Legal & Privacy
Baseline policies for muratov.io. Platform access is governed by these terms. Managed service projects are governed by written agreements.
Privacy
We collect data necessary to operate the platform and respond to inquiries. No data is sold or shared for marketing purposes.
- Data controller — Bonfleur s.r.o. (IČO 28169166), Rabochova 1016, 252 62 Horoměřice, Czech Republic. Registered in the Czech commercial register (or.justice.cz).
- Contact form — name, email, role (required selector), and message field (required); optional: engagements/year and current tools. Used solely to respond. We do not store submissions in an application database; delivery is handled by a transactional-email sub-processor whose own policy governs retention of delivery metadata and logs.
- Platform accounts — authentication data managed by our identity sub-processor. Evidence files stored in your tenant and isolated from other customers.
- AI processing — evidence content sent to our AI inference sub-processor for extraction and testing. Not used for model training, per the AI provider's commercial-API terms.
- Sub-Processors — our current sub-processors: Clerk (authentication), Neon (managed PostgreSQL database), Vercel (hosting + platform delivery + transactional log storage), Vercel Blob (evidence-file blob storage; tenant-scoped paths; customer audit files at rest), Anthropic (AI inference), Pinecone (content retrieval index; tenant-isolated namespacing for evidence excerpts, workpaper narratives, and exception descriptions; matching is exact-text, not semantic similarity), Resend (transactional email for contact-form delivery), Upstash (Redis-based rate limiting + distributed locks for AI-test / QC / population concurrency serialization; request IPs + user identifiers only, no customer audit content). Primary data storage is in the United States; transactional sub-processors may process metadata in their own operational regions per their published policies. Maintained under change-control (30-day notice for material additions). Authoritative Sub-Processor list per customer is MSA Schedule A.
- Retention — you control your own data lifecycle. Before subscription termination you can export every workpaper via the 13-section export, archive evidence files off-platform, and delete engagements at will. After termination, you retain a 30-day post-termination export window for the 13-section pack; the platform provider runs the cadence to revoke Clerk-org access at the end of that window and delete tenant-scoped content per MSA Schedule B (see Platform access below for the externally-deleted-Clerk-org carve-out where export access ends immediately). We do not retain your audit workpapers on your firm's behalf. Your firm's own workpaper-retention obligations run against your firm's off-platform copies of your audit documentation — not against this platform.
- EU / EEA residents — you may contact us with data-access or erasure requests; we will respond within a reasonable timeframe consistent with applicable law. muratov.io is not actively marketed in the EU; this notice is provided for transparency.
- No marketing mailing list. No cross-site tracking cookies, advertising cookies, or marketing-analytics cookies. We use cookieless usage analytics (via our hosting provider) that does not identify individual visitors or set tracking cookies; strictly necessary session cookies only (see Cookies below). No cookie consent banner required under this model.
Disclaimer
Platform outputs are documentation tools, not audit opinions or attestation reports. The platform is provided as-is, without warranties of any kind (express or implied), to the fullest extent permitted by applicable law.
- Not a CPA firm. muratov.io does not perform audits, issue audit opinions, provide assurance, or render attestation reports.
- Not legal or accounting advice. Platform content is informational; your firm's qualified professionals own all audit conclusions, professional judgments, and regulatory decisions.
- Primary data in the United States. Transactional sub-processors may process metadata in their own operational regions per the Sub-Processors entry in the Privacy card.
- Governing law per MSA. For customer engagements, governing law and forum are set in the Master Services Agreement, which controls over this public notice.
What muratov.io provides
muratov.io is an ITGC audit automation platform. We are not a CPA firm and do not perform audits, issue audit opinions, provide assurance, or perform attestation services.
- Platform outputs are intended for use by the responsible auditor — sole practitioner, IT audit consultant, or single-headcount corporate IA function — within their own audit and quality-control framework.
- Designed for sole-practitioner CPAs, IT audit consultants, and single-headcount internal audit functions. External engagement quality review (when required for SOC engagements) is performed by your contracted reviewer outside the platform.
- Workpapers, testing results, and conclusions generated through the platform are documentation tools — not audit opinions or attestation reports.
- Users are responsible for their own professional judgments, conclusions, and regulatory decisions when relying on platform outputs.
AI-assisted features
The platform uses AI (Anthropic Claude API) for evidence extraction, testing, and draft generation. AI outputs are probabilistic and require professional review.
- Mandatory auditor review enforced by the platform
- AI tests run only on samples with mapped evidence
- Data not used for AI model training (per provider's commercial-API terms)
- Full AI provenance stored with each result
Platform access
Platform access is billed monthly via invoice. Managed operation projects are scoped and priced individually.
- Cancel at any time. Access continues through the paid period.
- Export every workpaper via the 13-section export before ending your subscription. For voluntarily-ended subscriptions, a 30-day post-termination export window applies per the MSA, at the end of which the platform provider runs the revoke-and-delete cadence. For subscriptions ended at the identity-provider level (organization deleted externally), export access ends immediately — export first, then request deletion.
- Reasonable-efforts availability, no uptime SLA.
- No refunds. No warranties. Platform provided as-is.
Data protection
Personal data processing follows applicable federal and state privacy regulations.
- Data collected only for responding to inquiries and delivering platform functionality.
- You may request access, correction, or deletion of your data at any time.
- Contact via the form to exercise your rights.
Managed Operation
Managed Operation is a platform operation service. Bonfleur s.r.o. (provider of the muratov.io platform) runs the software on behalf of the client. All audit conclusions, professional judgments, sign-offs, and determinations of regulatory adequacy remain the sole responsibility of the client and their qualified auditors.
Scope, deliverables, and terms for each managed engagement are defined in a written engagement letter prior to work commencing.
Cookies
Only strictly necessary cookies for authentication and theme preference. No analytics or marketing cookies.
- theme — light/dark preference (session).
- __session, __clerk_db_jwt, __client_uat, __refresh_* — authentication session + refresh tokens (Clerk; our identity sub-processor).
- No third-party tracking.