Your evidence is handled with care.
Compliance-sensitive organisations need to know exactly how their data is handled. This page provides that information without marketing language.
Multi-tenant isolation.
Each organisation's data is strictly separated. No cross-contamination between tenants. Evidence uploaded by one organisation is never accessible to another — not in storage, not in processing, not in any AI model context.
Data handling.
Evidence files are processed and stored within a defined cloud region. Files are received, processed through the analysis pipeline, and stored in the organisation's isolated tenant. Processing does not involve transferring evidence to third-party services outside the defined infrastructure.
Access controls.
Access follows a role-based model with three defined roles:
- Lead Auditor — full access to evidence, findings, and report confirmation (Manylder's qualified lead auditor)
- Auditor — access to evidence and findings within assigned audit scope (Manylder audit team members)
- Reviewer — read-only access to finalised reports (for customer stakeholders)
Permissions are enforced at the application layer. Role assignment is managed by Manylder's lead auditor in coordination with the organisation.
Encryption.
Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed through the cloud provider's key management service with regular rotation.
Audit logging.
All actions on evidence and reports are logged with user identity and timestamp. This includes file uploads, finding generation, finding review, status amendments, and report generation. Logs are retained for the duration of the organisation's subscription plus a defined retention period.
Auditor review trail.
The system records when findings are reviewed, when statuses are amended by Manylder's lead auditor, and when findings are confirmed. This review trail is available for inclusion in the audit record per ISO 19011:2018 Section 5.5.7.
The review trail is not editable after confirmation. It provides a complete, immutable record of the lead auditor's review process.
Retention and deletion.
Organisations control their evidence retention. Evidence files and audit reports can be deleted on request at any time. Upon subscription cancellation, all tenant data — including evidence files, findings, reports, and logs — is deleted within 30 days.
No AI training on customer data.
Customer evidence files are not used to train, fine-tune, or improve any AI model. Evidence is processed for the purpose of generating audit findings for that specific organisation only. This is not a policy — it is an architectural constraint.
Questions about security.
If your security, procurement, or governance team has questions about Manylder's data handling practices that are not addressed on this page, contact us directly. We respond to security questionnaires and can provide additional technical documentation on request.