Security foundations for tax firms

Technical & organisational measures

• EU hosting with TLS encryption, monitored infrastructure and backups.
• Role-based access controls, multi-factor protection and audit-ready logs.
• Retention: demo, pilot and log data follow defined deletion schedules.
• Demos use anonymized samples; pilot data is shared only under AVV and agreed TOMs.

Retention & Deletion

Demo environments never hold real personal data; entries remain only for the current session and are deleted automatically after it ends.

Pilots process contact details, booking stacks and attachments solely under the AVV; this information is kept for a maximum of 12 months after the pilot ends or deleted earlier upon request, with structured backups retained for 30 days.

Operational and audit logs (errors, accesses, security events) remain for up to 90 days before automatic anonymisation or removal.

AVV & subprocessors

The order processing agreement (AVV) is signed before the pilot phase; a sample AVV (PDF) is downloadable and can also be provided by email on request. It outlines responsibilities, retention and deletion obligations together with your firm.

Concrete subprocessors:

• Hetzner Online GmbH – Region: Germany (EU); Purpose: Hosting of GPAA instances, snapshots and backups; Data types: encrypted customer data, infrastructure metrics and monitoring logs.
• Posteo e.K. – Region: Germany (EU); Purpose: Delivery of project status updates and support tickets; Data types: contact details, ticket texts, attachments only with explicit release.
• CleverReach GmbH & Co. KG – Region: Germany (EU); Purpose: Automatic reminders and pilot communications; Data types: email addresses, communication logs, opt-in records.
• OpenAI (EU region via Azure) – Region: EU (Frankfurt/Paris); Purpose: Optional AI support during workshops with explicit consent; Data types: anonymised prompts and feedback without any client-identifying data.