Trust Center

Our commitment

Your documents stay private by default. We encrypt uploads before they land in storage, process them inside the authenticated application flow when a conversion runs, and keep product-improvement sharing turned off unless you or your workspace decide otherwise. This Trust Center explains the main controls and incident procedures. Detailed sub-processor, DPA, and transfer documentation is available on request as part of customer, audit, or procurement reviews.

Data we process

Doc2iXBRL processes three categories of personal data:

Account data

Email address and display name provided during sign-up via Supabase Auth.

Uploaded documents

PDF and DOCX financial reports uploaded for iXBRL conversion. These may contain names, addresses, and financial figures of natural persons.

Conversion metadata

Timestamps, processing status, selected framework, and validation results associated with each conversion.

Security measures

Encryption

Source files are encrypted before they are written to storage, so downloading a raw file directly from storage is not enough to read it. When you run a conversion, the app securely decrypts the file for that job and continues processing inside the platform. Other platform data remains encrypted at rest (AES-256) and in transit (TLS 1.2+).

EU primary hosting

Primary application hosting, database storage, and document persistence are configured in EU regions. Some limited processing or support activity may involve providers outside the EEA; where that happens, we rely on contractual and technical safeguards and can share details on request.

Access control

Users can only access their own conversions through authenticated app requests protected by Supabase row-level security. Internal review access for product improvement is blocked unless personal or workspace sharing has been switched on.

Continuity & recovery

Encrypted backups and documented recovery procedures are maintained for business continuity. Backup retention and recovery testing are reviewed periodically.

User-controlled sharing

We do not review uploaded source files for product improvement unless the relevant account owner has explicitly enabled sharing. You can keep files private by default and only switch sharing on if you want to help us improve extraction quality and workflow performance.

Private by default

New accounts and new workspaces start with improvement sharing turned off.

Account-level control

Each user can decide in account settings whether personal uploads may be shared with our team for quality improvements.

Workspace-level control

Workspace superadmins can make the same choice at workspace level for files uploaded under that workspace.

Compliance documentation

Customers, active prospects, auditors, and procurement or legal reviewers can request the compliance materials relevant to their review.

What we can share

Depending on the relationship and review context, we can provide:

• our current DPA template or customer DPA discussion points
• a current sub-processor list and processing-role summary
• transfer safeguard information, including SCC-based measures where relevant
• security measures summaries and incident response materials

How requests work

Send your request to our compliance contact with enough context for us to route it quickly.

• your company name and your role
• the documents or answers you need and any deadline
• whether the request is for a customer review, prospect evaluation, audit, or procurement process

Review context

We tailor the documentation package to the review you are carrying out.

• customer DPA or privacy review
• vendor onboarding or procurement review
• audit or compliance questionnaire follow-up
• security or incident-response review

Questions

If you need our DPA, current sub-processor list, transfer safeguard summary, or security documentation, please contact Ontos B.V..