Security, privacy, and compliance documentation.
Financial reports are sensitive. We treat them that way: with EU-configured hosting, encrypted storage, audited sub-processors, and clear documentation on what we do and don't do with your data.
EU-configured hosting
Primary hosting and storage are in the EU. Some limited processing may involve sub-processors outside the EEA under appropriate safeguards, documented per sub-processor where it applies.
AES-256 at rest, TLS 1.2+ in transit
Per-workspace key separation with envelope encryption via AWS KMS. Filings are encrypted both in transit and at rest.
Audited cloud and AI vendors
Cloud and AI sub-processors are selected from vendors with independently audited security programs. The full list and current status are available on request.
Role-based access control
Role-based access (RBAC) with an audit log per workspace. Single sign-on (SSO/SAML) is on the roadmap, not a current feature.
Human approval required
No filing leaves the platform without a reviewer's explicit approval. Suggestions are always editable and overridable.
GDPR-oriented controls
Data portability, deletion, and a signed DPA with sub-processor list and security measures available on request. Filings are deleted within 30 days of account or contract termination, and on request at any time.
Scope. Any audited security programs referenced apply to the relevant sub-processor's services and are not a certification of Doc2iXBRL itself. We will not claim coverage we do not have; the current state of our own controls is reviewed under NDA during procurement.
GDPR Article 33 response process
We maintain a documented incident response process aligned with the GDPR Article 33 breach-notification requirements, including assessment, containment, and notification steps.
Read our incident response process
Your filings never enter a training set.
We do not use your filings to train models. The no-train commitment is written into our DPA.
Read the full security measures