Privacy & hosting

Invoice data is sensitive. Here is how we handle it — short, concrete, no fine print.

No storage of invoice data

The API processes every request synchronously in memory. Invoice contents are never stored or logged — once the response is sent, they are gone.

Processed in Frankfurt

The API runs exclusively on servers in Frankfurt, Germany. All traffic is encrypted via HTTPS/TLS, without exception.

Or: your data never leaves your system

The browser validator and the embeddable WASM engine validate invoices entirely locally. For maximum confidentiality, no invoice ever reaches our servers.

The details

Hosting & sub-processors

The API is operated on Fly.io Inc. (USA) in the Frankfurt region. A data processing agreement including EU Standard Contractual Clauses is in place with Fly.io. The website is served via Cloudflare; API invoice data does not pass through Cloudflare.

Data minimisation

We only collect what operating the service requires: timestamp, endpoint and status of a request — never the contents of your invoices.

Data processing agreement (DPA)

A data processing agreement under Art. 28 GDPR is available for download (courtesy English translation; the German version prevails). Request a countersigned copy at [email protected].

Download DPA (PDF)

Questions about privacy or compliance? [email protected]