Security & compliance

Trust at Eitoo.

Last reviewed: 17 May 2026

Eitoo handles cross-border VAT data on behalf of EU finance teams. That work is regulated, audited, and someone's payroll depends on us getting it right. This page is the unabridged answer to every procurement question a DPO, CFO, or biotech sponsor's clinical-ops team will ask before they sign anything. We name vendors, we cite articles, we disclose what we don't have. If a detail is missing here, email security@eitoo.eu and we'll add it.

At a glance

What your procurement team needs to know in 60 seconds:

Compute regioneu-central-1 · Frankfurt
Data residencyEU only · no US copies
Encryption in transitTLS 1.3
Encryption at restAES-256
Invoice file retentionNot persisted
DPAAvailable on request · 24h
Sub-processorsPublic list ↓
Cross-border transfersGDPR Art. 46 SCC
Regulatory basisCouncil Dir. 2008/9/EC
Security contactsecurity@eitoo.eu

Data residency

Application servers, database, queues, and object storage all run in eu-central-1 (Frankfurt, Germany). No regional replicas in the United States or Asia. The only cross-border data transfer is the LLM call to Anthropic for invoice extraction — see Cross-border transfers below for the lawful basis and what data leaves the EU.

  • Web tier: Render (Frankfurt region) for application servers · Vercel (Frankfurt edge) for the marketing site.
  • Database: Supabase Postgres in Frankfurt with automated daily backups in the same region.
  • Queues + cache: Upstash Redis, EU region.
  • Observability: Sentry EU instance (data warehoused in Frankfurt).

Encryption

In transit: TLS 1.3 for every connection, browser to API, API to database, API to sub-processor. HSTS preload on eitoo.eu. No TLS 1.0 / 1.1 fallback accepted.

At rest: AES-256 for the Postgres database (Supabase-managed) and for any uploaded files retained for processing. Object storage uses provider-managed envelope encryption with per-region keys.

Sub-processors

We disclose every sub-processor and the specific role it plays. New sub-processors are announced here at least 14 days before they handle production data — subscribe to security@eitoo.eu to be notified.

Sub-processorPurposeRegionData accessed
Anthropic (Claude API)Invoice field extractionUS · SCC under GDPR Art. 46Invoice text + line items, no PII beyond vendor address
Google Document AIPDF OCR fallbackEU · europe-west regionInvoice image + extracted text only
RenderApplication server hostingFrankfurt (eu-central-1)All processed data in transit
SupabasePostgres database + authFrankfurt (eu-central-1)Structured invoice fields, user accounts, audit log
UpstashRedis cache + rate limitingEU regionSession tokens, rate counters · no invoice data
SentryError monitoringEU instance · FrankfurtStack traces, request IDs · invoice fields scrubbed
VercelMarketing site hostingEU edge networkPage-view analytics only · no application data
Plausible AnalyticsCookieless web analyticsEU (Germany)Aggregated page views · no personal data
VIESVAT number validationEU CommissionVAT IDs only (already public)

Retention

Data typeRetentionWhy
Invoice files (PDF/image)Not persistedProcessed in memory, discarded after extraction. Only structured fields are stored.
Extracted invoice fieldsFor the duration of the engagement + audit trailRequired to assemble submission packages and prove audit defensibility under Dir. 2008/9/EC.
Anthropic API calls30 days (Anthropic standard)No Zero Data Retention agreement yet. Disclosed openly — not buried. When we hit ZDR eligibility (paid plan threshold), this row updates.
Audit logs13 monthsCovers the 12-month VAT recovery window plus reconciliation grace period.
Account emailWhile account is active + 30 days post-deletionMagic-link auth + final invoice / refund correspondence.

Compliance basis

Every recovery decision Eitoo makes traces back to a specific article of EU regulation. The two pillars:

  • Council Directive 2008/9/EC — the cross-border VAT refund regime itself. Article §5(2)(a) is the eligibility test we run per line item. Article §15 is the filing deadline math. Annex III (via Regulation 79/2012) is the expense-code classification system every recovered invoice is mapped against.
  • GDPR — Article 6(1)(b) (contract) for processing customer data, Article 46 SCC for the one cross-border transfer (Anthropic). DPA available on request.

Cross-border transfers

One cross-border data flow exists: the LLM call to Anthropic in the United States for invoice field extraction. Governed by:

  • GDPR Article 46 Standard Contractual Clauses (SCC)
  • Anthropic's DPA — referenced in our master DPA
  • 30-day API retention (no Zero Data Retention yet — disclosed above)
  • No PII in the prompt beyond what appears on the invoice itself (vendor name, vendor address, line items)

All other processing — database, cache, application servers, observability — happens entirely within the EU.

Vendor due diligence

DPA

Pre-signed template, ready in 24 hours. Email privacy@eitoo.eu.

DPIA support

We'll fill in the relevant sections of your DPIA template and turn it around in 48 hours. Email privacy@eitoo.eu.

Security questionnaire

Most procurement questionnaires (SIG Lite, CAIQ, custom) we turn around in 3–5 business days. Email security@eitoo.eu.

Penetration test

Annual third-party pentest planned for Q4 2026. Report available under NDA once complete.

Security incidents & disclosure

Found something? Email security@eitoo.eu. First response within 24 hours, weekdays. We follow GDPR Article 33 (notification within 72 hours of awareness for any personal-data breach) and disclose specifically to affected customers — no aggregated blast, no PR-managed language.

No bug bounty programme yet. Responsible disclosure thanked in writing and credited (with permission) on this page.

What we don't have — yet

Radical transparency about gaps reads as honesty; vague reassurance reads as cover-up. The list:

  • SOC 2 Type II. Not yet attested. On the roadmap for 2026. Happy to share our control map in the meantime.
  • ISO 27001 certification. Not yet certified. Internal ISMS modelled against ISO 27001 controls.
  • Anthropic Zero Data Retention. We're on standard 30-day API retention until we hit the paid-plan eligibility threshold.
  • Status page. Coming with v1.1.
  • HIPAA Business Associate Agreement. Out of scope — Eitoo processes financial / VAT data, not PHI.

Contact

Related: Privacy Notice · Terms