Tax firms already follow strict rules about retention, custody and audit. We built the product the same way: predictable defaults, written-down behaviour, and a paper trail you can hand to a regulator without flinching.
Each principle is paired with a deliberate non-feature - the thing we chose not to do. Both halves matter. A security claim without a counterweight is marketing copy.
VAT numbers, tax numbers and client identifier values are encrypted using Laravel's authenticated encryption. The application sees plaintext; the database row never does.
We do not ship a single master key, store keys in source, or rely on disk encryption alone as the boundary.
Every model that holds firm data carries a global firm scope. Cross-tenant queries require an explicit opt-out reserved for system jobs.
User requests cannot cross tenants. There is no "switch firm" superuser path that bypasses the scope - not even for support.
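The two mechanisms above (encrypted attribute casts and a firm-wide global scope) look like this in Eloquent. This is an added illustration written for this page, not the product's own code; the `Client` model, the `FirmScope` class, the `firm_id` column and the assumption that the authenticated user exposes a `firm_id` are all hypothetical.

```php
<?php
// Added example, not the product's own code. Assumes a `firm_id` column on
// the table and an authenticated user exposing `firm_id`; the model,
// scope and column names are hypothetical.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\Auth;

// Global scope: every query on a scoped model is constrained to the
// current user's firm. Eloquent applies it automatically to each query.
final class FirmScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $user = Auth::user();

        // Fail closed: with no authenticated firm context the query
        // matches nothing rather than everything.
        if ($user === null) {
            $builder->whereRaw('1 = 0');
            return;
        }

        $builder->where($model->qualifyColumn('firm_id'), $user->firm_id);
    }
}

class Client extends Model
{
    // Encrypted casts: Laravel encrypts on write and decrypts on read with
    // the application key, and the ciphertext carries a MAC, so a row that
    // was tampered with fails to decrypt instead of yielding garbage.
    protected $casts = [
        'vat_number'        => 'encrypted',
        'tax_number'        => 'encrypted',
        'client_identifier' => 'encrypted',
    ];

    protected static function booted(): void
    {
        static::addGlobalScope(new FirmScope());

        // Stamp the firm on create so a row can never be born unscoped.
        static::creating(function (Client $client): void {
            $client->firm_id ??= Auth::user()?->firm_id;
        });
    }
}

// Only a system job (never a request handler) opts out, and it must name
// the scope it is removing:
//   Client::withoutGlobalScope(FirmScope::class)->where(...)->get();
```

The fail-closed branch matters for queued jobs and console commands, where there is no authenticated user: an unscoped query there would otherwise return every firm's rows, so the scope returns none and the job has to opt out explicitly.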
Document approvals, period closings, retention purges, exports and sick-leave decisions produce an audit-log row with actor, IP, user-agent and structured properties.
The log table is append-only - the application has no UPDATE or DELETE path. Edits create a new row referencing the old one.
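One way to enforce the append-only rule at the application layer, as an added example rather than the product's code. The `audit_logs` table, its columns and the `supersedes_id` link are hypothetical; the matching database grant (an application role with INSERT and SELECT only) is a recommendation, not something the page states.

```php
<?php
// Added example, not the product's own code. Table and column names
// (audit_logs, supersedes_id, properties) are hypothetical.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use LogicException;

class AuditLog extends Model
{
    public const UPDATED_AT = null;   // rows are never touched again

    protected $fillable = [
        'actor_id', 'action', 'subject_type', 'subject_id',
        'ip', 'user_agent', 'properties', 'supersedes_id',
    ];

    protected $casts = ['properties' => 'array'];

    protected static function booted(): void
    {
        // Refuse in-place mutation at the application layer. A database
        // grant that gives the app role INSERT and SELECT only (recommended,
        // not shown here) is the second line of defence; this guard catches
        // accidental code paths before they reach the database.
        static::updating(fn () => throw new LogicException('audit log rows are immutable'));
        static::deleting(fn () => throw new LogicException('audit log rows are never deleted'));
    }

    // Record an event: who did it, from where, with which client, and
    // the structured properties of the decision.
    public static function record(string $action, Model $subject, array $properties = []): self
    {
        $request = request();

        return static::create([
            'actor_id'     => $request->user()?->id,
            'action'       => $action,
            'subject_type' => $subject::class,
            'subject_id'   => $subject->getKey(),
            'ip'           => $request->ip(),
            'user_agent'   => $request->userAgent(),
            'properties'   => $properties,
        ]);
    }

    // An "edit" is a new row that points at the row it corrects; the
    // original stays in place and remains readable.
    public function correct(array $properties): self
    {
        return static::create([
            'actor_id'      => request()->user()?->id,
            'action'        => $this->action,
            'subject_type'  => $this->subject_type,
            'subject_id'    => $this->subject_id,
            'ip'            => request()->ip(),
            'user_agent'    => request()->userAgent(),
            'properties'    => $properties,
            'supersedes_id' => $this->getKey(),
        ]);
    }
}
```

Because `supersedes_id` points backwards, an auditor can walk from the current row to the original and see every intermediate correction, each with its own actor and timestamp.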
Retention windows are set per firm and can be shaped by document category and country. A nightly purger deletes or anonymises documents past their window.
Documents under an active legal hold are exempt and stay until the hold is lifted - we never delete what a tax authority asked you to keep.
Narrow categories like payroll can be granted to named users. Once any restrictive grant exists, default-open access for that category flips to default-closed.
There is no "everyone can see everything" mode. An admin role does not bypass category-level grants without an explicit override that is itself logged.
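The default-open to default-closed flip is easy to get wrong, so here it is as a self-contained rule, written as an added example for this page (not the product's code). The `Grant` shape, the `Role` enum and the `loggedOverride` flag are hypothetical; the sample grants are constructed. It runs as-is with the PHP CLI.

```php
<?php
// Added example, not the product's own code; the grant table shape,
// the Role enum and the loggedOverride flag are hypothetical.

declare(strict_types=1);

enum Role: string { case Admin = 'admin'; case Staff = 'staff'; }

final class Grant
{
    public function __construct(
        public readonly string $firmId,
        public readonly string $category,
        public readonly int $userId,
    ) {}
}

final class CategoryAccess
{
    /** @param Grant[] $grants every restrictive grant known to the system */
    public function __construct(private array $grants) {}

    public function canView(string $firmId, string $category, int $userId, Role $role, bool $loggedOverride = false): bool
    {
        // Grants are per firm: a payroll grant in firm A says nothing about firm B.
        $forCategory = array_filter(
            $this->grants,
            fn (Grant $g) => $g->firmId === $firmId && $g->category === $category,
        );

        // No restrictive grant exists: the category is default-open inside the firm.
        if ($forCategory === []) {
            return true;
        }

        // At least one grant exists: the category is now default-closed and
        // only the named grantees see it.
        foreach ($forCategory as $g) {
            if ($g->userId === $userId) {
                return true;
            }
        }

        // Admins get no implicit bypass. The override must be explicit and
        // must already have been written to the audit log by the caller.
        return $role === Role::Admin && $loggedOverride;
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new AssertionError("failed: $what");
    }
}

// Constructed sample: firm "f1" restricts payroll to user 7; "accounts" has no grants.
$access = new CategoryAccess([new Grant('f1', 'payroll', 7)]);

expect($access->canView('f1', 'accounts', 3, Role::Staff), 'unrestricted category is default-open');
expect($access->canView('f1', 'payroll', 7, Role::Staff), 'named grantee sees payroll');
expect(!$access->canView('f1', 'payroll', 3, Role::Staff), 'other staff are locked out once a grant exists');
expect(!$access->canView('f1', 'payroll', 3, Role::Admin), 'admin role alone does not bypass');
expect($access->canView('f1', 'payroll', 3, Role::Admin, loggedOverride: true), 'explicit logged override is honoured');
expect($access->canView('f2', 'payroll', 3, Role::Staff), 'a grant in firm f1 does not close firm f2');
echo "grant rules hold\n";
```

The test worth keeping an eye on is the fourth one: the moment someone adds an `if ($role === Role::Admin) return true;` shortcut at the top of `canView`, the admin-bypass check fails and the logged override becomes meaningless.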
Data-export and erasure workflows ship in the product. Sick-leave records hold administrative data only - never a diagnosis. Held documents survive erasure but are detached from the user.
We do not require a support ticket to exercise data rights. The workflow is the same one the regulator audits.
Every sign-in, failed attempt, logout and password reset goes to a queryable login-events table. Anomalies surface in the security inbox.
We do not silently retry credentials, suggest weak passwords, or e-mail you a copy of one. MFA is the path, not the exception.
Every export package records the SHA-256 of the bundle at write time. Auditors re-hash the file later and confirm it has not been altered since hand-off.
Exports are not silently regenerated when re-downloaded - the hash you got is the hash that exists, forever.
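The write-once bundle plus recorded SHA-256 can be shown end to end in a few lines. This is an added example for this page, not the product's export code: the `.sha256` sidecar format, the function names and the demo bundle are all constructed, and the sidecar deliberately uses the `sha256sum` line format so an auditor can verify it with standard tooling.

```php
<?php
// Added example, not the product's own code. Export layout, sidecar name
// and function names are hypothetical. Runs as-is with the PHP CLI.

declare(strict_types=1);

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new AssertionError("failed: $what");
    }
}

// Write the bundle exactly once and record its SHA-256 beside it at write time.
function writeExport(string $dir, string $bundleName, string $contents): string
{
    $path = $dir . DIRECTORY_SEPARATOR . $bundleName;

    // 'x' mode creates the file only if it does not already exist, so a
    // re-download can never silently regenerate the bundle the auditor holds.
    $fh = @fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException("export already exists: $path");
    }
    fwrite($fh, $contents);
    fclose($fh);

    $digest = hash_file('sha256', $path);
    // sha256sum format: "<hex digest>  <filename>", two spaces.
    file_put_contents($path . '.sha256', $digest . "  " . $bundleName . "\n");
    return $digest;
}

// Auditor side: re-hash the file and compare against the recorded digest.
function verifyExport(string $dir, string $bundleName): bool
{
    $path     = $dir . DIRECTORY_SEPARATOR . $bundleName;
    $recorded = @file_get_contents($path . '.sha256');
    if ($recorded === false) {
        return false;
    }
    $expected = strtok($recorded, " ");
    $actual   = hash_file('sha256', $path);
    return $actual !== false && hash_equals($expected, $actual);
}

// Constructed demo in a throwaway directory.
$dir = sys_get_temp_dir() . '/export-demo-' . bin2hex(random_bytes(4));
mkdir($dir);

$digest = writeExport($dir, 'firm-42-2026Q1.zip', "constructed bundle bytes\n");
expect(strlen($digest) === 64, 'hex SHA-256 is 64 characters');
expect(verifyExport($dir, 'firm-42-2026Q1.zip'), 'untouched bundle verifies');

// Flip one byte: the recorded digest no longer matches.
file_put_contents($dir . '/firm-42-2026Q1.zip', "constructed bundle byteS\n");
expect(!verifyExport($dir, 'firm-42-2026Q1.zip'), 'altered bundle is detected');

// A second write of the same export is refused rather than regenerated.
try {
    writeExport($dir, 'firm-42-2026Q1.zip', 'anything');
    expect(false, 'duplicate export must be refused');
} catch (RuntimeException $e) {
    echo "duplicate refused: {$e->getMessage()}\n";
}
echo "export hash checks hold\n";
```

An auditor without PHP can run `sha256sum -c firm-42-2026Q1.zip.sha256` in the export directory and get the same answer, which is the point of recording the digest in that format.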
A privacy posture is mostly a list of what you said no to. Ours is short and deliberate.
Sub-processors: a short, deliberate list. Each partner is contractually committed to GDPR-aligned processing and lives - where it can - inside the EU.
| Service | Purpose | Region | Certification |
|---|---|---|---|
| EU-Rechenzentren (application database & file storage) | Hosts all firm data, encrypted at rest, daily backups retained for 30 days. | EU-CENTRAL-1 | ISO 27001 |
| Stripe (subscription billing) | Processes payment cards. Card data never touches our servers. | EU / US | PCI-DSS L1 |
| Postmark (transactional email & inbound intake) | Routes inbound documents via per-client tokens; sends notification email. | EU | SOC 2 Type II |
Last verified 2026-05-20.
Article 33 of GDPR and the NIS2 directive give us 72 hours from awareness to a regulator-facing notification. Our incident register tracks each stop on that clock.
Security review for an enterprise plan, DPA negotiation, a vulnerability report, or the full sub-processor list - the same address reaches the same person.