EU-first by design
Last updated 2026-05-26
Pactaro is built and operated entirely in the European Union. All customer data — including invoices, archive copies, and authentication tokens — is stored, processed, and accessed exclusively from EU jurisdictions.
We don’t replicate to the US. We don’t transfer to third countries. Your data stays in Europe.
Data residency
Every layer of our stack runs in the European Union. Each vendor below has signed a Data Processing Agreement with Pactaro under GDPR Article 28.
| Layer | Vendor | Region |
|---|---|---|
| Application database | Supabase (PostgreSQL) | EU Central (Frankfurt, Germany) |
| Application hosting | Vercel | EU edge regions |
| Long-term invoice archive (10y) | Cloudflare R2 (Object Lock) | EU jurisdiction |
| EU e-invoicing format conversion | Invopop S.L. (Spain) | Data hosted in EU (Belgium, Germany) |
| Error monitoring | Sentry | EU (Frankfurt) instance — de.sentry.io |
| Transactional email dispatch | Resend | EU (Ireland) dispatch; provider-side metadata in US under SCCs |
| Billing | Stripe Payments Europe Ltd | Ireland (EU) |
For the complete, dated list including data categories and DPA status, see our Sub-processors page.
Compliance posture
Today
- ✅ GDPR-compliant by design (data minimisation, lawful basis documented, data-subject rights honoured)
- ✅ EU data residency — no US or third-country processing in normal operation
- ✅ Encryption in transit — TLS 1.3 minimum, HSTS preload
- ✅ Encryption at rest — AES-256 (database, file storage). OAuth refresh tokens additionally encrypted with pgsodium AEAD-DET, key-bound to tenant + integration
- ✅ Row-Level Security on every customer-data table — Postgres RLS with FORCE so admin queries are also constrained
- ✅ Immutable 10-year invoice archive — Cloudflare R2 Object Lock in Compliance mode (meets §147 AO retention)
- ✅ Webhook signature verification (HMAC-SHA256), idempotency, replay-safe dedup window
- ✅ EU-jurisdiction error monitoring with PII redaction
- ✅ Founder-led incident response — 24h weekday SLA, 72h GDPR Art. 33 breach notification
In progress
| Standard | Status | Target |
|---|---|---|
| SOC 2 Type I | Engaging auditor | Q3 2026 |
| ISO 27001 | Planning phase | 2027 |
| BSI C5 (German cloud-services attestation) | Under consideration | Demand-based |
For enterprise customers, on request
- Penetration test summary (under NDA, available Q4 2026)
- Detailed security questionnaire response (SIG Lite, CAIQ)
- Counter-signed DPA via DocuSign
Security overview
We follow the principle of “compliance by isolation.” Each customer’s data is logically separated by Postgres Row-Level Security policies enforced at the database engine level — not just in application code. RLS is enabled with FORCE so that even administrative queries (running as the postgres superuser) are constrained to the queried tenant.
OAuth refresh tokens for connected QuickBooks Online and Xero accounts are encrypted with pgsodium AEAD-DET, with the Additional Authenticated Data (AAD) bound to both the tenant ID and the integration ID. This means a refresh token cannot be decrypted with a different tenant’s context — preventing both database-dump replay and cross-tenant token reuse.
All HTTPS traffic uses TLS 1.3 with strict cipher selection and HSTS preload. We do not accept TLS 1.0 or 1.1.
We do not log Personal Identifiable Information (PII), VAT identification numbers, customer email content, or full invoice payloads. Our logging redaction layer rejects log objects containing these keys at the source.
In the event of a security incident affecting your data, you will be notified by the founder personally within 72 hours of confirmed discovery, per GDPR Article 33 timing requirements.
Documents
- Data Processing Agreement (DPA) — required for every customer; current draft published for review pending lawyer sign-off
- Sub-processors list — public, dated, with 30-day-advance change-notice commitment
- Privacy policy
- Cookie policy
- Terms of Service
Data Protection Officer
For privacy, GDPR, or data-related questions, contact our Data Protection Officer:
You may also exercise any of your GDPR rights (access, rectification, erasure, portability, objection, restriction) by emailing this address. We respond within 30 days; usually within 5 business days.
Wassim Ben Salem — Operator, Pactaro service
(Pactaro B.V. — Netherlands — in formation)