# Trust & Security Center

How we protect invoice data, keep processing compliant, and stay transparent.

## At a glance
- **EU-first hosting**: Primary infrastructure is hosted in Frankfurt, Germany. Some sub-processors may process data in the EU/EEA and, where necessary, in third countries under Standard Contractual Clauses (SCCs).
- **Minimal retention**: Invoice files are processed and removed immediately after conversion.
- **Encrypted by default**: TLS in transit and encryption at rest for stored metadata.

## Security controls
- TLS encryption for all uploads and downloads.
- Access controls and least-privilege for internal tools.
- Continuous monitoring and logging for anomalies.

## Privacy & compliance
- GDPR-aligned processing with a Data Processing Agreement (DPA).
- EN 16931 compliant output with validation checks.
- Money-back guarantee if compliant output cannot be produced.

## Retention & deletion
Invoice files are processed transiently and removed immediately after conversion. We do not store invoice content. Account data follows legal and contractual retention requirements.