Invoice data is sensitive. Here is how we handle it — short, concrete, no fine print.
The API processes every request synchronously in memory. Invoice contents are never stored or logged — once the response is sent, they are gone.
The API runs exclusively on servers in Frankfurt, Germany. All traffic is encrypted via HTTPS/TLS, without exception.
The browser validator and the embeddable WASM engine validate invoices entirely locally. For maximum confidentiality, no invoice ever reaches our servers.
The API is operated on Fly.io Inc. (USA) in the Frankfurt region. A data processing agreement including EU Standard Contractual Clauses is in place with Fly.io. The website is served via Cloudflare; API invoice data does not pass through Cloudflare.
We only collect what operating the service requires: timestamp, endpoint and status of a request — never the contents of your invoices.
A data processing agreement under Art. 28 GDPR is available for download (courtesy English translation; the German version prevails). Request a countersigned copy at [email protected].
Questions about privacy or compliance? [email protected]