IFRS Buddy is used by accountants, auditors, and CFOs who handle confidential financial data. We built security as a first principle, not an afterthought.
Verify our SSL rating on SSL Labs →Security at a glance
Six non-negotiable properties, enforced by design.
All traffic encrypted in transit with TLS 1.3. HTTP is permanently redirected to HTTPS. Weak ciphers disabled.
Database and backups encrypted with AES-256. Encryption keys never stored alongside data.
Your conversations are contractually excluded from AI model training — by us and by our AI providers.
All infrastructure runs in the Netherlands, EU. Your data never leaves the European Economic Area.
Full data subject rights: access, deletion, portability. Privacy by design from day one.
No passwords to steal. Single-use magic links expire in 15 minutes. No OAuth third-party tokens stored.
Security by plan
Higher-tier plans include stronger contractual guarantees and additional safeguards.
Infrastructure details
Netherlands, EU. Dedicated virtual server. No shared-tenant cloud hyperscaler.
TLS 1.3 with AEAD cipher suites (AES-GCM, ChaCha20). HSTS enforced. HTTP → HTTPS redirect permanent.
PostgreSQL with AES-256 encrypted storage. Backups encrypted and synced to Cloudflare R2 (EU jurisdiction) every 6 hours.
Passwordless magic links only. Tokens are single-use and expire after 15 minutes. JWTs signed with HS256, stored client-side only.
No tracking scripts, no cookies, no third-party analytics. Zero fingerprinting.
Stripe — PCI-DSS Level 1 certified. We never see or store card numbers.
Third-party services
No advertising networks. No data brokers. Every sub-processor listed below.
Processes queries to generate IFRS answers. Per Anthropic's API terms, API data is not used for model training. No PII is included in prompts.
Used for multi-model comparison on CFO plan only. OpenAI's API does not train on API data by default under their data processing agreement.
Handles all payment processing. We never see or store your card details. Stripe is PCI-DSS Level 1 certified.
Sends transactional emails (magic links). Only your email address is shared. No conversation content is transmitted.
DNS resolution and DDoS protection. Acts as a reverse proxy only — does not store conversation content. EU data localisation enabled.
Your IFRS questions, Excel files, and conversation history are yours alone. They are never used to fine-tune, train, or improve any AI model — not ours, not Anthropic's, not OpenAI's. This is a contractual commitment, not just a policy.
View plans →Found a security issue?
Please report it responsibly. We review all security reports and respond within 48 hours.
Contact us →