Security & Privacy

Your financial data.
Treated like financial data.

TaxItEasy is built on a security-first foundation — EU servers, AES-256 encryption, 2FA, full audit trail, and GDPR compliance. Here's exactly how we protect your data.

EU Servers Only
AES-256 Encrypted
GDPR Compliant
2FA Supported
Full Audit Trail

EU Servers Only

All data stored and processed within the EU. Primary infrastructure in Frankfurt, Germany. Data never leaves the EEA without explicit disclosure.

Encrypted in Transit and at Rest

TLS 1.2/1.3 in transit, AES-256 at rest. Field-level encryption for tax IDs, bank details, and OAuth tokens. Presigned download URLs expire after 1 hour.

GDPR Compliant

Full GDPR compliance. Right to deletion, data portability, transparent processing. Self-service data export and account deletion available at any time.

Full Audit Trail

Every upload, access, download, and share is logged with timestamp, user, and IP. 2-year retention for compliance. Exportable on request.

Technical Details

Built for compliance.
Designed for trust.

Access Control

  • 6 granular permission roles, assigned on the least-privilege principle
  • Complete data isolation between companies — no cross-company access possible
  • Account lockout after 5 failed login attempts
  • TOTP-based 2FA available on all accounts
  • JWT access tokens with 15-minute expiry + secure refresh rotation
  • Share links use 64-character tokens generated from a cryptographically secure random source (not guessable or enumerable)
  • Tax advisor access is strictly read-only — advisors cannot modify or delete
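The three authentication controls above (TOTP 2FA, lockout after 5 failed logins, and 64-character share-link tokens) as an added standard-library example. This is illustrative code, not TaxItEasy's implementation; the lockout duration, the hashing of share tokens before storage, and the one-step clock-skew window are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Added example (not TaxItEasy's code): RFC 6238 TOTP, share-link tokens and
# an account-lockout counter, using only the Python standard library.


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `for_time`."""
    counter = int(for_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock skew (assumed window=1)."""
    for drift in range(-window, window + 1):
        # constant-time comparison so a wrong digit does not leak timing
        if hmac.compare_digest(totp(secret, now + drift * step, step), code):
            return True
    return False


def new_share_token() -> str:
    """64 hex characters = 256 bits from the OS CSPRNG; not enumerable."""
    return secrets.token_hex(32)


def share_token_fingerprint(token: str) -> str:
    """Store only a hash of the token (assumption) so a DB leak does not expose live links."""
    return hashlib.sha256(token.encode()).hexdigest()


def share_token_matches(presented: str, stored_fingerprint: str) -> bool:
    return hmac.compare_digest(share_token_fingerprint(presented), stored_fingerprint)


class LoginGuard:
    """Lock an account after `max_failures` consecutive failed logins (15 min assumed)."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = now + self.lock_seconds
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)
```

The TOTP function reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, time 59 gives `287082` at six digits), so it can be checked against any standard authenticator app.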

Data Handling

  • Nightly automated backups with 30-day retention to isolated storage
  • File validation using magic bytes — not just file extension
  • 30-day recycle bin before permanent deletion
  • HMAC-signed tokens for all password reset and email verification flows
  • Secrets and tokens stored with Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication, field-level)
  • After account cancellation: 30-day grace period, then permanent deletion
  • GDPR data export available at any time — JSON format with all your data
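Two of the data-handling controls above, magic-byte file validation and HMAC-signed tokens for password-reset and email-verification flows, as an added standard-library example. This is illustrative code, not TaxItEasy's implementation; the accepted file types, the token layout (payload.signature, both URL-safe base64) and the purpose names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Added example (not TaxItEasy's code): content sniffing by magic bytes and
# purpose-bound, expiring HMAC tokens.

# Accepted types and their leading bytes (assumed allow-list).
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "docx": [b"PK\x03\x04"],  # OOXML is a ZIP container
    "xlsx": [b"PK\x03\x04"],
}


def sniff_type(data: bytes) -> set[str]:
    """Extensions whose magic bytes match the start of `data`."""
    return {ext for ext, sigs in MAGIC.items() if any(data.startswith(s) for s in sigs)}


def validate_upload(filename: str, data: bytes) -> bool:
    """Accept only if the extension is on the allow-list AND the content agrees with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in MAGIC and ext in sniff_type(data)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(key: bytes, purpose: str, user_id: int, ttl: int, now: float) -> str:
    """payload.signature; the payload binds purpose, user and expiry under HMAC-SHA256."""
    claims = {"p": purpose, "u": user_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(key: bytes, token: str, purpose: str, now: float):
    """Return the user id if signature, purpose and expiry all check out, else None."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:  # malformed token or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    # A reset token must not be usable for email verification, and vice versa.
    if claims.get("p") != purpose or now >= claims.get("exp", 0):
        return None
    return claims.get("u")
```

Binding the purpose into the signed payload is the detail that matters: a token minted for one flow cannot be replayed in another, and the expiry is checked only after the signature, so an attacker cannot extend a token's life by editing it.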

Infrastructure

  • Kubernetes cluster in Frankfurt (DigitalOcean — EU region)
  • Object storage in Frankfurt — documents never leave the EU
  • Managed PostgreSQL with SSL required — no unencrypted DB connections
  • nginx with strict Content Security Policy and Permissions-Policy headers
  • TLS 1.2 / 1.3 only — TLS 1.0 and 1.1 disabled
  • Cipher suites restricted to Mozilla's recommended profile (forward-secret, AEAD-only); no weak algorithms
  • Rate limiting on all API endpoints and file uploads
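An nginx server block that implements the four web-tier controls listed above (TLS 1.2/1.3 only, a Mozilla-recommended cipher list, strict CSP and Permissions-Policy headers, and per-client rate limiting), added here as an illustration. This is not TaxItEasy's actual configuration; the hostname, certificate paths, upstream name, CSP sources and rate limits are assumptions. Note that Mozilla's "Modern" profile is TLS 1.3-only, so a deployment that also accepts TLS 1.2 uses the "Intermediate" cipher list shown here.

```nginx
# Added example (not TaxItEasy's configuration). Hostnames, paths, upstream
# name and limits are assumed.

# One bucket per client IP: 10 req/s for the API, 2 req/s for uploads.
limit_req_zone $binary_remote_addr zone=api:10m     rate=10r/s;
limit_req_zone $binary_remote_addr zone=uploads:10m rate=2r/s;

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/ssl/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/app.example.com/privkey.pem;
    ssl_dhparam         /etc/ssl/dhparam.pem;   # needed for the DHE suites below

    # TLS 1.2 and 1.3 only; 1.0 and 1.1 are never negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Mozilla "Intermediate" list: ECDHE/DHE forward secrecy, AEAD ciphers only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location /api/ {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://backend;
    }

    # Longest-prefix match wins, so uploads get their own tighter bucket.
    location /api/uploads {
        limit_req zone=uploads burst=5 nodelay;
        client_max_body_size 50m;
        proxy_pass http://backend;
    }
}
```

A quick check after deploying such a block is `openssl s_client -connect app.example.com:443 -tls1_1`, which must fail the handshake, while `-tls1_2` and `-tls1_3` must succeed.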

GDPR & Compliance

  • Explicit consent mechanism with Consent Mode v2 for analytics
  • Sub-processor list maintained and publicly accessible
  • Data Processing Agreement (DPA) available for business customers
  • Legal entity: THE GROVVEST AI LTD, Cyprus (EU), HE 478768
  • Audit log retention 2 years (as required for tax document workflows)
  • Users under 18 cannot register (minimum age enforced at signup)
  • Right to erasure fully implemented — account + all data deleted on request

Why It Matters

Financial documents are
not ordinary files.

Email is not secure enough

Sending invoices and tax documents as email attachments means unencrypted storage, no access control, and no audit trail. TaxItEasy replaces this with an encrypted, access-controlled portal.

Shared drives are not GDPR-compliant

Google Drive and Dropbox are US-based and process data on non-EU servers by default. TaxItEasy's infrastructure is EU-only — built specifically for European data protection law.

You know exactly who accessed what

Every access to your documents is logged. If your tax advisor opened a file, you see it — with timestamp and IP. You are never in the dark about who has seen your financial data.

Security FAQ

Common questions
answered honestly.

Is TaxItEasy GDPR compliant?

Yes. TaxItEasy is fully GDPR compliant. All data is processed and stored within the European Union. You have the right to access, export, and delete your data at any time from your account settings. We maintain a publicly available sub-processor list and offer a Data Processing Agreement (DPA) for business customers.

Where is my data stored?

All data is stored and processed in the European Union — primary infrastructure and object storage are in Frankfurt, Germany (DigitalOcean EU region). Your documents and account data never leave the EEA; any sub-processor that handles data outside the EU is listed in our sub-processor list with its location, purpose and legal basis for transfer.

How is my data encrypted?

All data is encrypted in transit using TLS 1.2/1.3 and at rest using AES-256. Particularly sensitive fields — including tax IDs, bank account numbers, IBAN/SWIFT codes, and OAuth tokens — are additionally protected with field-level Fernet symmetric encryption. Download links for documents are presigned URLs that expire after 1 hour.

Who can access my documents?

Only you and the people you explicitly invite. Your tax advisor gets read-only access — they cannot edit, upload, or delete anything. Data is strictly isolated between companies; no user can access another company's data. TaxItEasy staff cannot access your documents without an explicit support request from you, and any such access is logged in the audit trail.

Does TaxItEasy support two-factor authentication?

Yes. TaxItEasy supports TOTP-based two-factor authentication (compatible with Google Authenticator, Authy, and any standard authenticator app). 2FA can be enabled in your account security settings and is strongly recommended for all users handling financial documents.

What happens to my data if I cancel?

After cancellation, your data remains fully accessible for 30 days so you can export everything. At the end of the 30-day period, all your data — documents, invoices, account data — is permanently and irreversibly deleted from our systems. You can also request immediate deletion at any time via your account settings.

Do you use any non-EU services?

Our infrastructure (servers, databases, object storage) is entirely EU-based. Some third-party services we use may be US-based (for example, for email delivery or payment processing) — these are listed in our sub-processor list with the legal basis for data transfer. Where possible, we use EU-based alternatives or rely on Standard Contractual Clauses (SCCs) for GDPR-compliant data transfers.

Documentation

Read the details.

Everything is documented, publicly accessible, and written in plain language.

Try it — for free.

No credit card. No commitment. See for yourself how TaxItEasy handles your documents securely.

Get Early Access →