Security

Your tax data, locked from us too.

We don't see your receipts. We don't read your bank transactions. Even if an employee opened the database directly, they'd see encrypted gibberish — nothing decrypts without your login. Plain English first — tech depth below.

Plain English

What we see — and what we don't.

Tax data is the most sensitive data you own. So our default isn't "trust us" — our default is "we built it so you don't have to".

What we cannot see

  • The content of your receipts — vendor names, amounts, line items, categories
  • Your bank transactions — counterparty, IBAN, reference text
  • Your tax IDs (VAT numbers, personal tax numbers)
  • Your 2-factor authentication secret
  • Your passwords (we never store them; only a one-way hash)

What we do see

  • How many receipts you have (so we can enforce plan limits)
  • Your email address + login times (account management)
  • Which bank you connected (NOT what's on it)
  • Error logs with PII scrubbed (so we can fix bugs)
  • Your billing & subscription state (handled by Stripe)

What about lawful court orders?

If we receive a legally binding court order, we cooperate to the minimum extent the law requires — and notify you, unless that order legally prohibits us from doing so. Every such request is recorded internally. We will publish a Transparency Report once we have meaningful numbers.

How it works

Your receipt's journey, in 4 steps.

[Image: smartphone with an encryption padlock, your data locked]

Encrypted before it leaves your device. Encrypted in transit. Encrypted at rest. Only your login can decrypt it.

1. You snap or forward

You photograph a receipt with the mobile app, drag a PDF into the browser, or forward an invoice email to your private TaxItEasy address.

2. The receipt is locked

Before it lands in our database, it's encrypted with a key that belongs only to your account. The key lives in a vault that only your logged-in account can open.

3. It travels to Frankfurt

Sent over an encrypted connection (HTTPS) to our servers in Frankfurt, Germany. Your data does not leave Europe.

4. It rests, locked

The server stores the encrypted file. We cannot read its contents. Only you can decrypt it again — by logging in.

The right to be forgotten — done properly

Click "Delete account". A 30-day window. Then your content is gone, mathematically.

1. You click "Delete account". Your account is locked the same second — nobody can log in, including you. We send you a restore link by email.

2. For 30 days you can change your mind: click the restore link, your account is back as if nothing happened. After 30 days, the restore link expires.

3. On day 31, your encryption key is deleted. Every receipt, invoice, bank transaction, OCR output, 2FA secret and email-integration token tied to your account becomes mathematically unreadable — for us, for our backups, forever. Your email address is anonymised so no one can connect old records to you.

4. What stays: a small audit trail ("user X deleted account on date Y") for legally required retention periods. The trail contains no financial content — only timestamped action records. We're required to keep this by tax law. After the retention period (see card below) it's removed automatically.

What stays — and for how long

Tax law requires us to keep certain records even after you delete your account. We keep the bare minimum, with no financial content.

  • Document & invoice audit entries: 10 years
  • Bank-transaction audit entries: 10 years
  • Account / login / share audit entries: 2 years
  • General system audit entries: 6 months
  • IP addresses in audit log: anonymised after 90 days
  • Stripe billing records: per Stripe's retention policy (legally required for tax)

Where your data lives

Your data lives in Frankfurt, Germany — in a data center operated by DigitalOcean (FRA1 region). It does not leave the European Union. We do not transfer storage to the United States.

The single exception is the AI extraction step: when we read what's on your receipt (vendor, amount, VAT, etc.), we send the document to the Anthropic Claude API in the United States — for the few seconds of processing — under EU-U.S. Data Privacy Framework + Standard Contractual Clauses, in zero-retention mode (Anthropic does not keep your document content). After extraction, your data goes back to Frankfurt and stays there.

For the technical reader: how the encryption works

If you're a CISO, IT lead, data-protection officer or just curious — here's what's under the hood.

Envelope encryption with a three-key hierarchy

  1. Master Key — lives outside the database, in our secrets vault. We use it only to unlock the next layer.
  2. Account Key — one per company, encrypted with the Master Key, stored in the database.
  3. File Key — one per receipt or invoice, encrypted with the Account Key. The actual document content is encrypted with this key.

All encryption uses AES-256-GCM, the same standard banks and governments use.

Why three keys instead of one

If we ever need to delete a customer's data permanently — for a GDPR right-to-erase request, for example — we delete their Account Key. The instant that key is gone, every receipt, every invoice, every transaction belonging to that company becomes mathematically unrecoverable. We don't have to track down every database row. The data is shredded by losing its key.

What we encrypt at the field level

Beyond document content, we encrypt sensitive individual fields directly in the database:

  • Tax IDs (VAT numbers, personal tax numbers)
  • Bank account numbers (IBAN)
  • Counterparty names and references on bank transactions
  • Raw OCR text and structured extraction results
  • 2-factor authentication secrets

Even if someone gained read-only access to the database, these fields would be unreadable without the per-account keys.
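The three-key hierarchy from the previous section and the field-level encryption described here can both be modelled with one AES-256-GCM wrap/unwrap pair. The Go below is an added illustration, not TaxItEasy's own code (its implementation is not on this page): Seal wraps each key under the one above it, Unwrap walks the chain back down, and the "ak:"/"fk:"/"doc:"/"iban:" labels bound into the ciphertext as associated data are this example's assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k } // 32 bytes = AES-256
func gcm(key []byte) cipher.AEAD { // every key here is 32 bytes, so a failure is a bug
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(b)
	return g
}

// Seal prepends a random nonce; aad names the blob's purpose and owner so a
// ciphertext cannot be replayed into another account's row or another column.
func Seal(key, pt []byte, aad string) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, []byte(aad))
}

// Open fails closed: a nil blob (a wrapped key deleted by crypto-shredding) is an error.
func Open(key, blob []byte, aad string) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("key shredded or blob truncated")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(aad))
}

// Unwrap walks a chain down from the Master Key: [wrapped Account Key, wrapped File Key, document]
// for a receipt, or [wrapped Account Key, IBAN] for a field. Deleting the first blob breaks every chain.
func Unwrap(master []byte, chain [][]byte, aads []string) ([]byte, error) {
	key := master
	for i, blob := range chain {
		pt, err := Open(key, blob, aads[i])
		if err != nil {
			return nil, err
		}
		key = pt // the plaintext of one layer is the key for the next
	}
	return key, nil
}
```

To store a receipt: Seal(master, accountKey, "ak:"+id) once per account, Seal(accountKey, fileKey, "fk:"+id) and Seal(fileKey, body, "doc:"+id) per document, and Seal(accountKey, iban, "iban:"+id) for a field-level value; Unwrap with the same labels reads them back, and passing nil as the first blob models the deleted Account Key.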

Authentication

  • 2-factor authentication (TOTP) available on every account, free or paid.
  • Session rotation — refresh tokens rotate on every use; if one is stolen and replayed, we detect it and invalidate the entire session family.
  • Rate limiting on login (5 attempts / 15 min) and password reset.
  • Optional Google Sign-In with verified ID tokens.
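The refresh-token rotation and replay detection described in the list above, as an added Go sketch that is not TaxItEasy's code (its session service is not published here); the in-memory Store stands in for the session table and is an assumption of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
)

var ErrReplay = errors.New("refresh token reuse detected: session family revoked")

// Store is an in-memory stand-in for the session table (constructed for this example).
type Store struct {
	mu      sync.Mutex
	family  map[string]string // refresh token -> session family it belongs to
	used    map[string]bool   // refresh tokens that have already been exchanged
	revoked map[string]bool   // families killed after a replay was seen
}

func NewStore() *Store { return &Store{family: map[string]string{}, used: map[string]bool{}, revoked: map[string]bool{}} }

func randomID() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }

// Login starts a new session family and issues its first refresh token.
func (s *Store) Login() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	token := randomID()
	s.family[token] = randomID()
	return token
}

// Refresh exchanges a refresh token for a new one. Tokens are single-use: a token that
// was already exchanged means two parties hold it, so the whole family is revoked and
// neither the legitimate client nor whoever copied the token can continue without login.
func (s *Store) Refresh(old string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	fam, ok := s.family[old]
	if !ok || s.revoked[fam] {
		return "", errors.New("unknown or revoked refresh token")
	}
	if s.used[old] {
		s.revoked[fam] = true
		return "", ErrReplay
	}
	s.used[old] = true
	next := randomID()
	s.family[next] = fam
	return next, nil
}
```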

Compliance

  • GDPR. We process data under Articles 6(1)(b) and 6(1)(c). DPA available on request and as an in-app download.
  • Right to erase. Triggered by you in the app. Crypto-shredding completes in seconds, not days.
  • Breach notification. If we detect a breach affecting your data, you and the relevant authority are notified within 72 hours.
  • Audit log. Every read, write, export and deletion is recorded with timestamp, IP address and user agent. Retained 10 years. Append-only — entries cannot be edited.

Certifications & assessments — roadmap

We don't currently hold third-party security certifications. Here's where we are and where we're going. Honest dates, not aspirational ones.

Google CASA Tier 2 — verification by end of Q2 2026

Pre-submission hardening shipped 27 April 2026 (token revocation on disconnect, Svix-signed webhooks, SPF/DKIM verification, fail-closed encryption requirements). Formal CASA Tier 2 verification is scheduled to complete by end of Q2 2026 (30 June 2026).


SOC 2 Type I — under evaluation, decision in 2026

We are evaluating whether to pursue SOC 2 Type I in late 2026. SOC 2 is primarily relevant for US enterprise buyers; our current focus is EU mid-market. We will publish a firm date if and when we engage an auditor. No date yet.


ISO 27001 — not on the 12-month roadmap

ISO 27001 typically takes 9–18 months and €30–80k. We will not pursue it in 2026. We may revisit in 2027 once revenue justifies the spend. We will publish a clear plan if and when this changes.


Independent penetration test — annual cadence

Last pentest: April 2026 (internal pre-submission review). First independent third-party pentest is scheduled for Q4 2026. Findings summary will be published on this page (raw report on request to enterprise customers under NDA).


Email security

Every inbound email to your private TaxItEasy address is verified with SPF and DKIM before we open it. Our webhook endpoint requires Svix-signed requests — unsigned requests are rejected with HTTP 503. Attachments are virus-scanned with ClamAV before they touch your account.
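How the "Svix-signed requests only" rule on the webhook endpoint can be enforced, as an added Go example (not TaxItEasy's code): it follows the signature scheme Svix documents (HMAC-SHA256 over "id.timestamp.body" with the base64 secret behind the "whsec_" prefix, "v1,<mac>" entries in the svix-signature header, five-minute timestamp tolerance), and the secret and message in the test are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

const Tolerance = 5 * time.Minute // how stale a signed request may be; Svix's SDKs use five minutes

// mac computes the Svix signed content: HMAC-SHA256 over "id.timestamp.body".
func mac(key []byte, id, ts string, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id + "." + ts + "."))
	m.Write(body)
	return m.Sum(nil)
}

// Verify checks the svix-id, svix-timestamp and svix-signature header values against the
// endpoint secret ("whsec_" + base64 key). The signature header carries one or more
// space-separated "v1,<base64 mac>" entries. Every failure path rejects the request (fail closed).
func Verify(secret, id, ts, sigHeader string, body []byte, now time.Time) error {
	key, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(secret, "whsec_"))
	if err != nil {
		return errors.New("bad secret encoding")
	}
	sent, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("missing or malformed svix-timestamp")
	}
	if d := now.Sub(time.Unix(sent, 0)); d > Tolerance || d < -Tolerance {
		return errors.New("timestamp outside tolerance (replay or clock skew)")
	}
	want := mac(key, id, ts, body)
	for _, entry := range strings.Fields(sigHeader) {
		version, sig, ok := strings.Cut(entry, ",")
		if !ok || version != "v1" {
			continue // unknown scheme versions are skipped, never trusted
		}
		got, err := base64.StdEncoding.DecodeString(sig)
		if err == nil && hmac.Equal(got, want) { // constant-time comparison
			return nil
		}
	}
	return errors.New("no valid v1 signature") // unsigned requests end here
}
```

The handler maps a non-nil error straight to the rejection response and never parses the body first, so the signature check is the only path into attachment scanning and account processing.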

Bank connections

Today we offer Revolut Business via direct OAuth integration. Statement upload (CSV/PDF) works with any bank. Multi-bank Open Banking via GoCardless and pan-EU PSD2 connectors are on the roadmap for 2026. We never store your bank login credentials — only OAuth tokens, encrypted with your Account Key.

Sub-processors

We use a small, named set of sub-processors:

  • DigitalOcean — primary infrastructure: Kubernetes (DOKS), managed PostgreSQL, Spaces object storage. Frankfurt, Germany (FRA1). DigitalOcean is a US-incorporated company; we mitigate CLOUD Act exposure via application-layer encryption (envelope encryption, MEK/UEK/DEK) so plaintext document data is never visible to the host.
  • Anthropic — Claude API for receipt reading. United States, zero-retention API mode. Transfer under EU-U.S. Data Privacy Framework + SCCs.
  • Stripe — payment processing. United States. Transfer under DPF + SCCs.
  • Resend — transactional email and inbound webhook. United States. Transfer under SCCs.
  • Sentry — error monitoring with PII scrubbing. United States. Transfer under DPF + SCCs.
  • Cloudflare — CDN, DDoS, WAF. Global edge with EU presence. Transfer under DPF + SCCs.

The full list with locations, transfer mechanisms and DPA references is on our sub-processors page. Customers are notified before any new sub-processor is added (14-day objection window).

Data protection impact assessment (DPIA)

Available on request to [email protected]. We document categories of data, lawful bases, retention periods, sub-processors, encryption design and breach procedures.

Responsible disclosure & vulnerability reporting

If you've found a security issue, we want to hear about it. We follow the RFC 9116 security.txt standard — our machine-readable contact lives at /.well-known/security.txt.

How to reach us

Our commitment to you

  • First reply within 48 hours.
  • Severity classification within 5 business days (CVSS 3.1).
  • Fix or mitigation timeline within 10 business days of triage.
  • Credit on our Hall of Fame when you follow responsible disclosure (see below).
  • No legal action against good-faith researchers who follow this policy.

What's in scope

  • taxiteasy.org and all sub-domains
  • app.taxiteasy.org (web app)
  • api.taxiteasy.org (REST API)
  • in.taxiteasy.org (inbound email)
  • Mobile apps (iOS, Android) once published

What's out of scope

  • Vendor-side issues on our sub-processors (Anthropic, Stripe, DigitalOcean, Cloudflare, Resend) — please report directly to the vendor.
  • Social engineering against staff.
  • Physical security.
  • Volumetric DDoS without proof of bypass.
  • Issues already known and tracked.

Bug bounty

We do not currently run a paid bug bounty programme. We may launch one once independent pentesting is in place (Q4 2026). For now we offer public credit (Hall of Fame) and direct communication with the team.

Hall of Fame

We thank the following researchers for responsibly reporting security issues:

This list is empty so far — we'd love to add you. Email [email protected].

Try it. Lock it down later.

Get started — free

✓ €0 forever   ✓ EU-hosted   ✓ DPA on request