e-Rechnung·Inbox
Security & compliance

A public trust overview for e-invoices, DATEV-adjacent workflows and firm handoffs.

This page separates live safeguards from planned hardening. It is intentionally plain: no ISO certification, SOC 2 or external pentest claims until those attestations exist.

Live in the product

EU hosting & data residency

Supabase project data is hosted in EU/Frankfurt; Sentry is configured for the EU/DE region. The DPA template is linked in the footer.

Encryption

Transport uses TLS 1.3; data at rest is protected with AES-256 by the hosting provider. Key and provider operations follow the hosting platform.

Checked with the official KoSIT validator

The parser is checked against the official KoSIT validator. This is not an external KoSIT certificate or certification.

GoBD DB-level immutability

Active database triggers protect archived invoices and audit-relevant records from later mutation; 8-year retention applies to every plan.

Structured audit log with redaction

Central audit events record security- and billing-relevant actions; log output is cleaned through central redaction helpers.

Account-level 2FA

Supabase MFA is available and respected by the login flow when a second factor is enabled. Hardware-key enforcement is not live.

Custom domain & Mailgun routing

Custom-domain inboxes can be connected; routing is automated via Mailgun.

VAT ID checks via BZSt + VIES

Organizations can verify VAT IDs via BZSt and VIES; results are cached for 30 days.

Granular cookie consent

Analytics and marketing cookies are controlled by explicit consent and can be reopened from the footer.

HTTP security header hardening

Nonce-based CSP without unsafe-inline for scripts, HSTS preload, Permissions-Policy and COOP/COEP/CORP are active; CSP violations report to Sentry DE.

Tenant-isolation negative tests

RLS negative tests cover invoices, suppliers, payment accounts, audit events and active-org cookie forgery with real Supabase clients.

Security event taxonomy & Sentry alerts

Auth, admin, payment-data, CSP and IBAN risk events use a typed security-event API; Sentry DE alert rules are documented in the ops runbook.

IBAN/BEC defense workflow

New supplier IBANs are checked against known history, risk-scored, shown in inbox/detail warnings and must be explicitly confirmed before payment-adjacent exports.

Public API hardening

API keys are stored only as hashes (SHA-256 with a server-side pepper); per-key rate limits run on Upstash with a fail-closed posture; outbound webhooks are signed with HMAC-SHA256 and automatically deactivated after 5 consecutive delivery failures.

Security questions? Contact us via the imprint.
