Security & AVV

Security foundations for tax firms

GPAA runs on EU hosting with TLS, documented access controls and anonymized demo datasets; real data is handled only via pilot or contact requests and deleted when no longer needed.

Data for pilots is collected only with consent and processed under defined retention rules.

Security overview

Summary: German servers (Hetzner, Nuremberg), encrypted, GDPR-compliant. Your firm controls every access. Client data never leaves the EU. Details below.

Technical & organisational measures
  • Your client data never leaves the EU. Hosting in Germany (Hetzner, Nuremberg) with TLS encryption, regular backups and secured infrastructure.
  • Role-based access controls, multi-factor protection and audit-ready logs.
  • Retention: demo, pilot and log data follow defined deletion schedules.
  • Demos use anonymized samples; pilot data is shared only under AVV and agreed TOMs.

Login & Access Security
  • Keycloak (Open Source, CNCF): Enterprise authentication — same standard used by banks and government agencies.
  • Face ID / Touch ID / Fingerprint: Biometric login via Passkey (WebAuthn/FIDO2) — no password required.
  • Two-Factor Authentication (2FA): Optional authenticator code (TOTP) in addition to password.
  • Encrypted Transmission: TLS 1.3, HSTS, secure cookies — no plaintext passwords transmitted.
  • Cross-Device: Passkey syncs via iCloud Keychain (Apple) or Google Password Manager (Android/Chrome).
  • Session Protection: Automatic logout on inactivity, optional remember-me.
  • Invitation System: Tax firm sets own password — no passwords sent via email, link expires after 24h.

GPAA does not store passwords — authentication is handled entirely by Keycloak with hashed credentials (bcrypt).

Retention & Deletion

Demo environments never hold real personal data; entries remain only for the current session and are deleted automatically after it ends.

Pilots process contact details, booking stacks and attachments solely under the AVV; this information is kept for a maximum of 12 months after the pilot ends or deleted earlier upon request, with structured backups retained for 30 days.

Operational and audit logs (errors, accesses, security events) remain for up to 90 days before automatic anonymisation or removal.

AVV & subprocessors

The order processing agreement (AVV) is signed before the pilot phase; a sample AVV (PDF) is available on request by email (info@dtnsoft.de). It sets out responsibilities, retention and deletion obligations, agreed together with your firm.

Concrete subprocessors:

  • Hetzner Online GmbH – Region: Germany (EU); Purpose: Hosting of GPAA instances, snapshots and backups; Data types: encrypted customer data, infrastructure metrics and monitoring logs.
  • Posteo e.K. – Region: Germany (EU); Purpose: Delivery of project status updates and support tickets; Data types: contact details, ticket texts, attachments only with explicit release.
  • CleverReach GmbH & Co. KG – Region: Germany (EU); Purpose: Automatic reminders and pilot communications; Data types: email addresses, communication logs, opt-in records.
  • OpenAI (EU region via Azure) – No access to client data. Region: EU (Frankfurt/Paris); Purpose: Optional AI support during workshops with explicit consent; Data types: anonymised prompts and feedback without any client-identifying data.