Security & GDPR
At VAT4U, we prioritize the confidentiality and integrity of the data we manage. We are committed to providing transparent information about our security practices to ensure customers trust us as their provider.
We constantly identify risks, implement best practices, and continuously enhance our security measures. For more details, visit our Trust Center.
Information Security Incident Management
The VAT4U team ensures fast and effective responses to security incidents through clear procedures and defined responsibilities. Key points include:
- Reporting: We have channels for reporting incidents, with all events logged in a security incident database.
- Incident Handling: Incidents are assessed, classified, and managed from identification to resolution.
- Continuous Improvement: Lessons from incidents are analyzed to prevent future issues and minimize impact.
Compliance
VAT4U is dedicated to maintaining the highest standards of data protection and security. We are fully compliant with the SOC (System and Organization Controls) framework, which ensures our services are securely managed. Additionally, we adhere to GDPR (General Data Protection Regulation) guidelines, guaranteeing the privacy and protection of personal data for our users.
VAT4U Privacy by Design Policy
At VAT4U, we prioritize the protection of personal information by embedding privacy considerations into every stage of our products and services. Here are the key principles of our Privacy by Design approach:
- Proactive Privacy: We integrate privacy into our processes from the design stage, not as an afterthought.
- Built-in Security: Privacy is embedded into product architecture, ensuring protection against unauthorized access.
- End-to-end Protection: Personal information is secured throughout its lifecycle, from collection to disposal.
Procedures Include:
- Conducting privacy impact assessments;
- Providing clear privacy notices and obtaining consent;
- Regularly reviewing compliance with laws.
VAT4U also provides privacy training to ensure accountability for all staff and third-party providers.
VAT4U Encryption Policy Overview
At VAT4U, we prioritize the security of your data by employing encryption both at rest and in transit.
Encryption in Transit
Data in transit refers to data actively moving across networks. To safeguard this, VAT4U encrypts all external and internal connections using the latest TLS (Transport Layer Security) standards. Specifically, we use TLS version 1.2 or higher to ensure secure access to our application through HTTPS. This guarantees that all data transferred, whether between our systems or external users, is fully encrypted.
Encryption at Rest
Data at rest is stored data, such as information on hard drives or cloud storage. VAT4U encrypts all data at rest using AES-256 encryption, a widely recognized industry standard. This ensures that no external entity, including cloud providers like Amazon, can access or extract data without our explicit consent. Additionally:
- We use managed databases provided by infrastructure partners that handle both encryption and key management;
- All storage where data is persisted is encrypted;
- Company laptops are encrypted according to our Endpoint Security Policy.
By combining these encryption methods, we provide strong, reliable data protection to prevent unauthorized access and ensure that your data remains secure at all times.
How We Handle Passwords at VAT4U
At VAT4U, we take password security very seriously, ensuring that your credentials remain safe and protected.
- Hashed, Not Stored in Plaintext: All user passwords are stored using one-way cryptographic hashing rather than reversible encryption, which makes recovering the original password from the stored value computationally infeasible. This ensures that no one, including us, can access or view your password.
- No Access to Logs: Passwords are filtered from all system logs, meaning they are never stored or accessible through any of our logging mechanisms. This adds another layer of security to safeguard your credentials.
- Password Verification Only: Our system is designed to verify passwords without ever knowing them. When you enter your password, the system checks its validity against the stored hash but does not store or reveal the original password at any point.
- Strong Password Requirements and 2FA: We enforce strong password requirements to protect your account. Additionally, two-factor authentication (2FA) is available for extra security, providing an added layer of protection.
By following these best practices, VAT4U ensures that your passwords remain secure, private, and compliant with the latest security standards.
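As an added illustration (not VAT4U's own code; the page does not name its hash function or logging pipeline), the following Python shows the two mechanisms described above: a salted one-way hash with constant-time verification, so only the hash is ever stored, and a logging filter that redacts password values before a record reaches any handler. The PBKDF2 parameters, the record format and the logger name are assumptions.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Assumed KDF parameters; the page does not state which algorithm or cost VAT4U uses.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$hash".
    Only this record is persisted; the plaintext is discarded after hashing."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    The original password cannot be derived from `stored`; it is only checked."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never raise into the auth path
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordRedactingFilter(logging.Filter):
    """Mask the value following a `password` key (key=value, key: value, JSON) in every record."""
    PATTERN = re.compile(r'(password["\']?\s*[:=]\s*["\']?)([^"\'&\s]+)', re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", record.getMessage())  # apply %-args first
        record.args = ()
        return True


def log_through_filter(message: str, *args) -> str:
    """Emit one record through a handler carrying the filter; return what the handler wrote."""
    stream = io.StringIO()
    logger = logging.Logger("demo")  # hypothetical, unattached logger
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PasswordRedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    return stream.getvalue().strip()
```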
Do We Store Your Personal Data?
At VAT4U, we do not store customer-specific data or personal information intentionally. However, some personal information, such as traveler details from travel expense documents (e.g., hotel invoices), may be present in the documents you upload.
While this information may appear in the documentation, it is not used for any data processing on our side, nor is it shared with any third-party provider. Although this data forms part of the documents required for VAT processing, we ensure that it does not play any role in our business operations.
For compliance purposes, we do not alter or remove this information from your documents, as doing so could violate the integrity of the original PDF and potentially make it non-compliant with tax administration requirements.
In summary, although we may have access to personal information in the documents you submit, it is not stored or used in any part of our processes.
Our Hosting Provider
VAT4U's system and databases are hosted on AWS servers located in Frankfurt, Germany, with a secondary disaster recovery location in Paris, France. This ensures high availability, reliability, and data protection across our infrastructure.