Security & compliance
Trust at Eitoo.
Eitoo handles cross-border VAT data on behalf of EU finance teams. That work is regulated, audited, and someone's payroll depends on us getting it right. This page is the unabridged answer to every procurement question a DPO, CFO, or biotech sponsor's clinical-ops team will ask before they sign anything. We name vendors, we cite articles, we disclose what we don't have. If a detail is missing here, email security@eitoo.eu and we'll add it.
At a glance
What your procurement team needs to know in 60 seconds:
Data residency
Application servers, database, queues, and object storage all run in eu-central-1 (Frankfurt, Germany). No regional replicas in the United States or Asia. The only cross-border data transfer is the LLM call to Anthropic for invoice extraction — see Cross-border transfers below for the lawful basis and what data leaves the EU.
- Web tier: Render (Frankfurt region) for application servers · Vercel (Frankfurt edge) for the marketing site.
- Database: Supabase Postgres in Frankfurt with automated daily backups in the same region.
- Queues + cache: Upstash Redis, EU region.
- Observability: Sentry EU instance (data warehoused in Frankfurt).
Encryption
In transit: TLS 1.3 for every connection, browser to API, API to database, API to sub-processor. HSTS preload on eitoo.eu. No TLS 1.0 / 1.1 fallback accepted.
At rest: AES-256 for the Postgres database (Supabase-managed) and for any uploaded files retained for processing. Object storage uses provider-managed envelope encryption with per-region keys.
Sub-processors
We disclose every sub-processor and the specific role it plays. New sub-processors are announced here at least 14 days before they handle production data — subscribe to security@eitoo.eu to be notified.
| Sub-processor | Purpose | Region | Data accessed |
|---|---|---|---|
| Anthropic (Claude API) | Invoice field extraction | US · SCC under GDPR Art. 46 | Invoice text + line items, no PII beyond vendor address |
| Google Document AI | PDF OCR fallback | EU · europe-west region | Invoice image + extracted text only |
| Render | Application server hosting | Frankfurt (eu-central-1) | All processed data in transit |
| Supabase | Postgres database + auth | Frankfurt (eu-central-1) | Structured invoice fields, user accounts, audit log |
| Upstash | Redis cache + rate limiting | EU region | Session tokens, rate counters · no invoice data |
| Sentry | Error monitoring | EU instance · Frankfurt | Stack traces, request IDs · invoice fields scrubbed |
| Vercel | Marketing site hosting | EU edge network | Page-view analytics only · no application data |
| Plausible Analytics | Cookieless web analytics | EU (Germany) | Aggregated page views · no personal data |
| VIES | VAT number validation | EU Commission | VAT IDs only (already public) |
Retention
| Data type | Retention | Why |
|---|---|---|
| Invoice files (PDF/image) | Not persisted | Processed in memory, discarded after extraction. Only structured fields are stored. |
| Extracted invoice fields | For the duration of the engagement + audit trail | Required to assemble submission packages and prove audit defensibility under Dir. 2008/9/EC. |
| Anthropic API calls | 30 days (Anthropic standard) | No Zero Data Retention agreement yet. Disclosed openly — not buried. When we hit ZDR eligibility (paid plan threshold), this row updates. |
| Audit logs | 13 months | Covers the 12-month VAT recovery window plus reconciliation grace period. |
| Account email | While account is active + 30 days post-deletion | Magic-link auth + final invoice / refund correspondence. |
Compliance basis
Every recovery decision Eitoo makes traces back to a specific article of EU regulation. The two pillars:
- Council Directive 2008/9/EC — the cross-border VAT refund regime itself. Article §5(2)(a) is the eligibility test we run per line item. Article §15 is the filing deadline math. Annex III (via Regulation 79/2012) is the expense-code classification system every recovered invoice is mapped against.
- GDPR — Article 6(1)(b) (contract) for processing customer data, Article 46 SCC for the one cross-border transfer (Anthropic). DPA available on request.
Cross-border transfers
One cross-border data flow exists: the LLM call to Anthropic in the United States for invoice field extraction. Governed by:
- GDPR Article 46 Standard Contractual Clauses (SCC)
- Anthropic's DPA — referenced in our master DPA
- 30-day API retention (no Zero Data Retention yet — disclosed above)
- No PII in the prompt beyond what appears on the invoice itself (vendor name, vendor address, line items)
All other processing — database, cache, application servers, observability — happens entirely within the EU.
Vendor due diligence
DPA
Pre-signed template, ready in 24 hours. Email privacy@eitoo.eu.
DPIA support
We'll fill in the relevant sections of your DPIA template and turn it around in 48 hours. Email privacy@eitoo.eu.
Security questionnaire
Most procurement questionnaires (SIG Lite, CAIQ, custom) we turn around in 3–5 business days. Email security@eitoo.eu.
Penetration test
Annual third-party pentest planned for Q4 2026. Report available under NDA once complete.
Security incidents & disclosure
Found something? Email security@eitoo.eu. First response within 24 hours, weekdays. We follow GDPR Article 33 (notification within 72 hours of awareness for any personal-data breach) and disclose specifically to affected customers — no aggregated blast, no PR-managed language.
No bug bounty programme yet. Responsible disclosure thanked in writing and credited (with permission) on this page.
What we don't have — yet
Radical transparency about gaps reads as honesty; vague reassurance reads as cover-up. The list:
- SOC 2 Type II. Not yet attested. On the roadmap for 2026. Happy to share our control map in the meantime.
- ISO 27001 certification. Not yet certified. Internal ISMS modelled against ISO 27001 controls.
- Anthropic Zero Data Retention. We're on standard 30-day API retention until we hit the paid-plan eligibility threshold.
- Status page. Coming with v1.1.
- HIPAA Business Associate Agreement. Out of scope — Eitoo processes financial / VAT data, not PHI.
Contact
- Security: security@eitoo.eu
- Privacy & DPA: privacy@eitoo.eu
- General: itay@eitoo.eu
- Founder LinkedIn: /in/itaykahan
Related: Privacy Notice · Terms