Security & Compliance
Built with security, privacy, and regulatory reviewability as design goals. Primary application hosting and persistent storage are configured in the EU, and additional compliance documentation is available on request.
- Transparency
  - AI use is clearly disclosed. Every mapping can be reviewed before output.
- Human Oversight
  - AI suggests mappings, but users remain responsible for review, correction, and approval.
- Data Handling
  - Primary application hosting and persistent storage are configured in the EU, with transfer safeguards available where cross-border processing is needed.
- Security by Design
  - Encryption, access controls, environment separation, logging, and incident response are built into the platform architecture.
Infrastructure categories
Our stack uses specialist providers for different parts of the service. We share provider-specific materials during customer, audit, or procurement review when they are relevant to the request.
- Web delivery & application hosting
  - Frontend and backend runtime
  - Authenticated application flow with TLS-protected traffic
  - Primary workloads configured in EU regions
  - Operational monitoring, patching, and environment separation
- Authentication, database & encrypted storage
  - Identity, persistence, and access control
  - Role-based access and row-level data isolation
  - Encryption in transit and at rest
  - Document persistence backed by controlled storage and recovery procedures
- Key management & secrets handling
  - Application-layer protection
  - Managed key infrastructure for sensitive cryptographic operations
  - Secrets restricted to operational need-to-know access
  - Auditability for security-relevant administrative actions
- AI & OCR processing
  - Text extraction and taxonomy suggestion support
  - Only the processing needed to provide the service is enabled
  - Cross-border safeguards are used where relevant
  - Provider-specific documentation can be shared during customer or procurement review
GDPR
General Data Protection Regulation (EU 2016/679). We act as a data processor where appropriate and maintain contractual, technical, and organisational safeguards around personal data processing.
- Data protection
  - DPA and sub-processor information available on request
  - Primary hosting and persistent storage configured in EU regions
  - Encryption in transit and at rest
  - Privacy by Design and Default (Art. 25)
- Your rights
  - Access, rectify, and delete your data
  - Data portability in machine-readable formats
  - 72-hour breach notification where required
  - Review materials available for onboarding and procurement
EU AI Act
Regulation on Artificial Intelligence (EU 2024/1689). Our AI-assisted workflow supports document analysis and taxonomy suggestion, but does not make autonomous filing decisions.
- Classification
  - Transparency obligations are met through clear AI disclosure
  - Human review remains required before export or filing
  - No autonomous financial decision-making
  - Purpose-specific support for financial document preparation
- Measures
  - Users review and approve all suggested mappings
  - Customer documents are not used to train our own models
  - Processing is limited to the service workflow
  - Security and incident materials are available for review on request
Data security
Technical and organisational safeguards protect financial documents, conversion outputs, and account access across the service.
- Encryption & access
  - Application-layer protection for uploaded source files
  - Authenticated access with scoped permissions
  - Row-level data isolation for customer environments
  - Controlled internal access on a least-privilege basis
- Operations
  - Encrypted backups and recovery procedures
  - Environment separation between production and non-production systems
  - Monitoring, logging, and vulnerability management
  - Documented incident handling and notification workflow
Documentation requests
We can prepare the compliance materials relevant to your customer review, audit, or procurement process.
- Typical materials
  - DPA discussion materials and onboarding documents where appropriate
  - Current sub-processor overview and processing-role summary
  - Security measures summaries and incident response materials
  - Transfer safeguard information and answers to reasonable questionnaires
- Review flow
  - Share your company name, review context, and requested materials.
  - Tell us whether the request is for customer onboarding, audit, or procurement.
  - Include any deadline so we can assemble the relevant documentation quickly.
For a broader overview, see the Trust Center.
Contact
For security inquiries, compliance documentation, or vulnerability reports, please contact our team.
Doc2iXBRL
contact@doc2ixbrl.com
max@doc2ixbrl.com
For urgent security matters, include “Security” in the subject line.