Security & privacy
Where your data is stored, how to delete it, our encryption design in plain English, the 6 sub-processors at a glance, 2FA recovery codes, your GDPR rights.
Where is my data stored?
Your data is stored in Frankfurt, Germany (DigitalOcean DOKS, FRA1 region) and never leaves the EU at rest. The one exception is the AI extraction step, which sends document content to Anthropic's Claude API in the US for a few seconds of processing under EU-US DPF + SCCs. A contractual zero-retention addendum with Anthropic is in negotiation.
How do I delete my account and export my data?
Settings → Account → Delete account. Type your email to confirm. You get a 30-day grace period to undo the deletion. On day 31 the encryption key tied to your account is destroyed and every document, invoice, transaction, and OAuth token becomes mathematically unreadable — for us, our backups, forever. Export your data before deleting; restore is impossible after day 31.
How our encryption works, in plain English
Three keys nested like Russian dolls: a platform Master Key, your per-Account Key (encrypted by Master), and per-File Keys (encrypted by Account Key). All AES-256-GCM. Deleting your Account Key on account-deletion makes every document, OCR result, and OAuth token mathematically unreadable — for us, our backups, forever. That's how we satisfy GDPR Article 17 cryptographically.
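The key nesting and deletion behaviour described above, as an added Node.js example (not TaxItEasy's own code). The function names, the in-memory key store, the `nonce || tag || ciphertext` blob layout and the separation of the key store from document backups are all assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// AES-256-GCM with a fresh 96-bit nonce; returns nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws on a wrong key, a tampered blob, or a destroyed (missing) blob.
function open(key, blob) {
  if (!blob || blob.length < 28) throw new Error("blob destroyed or truncated");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical key store (account id -> Account Key wrapped by the Master Key),
// assumed to live apart from document storage and its backups.
const keyStore = new Map();
const createAccount = (masterKey, id) =>
  keyStore.set(id, seal(masterKey, nodeCrypto.randomBytes(32)));
// Day 31 of deletion: destroy the single wrapped Account Key.
const eraseAccount = (id) => keyStore.delete(id);

// A stored record (and any backup of it) holds only a wrapped File Key and ciphertext.
function storeDocument(masterKey, id, doc) {
  const accountKey = open(masterKey, keyStore.get(id));
  const fileKey = nodeCrypto.randomBytes(32);
  return { wrappedFileKey: seal(accountKey, fileKey), doc: seal(fileKey, doc) };
}

// Unwraps Master -> Account Key -> File Key -> plaintext; null if any link fails.
function readDocument(masterKey, id, record) {
  try {
    const accountKey = open(masterKey, keyStore.get(id));
    return open(open(accountKey, record.wrappedFileKey), record.doc);
  } catch {
    return null;
  }
}

// Constructed demo: the same stored record, read before and after erasure.
const master = nodeCrypto.randomBytes(32);
createAccount(master, "acct-1");
const rec = storeDocument(master, "acct-1", Buffer.from("constructed invoice"));
console.log(String(readDocument(master, "acct-1", rec)));
eraseAccount("acct-1");
console.log(readDocument(master, "acct-1", rec)); // null
```

The erasure only holds if the wrapped Account Key exists in exactly one place, so any backup copy of the key store has to be destroyed along with it.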
Our sub-processors at a glance
Six sub-processors: DigitalOcean (Frankfurt infra), Anthropic (US, AI extraction), Stripe (US, payments), Resend (US/EU, email), Sentry (US, error monitoring with PII scrubbing), Cloudflare (Global, CDN/WAF). All under EU-US DPF + SCCs. The canonical list with details lives at /subprocessors.html. We notify customers 14 days before adding any new sub-processor.
How do I use 2FA recovery codes?
On the 2FA prompt, click "Use a recovery code instead" and enter one of the 8 codes you saved when enabling 2FA. Each code works once. After signing in, immediately disable and re-enable 2FA on your new device, or generate fresh recovery codes from Settings. If all codes are used and you can't access the authenticator, [email protected] resets 2FA after identity verification (1–3 working days).
Your GDPR rights as a user
Six GDPR rights apply to your TaxItEasy data: Art. 15 (access), 16 (rectification), 17 (erasure), 18 (restriction), 20 (portability), 21 (objection). Most are exercisable directly in-app; for the formal route or for Art. 18 / 21 (no UI today), email [email protected]. Statutory 30-day resolution window; we acknowledge within 2 working days.