# Trust & Security Center

How we protect invoice data, keep processing compliant, and stay transparent.

> **This Trust Center provides an overview of our security and privacy practices. For the legally binding terms and full details, please refer to our Data Processing Agreement (DPA) and Privacy Policy.**

## At a glance

### EU-first hosting
Primary infrastructure is hosted in Frankfurt, Germany. Some sub-processors may process data in the EU/EEA and, where necessary, in third countries under Standard Contractual Clauses (SCCs).

### Minimal retention
Invoice files are processed and removed immediately after conversion.

### Encrypted by default
TLS in transit and encryption at rest for stored metadata.

## Operational assurance

- Certifications: We are not currently certified for SOC 2 or ISO 27001.
- Audits: We run internal control reviews and targeted external penetration checks.
- Incident response: affected users are notified without undue delay.
- Security contact: contact@invoice-converter.com

## Data handling

- PDF invoices are processed strictly for conversion and validation.
- We minimize stored personal data and keep only what is required for accounts, billing, and support.
- You can request deletion of account data via support.

## Security controls

- TLS encryption for all uploads and downloads.
- Access controls and least-privilege for internal tools.
- Continuous monitoring and logging for anomalies.

## Privacy & compliance

- GDPR-aligned processing with a Data Processing Agreement (DPA).
- EN 16931 compliant output with validation checks.
- Money-back guarantee if compliant output cannot be produced.

## Data residency

Primary infrastructure runs in Frankfurt (Germany). Where required for service delivery, sub-processors may process data in the EU/EEA and in third countries under SCCs.

## Retention & deletion

Invoice files are processed transiently. For critical failed review/download flows, short-lived diagnostic bundles may be retained for up to 14 days; we do not keep a permanent invoice-content archive. Account data follows legal and contractual retention requirements.

## Sub-processors

We use vetted providers for hosting, AI processing, payments, and analytics. For the authoritative list and processing locations, see the DPA (Annex 1) and the Privacy Policy.

### Payments
Subscription billing and invoicing.

### Authentication
User accounts and access management.

### Infrastructure
Hosting, storage, and delivery.

## Named providers

### Supabase
Authentication and PostgreSQL data storage

### Koyeb
Backend application hosting (Frankfurt region)

### Cloudflare
CDN, DDoS protection, and edge security

### Stripe
Payments and billing operations

### OpenAI / Mistral
Document extraction support under processor terms

## Incident response

We investigate security incidents quickly and notify affected customers as required by law.

## Policies & agreements

- [Read the full Data Processing Agreement (DPA)](/en/dpa)
- [Read the full Privacy Policy](/en/privacy-policy)
- [Terms & Conditions](/en/terms-and-conditions)
- [Contact security](mailto:contact@invoice-converter.com)

## Need a DPA or security answers?

Reach out and we will provide documentation and tailored guidance for your compliance review.

- [Contact us](/convert)
