Trust & Security Center
How we protect invoice data, keep processing compliant, and stay transparent.
This Trust Center provides an overview of our security and privacy practices. For the legally binding terms and full details, please refer to our Data Processing Agreement (DPA) and Privacy Policy.
Authoritative documents:
At a glance
EU-first hosting
Primary infrastructure is hosted in Frankfurt, Germany. Some sub-processors may process data in the EU/EEA and, where necessary, in third countries under Standard Contractual Clauses (SCCs).
Minimal retention
Invoice files are processed and removed immediately after conversion.
Encrypted by default
TLS in transit and encryption at rest for stored metadata.
Operational assurance
Use these points as the practical checks for this section.
- Certifications: We are not yet SOC 2 or ISO 27001 certified.
- Audits: We run internal control reviews and targeted external penetration checks.
- Incident response: Affected users are notified without undue delay.
- Security contact: contact@invoice-converter.com
Data handling
- PDF invoices are processed strictly for conversion and validation.
- We minimize stored personal data and keep only what is required for accounts, billing, and support.
- You can request deletion of account data via support.
Security controls
- TLS encryption for all uploads and downloads.
- Access controls and least privilege for internal tools.
- Continuous monitoring and logging for anomalies.
Privacy & compliance
- GDPR-aligned processing with a Data Processing Agreement (DPA).
- EN 16931 compliant output with validation checks.
- Money-back guarantee if compliant output cannot be produced.
Data residency
Primary infrastructure runs in Frankfurt (Germany). Where required for service delivery, sub-processors may process data in the EU/EEA and in third countries under SCCs.
Retention & deletion
Invoice files are processed transiently. For critical failed review/download flows, short-lived diagnostic bundles may be retained for up to 14 days; we do not keep a permanent invoice-content archive. Account data follows legal and contractual retention requirements.
Sub-processors
We use vetted providers for hosting, AI processing, payments, and analytics. For the authoritative list and processing locations, see the DPA (Annex 1) and the Privacy Policy.
Payments
Subscription billing and invoicing.
Authentication
User accounts and access management.
Infrastructure
Hosting, storage, and delivery.
Named providers
Supabase
Authentication and PostgreSQL data storage
Koyeb
Backend application hosting (Frankfurt region)
Cloudflare
CDN, DDoS protection, and edge security
Stripe
Payments and billing operations
OpenAI / Mistral
Document extraction support under processor terms
Incident response
We investigate security incidents quickly and notify affected customers as required by law.
Policies & agreements
Need a DPA or security answers?
Reach out and we will provide documentation and tailored guidance for your compliance review.