Sample BAA and DPA compliance report
A public example of the kind of output AuditGuard produces: cited findings, risk severity, reasoning, and suggested language for review before legal approval.
Example risky clause
Original clause: "Vendor may use patient data and customer personal data for service improvement, analytics, and operational purposes without additional approval."
Example findings
| Framework | Citation | Issue | Severity |
|---|---|---|---|
| HIPAA | 45 CFR § 164.502(e) | Business associate use of PHI must be limited to permitted purposes defined in the BAA. | High |
| GDPR | Article 28(3) | Processor instructions, purpose, duration, and processing terms must be defined in the DPA. | High |
| CCPA | 1798.100(d) | Personal information should not be retained or used beyond reasonably necessary purposes. | Medium |
Suggested replacement language
"Vendor shall process customer personal data and protected health information only for the specific services described in this Agreement, only on documented customer instructions, and only for the retention period required to provide those services or comply with applicable law. Vendor shall not use such data for independent analytics, model training, advertising, or unrelated service improvement without the customer's prior written authorization and any required legal basis."
This is sample language for review. It is not legal advice.
What a full report includes
- Executive summary and risk score.
- Per-clause findings with framework, article, severity, and reasoning.
- Suggested remediation language aligned with the cited requirement.
- Critic-verifier notes that identify likely false positives or human-review items.
- Downloadable PDF for internal legal, compliance, and vendor-management workflows.
Audit one agreement before legal review
Run one limited audit free, no credit card required. Suggested outputs should be reviewed by qualified counsel.
Run a free audit →