Security & Privacy

Your data belongs to you.

IFRS Buddy is used by accountants, auditors, and CFOs who handle confidential financial data. We built security as a first principle, not an afterthought.

Verify our SSL rating on SSL Labs →

Security at a glance

Six non-negotiable properties, enforced by design.

🔒

TLS 1.3

All traffic encrypted in transit with TLS 1.3. HTTP is permanently redirected to HTTPS. Weak ciphers disabled.

🛡️

AES-256 at rest

Database and backups encrypted with AES-256. Encryption keys never stored alongside data.

🚫

No AI training

Your conversations are contractually excluded from AI model training — by us and by our AI providers.

🇪🇺

EU data residency

All infrastructure runs in the Netherlands, EU. Your data never leaves the European Economic Area.

📋

GDPR compliant

Full data subject rights: access, deletion, portability. Privacy by design from day one.

🔑

Passwordless

No passwords to steal. Single-use magic links expire in 15 minutes. No OAuth third-party tokens stored.

Security by plan

Higher-tier plans include stronger contractual guarantees and additional safeguards.

Free / Base

  • TLS 1.3 in transit
  • Encrypted database
  • Passwordless login
  • No AI training on your data
Recommended

Professional

  • Everything in Free / Base
  • AES-256 encryption explicitly enforced
  • Contractual no-AI-training guarantee
  • Isolated conversation storage
  • Priority incident response
Enterprise

CFO

  • Everything in Professional
  • File reconciliation with encrypted diff reports
  • Excel + PPTX analysis — files processed and discarded immediately
  • Audit report with SHA-256 integrity hash
  • Dedicated support channel

Infrastructure details

Location

Netherlands, EU. Dedicated virtual server. No shared-tenant cloud hyperscaler.

Transport

TLS 1.3 with AEAD cipher suites (AES-GCM, ChaCha20). HSTS enforced. HTTP → HTTPS redirect permanent.

Database

PostgreSQL with AES-256 encrypted storage. Backups encrypted and synced to Cloudflare R2 (EU jurisdiction) every 6 hours.

Authentication

Passwordless magic links only. Tokens are single-use and expire after 15 minutes. JWTs signed with HS256, stored client-side only.

Analytics

No tracking scripts, no cookies, no third-party analytics. Zero fingerprinting.

Payments

Stripe — PCI-DSS Level 1 certified. We never see or store card numbers.

Third-party services

No advertising networks. No data brokers. Every sub-processor listed below.

Anthropic (Claude API)Zero retention

Processes queries to generate IFRS answers. Per Anthropic's API terms, API data is not used for model training. No PII is included in prompts.

OpenAI (GPT-4o — CFO tier)Zero retention

Used for multi-model comparison on CFO plan only. OpenAI's API does not train on API data by default under their data processing agreement.

StripePCI-DSS L1

Handles all payment processing. We never see or store your card details. Stripe is PCI-DSS Level 1 certified.

ResendEmail only

Sends transactional emails (magic links). Only your email address is shared. No conversation content is transmitted.

CloudflareDNS / DDoS

DNS resolution and DDoS protection. Acts as a reverse proxy only — does not store conversation content. EU data localisation enabled.

🚫

We never train AI on your data.

Your IFRS questions, Excel files, and conversation history are yours alone. They are never used to fine-tune, train, or improve any AI model — not ours, not Anthropic's, not OpenAI's. This is a contractual commitment, not just a policy.

View plans →

Found a security issue?

Please report it responsibly. We review all security reports and respond within 48 hours.

Contact us →