Privacy Policy

Last updated: March 2025

We take confidentiality and data protection seriously. This Privacy Policy describes how GreenHat Assurance handles personal information when delivering SOC 2 audits and related services.

1. Introduction

GreenHat Assurance ("GreenHat", "we", "us", or "our") is an AICPA-accredited CPA firm that provides SOC 2 attestation and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you visit our website, engage with our client portal, or interact with us during an audit engagement.

We act as an independent service auditor. In most cases we process personal information as a service provider on behalf of our clients. When acting as a controller (for example, operating our website, managing business relationships, or conducting due diligence), we do so in accordance with this Privacy Policy and applicable privacy laws.

2. Information We Collect

  • Contact and business information such as name, job title, company affiliation, work email address, phone number, and mailing address.
  • Engagement data including system descriptions, control documentation, policy acknowledgements, access lists, and audit evidence uploaded by client personnel.
  • Platform usage data such as authentication logs, device information, IP addresses truncated to city or region, and activity records generated through our secure evidence portals or collaboration tools.
  • Website analytics data captured via first-party cookies and scripts, including pages visited, referring URLs, session duration, and aggregated interaction metrics used to improve our website. We do not use analytics for behavioral advertising.

3. Cookies and Analytics Technologies

  • We deploy strictly necessary cookies to maintain session security for the client portal and optional analytics cookies to measure site performance and detect errors.
  • Analytics tools collect metadata such as browser type, operating system, approximate geolocation derived from truncated IP addresses, and on-page events. Data is aggregated or de-identified before reporting.
  • You can adjust browser settings, enable Global Privacy Control, or opt out through the banner presented where required. Declining analytics cookies will not affect access to core services.

4. How We Use Personal Information

  • Planning, executing, and delivering SOC 2 audits, readiness assessments, and related professional services.
  • Managing client accounts, responding to inquiries, and providing engagement updates.
  • Maintaining the security, integrity, and availability of our platforms, including monitoring access, detecting fraud, and preventing unauthorized activity.
  • Complying with legal, regulatory, and professional obligations, including quality control, peer review, and record retention requirements.
  • Improving our services through anonymized analytics, de-identified benchmarking, and refinement of methodologies.

5. Legal Bases for Processing

  • Performance of a contract with our clients and fulfilling pre-contractual requests.
  • Compliance with legal and professional obligations applicable to CPA firms.
  • Legitimate interests in operating and improving our business, securing our systems, and communicating with prospective or current clients.
  • Consent, where required, such as when we use optional cookies or conduct certain marketing communications.

6. How We Share Information

  • With engagement personnel, subcontractors, or specialists who are bound by confidentiality obligations and only to the extent necessary to perform their responsibilities.
  • With technology service providers that host our infrastructure, workflow systems, or collaboration tools. These providers are vetted for security and sign data processing agreements.
  • With regulators, peer reviewers, courts, or law enforcement when required by law or professional standards.
  • With third parties approved by you, such as your legal counsel or other advisors involved in the engagement.

7. Data Retention

We retain engagement workpapers, communications, and related personal information for at least seven (7) years or longer if required by professional standards, contractual obligations, or applicable law.

For marketing inquiries or website interactions, we retain personal information for as long as necessary to respond and maintain business records, unless you request deletion sooner and we are able to comply.

8. Security Measures

We maintain a documented information security program aligned with SOC 2 requirements, including encryption in transit and at rest, multi-factor authentication, access reviews, logging, and incident response procedures.

Engagement data is stored in segregated environments with least-privilege access controls. Personnel complete annual security and confidentiality training.

While we strive to protect personal information, no security program is infallible. We promptly investigate and notify clients of incidents in accordance with contractual commitments and applicable law.

9. Subprocessors and Cross-Border Transfers

Some service providers may process information in jurisdictions outside of your home country, including the United States. Where required, we implement appropriate safeguards such as standard contractual clauses or rely on adequacy decisions.

A current list of subprocessors and their locations is available upon request and through our client portal. We will notify clients before onboarding materially new subprocessors for engagement data.

10. Your Privacy Rights

Subject to applicable law, you may request access to, correction of, or deletion of personal information that we hold as a controller.

You may also request a copy of data in portable format, object to certain processing, or withdraw consent where processing is based on consent.

Requests should be submitted through your engagement lead or by emailing privacy@ghassurance.com. We may need to verify your identity and coordinate with the client organization when acting as a processor.

11. Children's Data

Our services and website are directed to business professionals. We do not knowingly collect personal information from children under 16. If you believe a child has provided us information, please contact us so we can delete it promptly.

12. Updates to This Policy

We may update this Privacy Policy to reflect changes in law, technology, or our practices. When we make material updates, we will revise the "Last updated" date and notify clients through email or our portal when required.

13. Contact Us

For privacy-related questions or to exercise your rights, please contact us at privacy@ghassurance.com or visit our contact page to submit a request.