Trust Center

Security & Compliance

Everything you need to know about how Invoice Navigator handles your data, maintains security, and ensures compliance with EU regulations.

GDPR Compliant
🇪🇺 EU Data Storage
TLS 1.3 Encrypted
EN 16931 Conformant
ViDA-Ready
DPA Available
Last updated: February 16, 2026

Company Information

Legal Entity

Company: CCC Impact BV

Trading as: Invoice Navigator

Location: Apeldoorn, The Netherlands

Founded: 2024

Business Continuity

Your data is always accessible

If Invoice Navigator ceases operations:

  • 90-day notice period for all customers
  • Full data export tools available
  • Evidence Packs remain verifiable (public keys archived)
  • API versioning ensures integration stability during transition

Data Handling

What we store

Invoice files

Temporarily stored for processing, auto-deleted

Validation results

Error counts, metadata, compliance status

Evidence Packs

Cryptographically signed validation certificates

Account information

Email, company name, subscription details

Where it's stored

European Union (Frankfurt, Germany)

All data is stored on Supabase infrastructure, which runs on AWS eu-central-1.

Retention periods

| Data Type | Retention |
| --- | --- |
| Uploaded invoices (XML/PDF) | 24 hours, then auto-deleted |
| Validation history (Free tier) | 7 days |
| Validation history (Pro tier) | 1 year |
| Validation history (Business tier) | Unlimited |
| Evidence Packs | Per plan (30 days to 7 years) |
| API usage logs | 90 days |
| Account data | Duration of service + 90 days |

Data deletion

Users can delete their data at any time from the dashboard. Account deletion removes all associated data within 30 days. Contact legal@invoicenavigator.eu for data export or deletion requests.

AI and data training

We do NOT use your data to train AI models

Invoice content processed via our AI assistant is transient and not stored or used for model training by us or our AI provider (Anthropic).

Data handling by feature

Different features process data in different locations. Most features are 100% EU-based. Only the PDF Converter uses US-based AI processing.

| Feature | Processing Location | Data Stored |
| --- | --- | --- |
| Invoice Validator | 🇪🇺 EU only (Frankfurt) | Validation results only |
| Invoice Fixer | 🇪🇺 EU only (Frankfurt) | Validation results only |
| PDF Converter | 🇺🇸 US (Anthropic API) | Transient only (not stored) |
| Evidence Packs | 🇪🇺 EU only (Frankfurt) | Signed PDFs stored per plan |
| Dashboard / History | 🇪🇺 EU only (Frankfurt) | Validation history per plan |
| API Access | 🇪🇺 EU only (Frankfurt) | Usage logs (90 days) |

100% EU Data Residency

If you require 100% EU data residency, avoid the PDF Converter feature. Use our Validator and Fixer directly with XML invoices for EU-only processing.

Sub-processors

We use the following third-party services to provide Invoice Navigator. All processors are GDPR-compliant and bound by data processing agreements.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase | Database and authentication | EU (Frankfurt) |
| AWS S3 | File storage (invoices, evidence packs) | EU (Frankfurt) |
| Vercel | Application hosting and CDN | EU edge nodes |
| Stripe | Payment processing | EU |
| Resend | Transactional email delivery | US |
| Anthropic | AI chat assistant (transient processing only) | US |
| Upstash | Rate limiting and caching | EU (Frankfurt) |
| Sentry | Error monitoring (no PII) | EU |

We notify customers 30 days before adding new sub-processors that process customer data. Subscribe to updates at legal@invoicenavigator.eu.

Security

Encryption

  • In transit: TLS 1.3 for all connections
  • At rest: AES-256 encryption

Authentication

  • Email/password with bcrypt hashing
  • API keys with SHA-256 hash storage
  • Session tokens with 30-day expiry
  • Secure cookies (HttpOnly, Secure, SameSite)

Rate limiting

All API endpoints are protected by tier-based rate limiting using a sliding window algorithm:

  • Anonymous: 10/day
  • Free: 10/hour
  • Pro: 100/hour
  • Business: 1,000/hour

Infrastructure

  • All infrastructure runs on SOC 2 Type II + ISO 27001 certified providers (Vercel, AWS, Supabase)
  • Automated security updates and patching
  • DDoS protection via Vercel edge network
  • Continuous monitoring and alerting

MFA and SSO coming soon

Multi-factor authentication and SSO are planned for Q2 2026. Enterprise customers requiring SSO can contact us for early access.

Evidence Pack Verification

Every Evidence Pack is cryptographically signed to prove authenticity and prevent tampering. This provides audit-ready proof of compliance.

How it works

1. We create a SHA-256 hash of your invoice content
2. We sign the validation result with our RSA-2048 private key
3. The signature is embedded in the Evidence Pack
4. Anyone can verify the signature using our public key

Verify an Evidence Pack

Online

www.invoicenavigator.eu/verify/[id]

API

GET /api/v1/verify/[id]

Public key

Current signing key

Key ID: ep-signing-2025-01

Algorithm: SHA256-RSA-PKCS1

View public key (JWK format)
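
The four steps above, seen from the verifier's side, as an added example that is not Invoice Navigator's own code: it recomputes the invoice's SHA-256 hash, then checks an RSA PKCS#1 v1.5 / SHA-256 signature against a JWK public key. The pack fields (`keyId`, `invoiceSha256`, `result`, `signature`), the serialization in `signedBytes` and the throwaway key pair in `makeFixture` are assumptions, since the page does not publish the real Evidence Pack layout.

```javascript
// Added example: offline verification of a signed validation result.
// The pack layout and serialization here are hypothetical, not the vendor's.
const crypto = require('crypto');

const KEY_ID = 'ep-signing-2025-01'; // key ID stated on the page

// Bytes covered by the signature. Assumption: JSON of the signed fields in a
// fixed order; a real verifier must use the vendor's exact serialization.
function signedBytes(pack) {
  return Buffer.from(JSON.stringify([pack.keyId, pack.invoiceSha256, pack.result]));
}

function verifyEvidencePack(pack, invoiceBytes, jwk) {
  if (pack.keyId !== KEY_ID || jwk.kid !== KEY_ID) return 'unknown-key';
  if (jwk.kty !== 'RSA') return 'wrong-key-type';
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (publicKey.asymmetricKeyDetails.modulusLength < 2048) return 'weak-key';
  // Step 1: the pack must refer to exactly the invoice we hold.
  const digest = crypto.createHash('sha256').update(invoiceBytes).digest('hex');
  if (digest !== pack.invoiceSha256) return 'invoice-mismatch';
  // Steps 2-4: RSASSA-PKCS1-v1_5 with SHA-256 (Node's default RSA padding).
  const sig = Buffer.from(pack.signature, 'base64');
  return crypto.verify('sha256', signedBytes(pack), publicKey, sig)
    ? 'valid' : 'bad-signature';
}

// Constructed fixture: a throwaway key pair stands in for the vendor's
// signing key so the example runs offline.
function makeFixture() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid: KEY_ID };
  const invoice = Buffer.from('<Invoice><ID>CONSTRUCTED-001</ID></Invoice>');
  const pack = {
    keyId: KEY_ID,
    invoiceSha256: crypto.createHash('sha256').update(invoice).digest('hex'),
    result: { status: 'pass', errors: 0 },
  };
  pack.signature = crypto.sign('sha256', signedBytes(pack), privateKey).toString('base64');
  return { pack, invoice, jwk };
}

const demo = makeFixture();
console.log(verifyEvidencePack(demo.pack, demo.invoice, demo.jwk));
```

Returning a reason code instead of a boolean lets an audit log distinguish a swapped invoice from an altered result or an unexpected signing key.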

API & Reliability

Uptime Commitment

  • Uptime SLA: 99.9%
  • Avg Response: <100ms
  • Primary Region: EU

Status & Monitoring

We monitor service health 24/7. For current status or incident reports, contact status@invoicenavigator.eu.

API Versioning Policy

  • Semantic versioning: All API changes follow semver (v1, v2, etc.)
  • Deprecation notice: 12 months minimum before removing any API version
  • Breaking changes: Never within a major version; 6-month notice for new major versions
  • Changelog: All changes documented in our regulatory changelog

Rate Limits

Generous limits designed to support real-world usage without throttling legitimate traffic.

  • Free: 100/mo, 10/min
  • Startup: 1K/mo, 60/min
  • Growth: 5K/mo, 120/min
  • Scale: 25K/mo, 300/min

Incident Response

We take security incidents seriously. Here's our commitment to transparency and rapid response.

Response Timeline

  • <1 hour: Initial assessment and internal escalation
  • <4 hours: Customer notification if data affected
  • <24 hours: Detailed incident report to affected customers
  • <72 hours: GDPR notification to authorities if required

Notification Channels

Email Notifications

Direct notification to account owners for any incidents

In-App Alerts

Dashboard notifications for service updates

Incident History

No security incidents to date

Invoice Navigator has not experienced any security breaches or data incidents since launch. This section will be updated if any incidents occur, in line with our commitment to transparency.

Compliance Monitoring

We monitor official sources across 27 EU countries to keep compliance data current. This is our core differentiator - you always have the latest regulatory requirements.

What we monitor

  • Tax authority websites (BMF, DGFiP, Agenzia delle Entrate, etc.)
  • EUR-Lex for EU directives and regulations
  • Official gazettes and government announcements
  • Peppol and OpenPeppol specifications

How updates work

1. Automated system detects changes (checked daily)
2. AI classifies the change type and urgency
3. Human reviews and approves before anything goes live
4. All changes logged with source attribution

Transparency

Last verified dates

Every country page shows when data was last verified

Source attribution

Every fact links to its official source

Certifications & Compliance

Data Protection & Privacy

GDPR compliant
Data stored in EU (Frankfurt)
DPA available on request
SCCs for US sub-processors

Infrastructure Provider Certifications

Invoice Navigator runs on certified cloud infrastructure. While these are our providers' certifications (not ours directly), your data benefits from their security controls.

Vercel

Application hosting & CDN

SOC 2 Type II, ISO 27001

Amazon Web Services (eu-central-1)

Database, storage, and compute infrastructure

SOC 2 Type II, ISO 27001, BSI C5, ISO 27017, ISO 27018

Supabase

Database and authentication

SOC 2 Type II, HIPAA

E-Invoicing Standards Conformance

Invoice Navigator validates and fixes invoices against the official European e-invoicing standards. Our validation engine implements the complete rule sets published by CEN TC/434 and OpenPeppol.

| Standard | Version | Rules Implemented | Status |
| --- | --- | --- | --- |
| EN 16931 | v1.3.11 | 65+ business rules (BR-01 to BR-65) | Conformant |
| Peppol BIS Billing | v3.0.17 | 120+ Peppol-specific rules | Conformant |
| XRechnung | v3.0.2 | BR-DE rules + Schematron | Conformant |
| Factur-X / ZUGFeRD | v1.0.07 | CII + PDF/A-3 profiles | Conformant |
| FatturaPA | v1.2.2 | Italian SDI format rules | Conformant |

Validation tested against official test suites

Our validation engine is tested against 450+ official test invoices from CEN TC/434, OpenPeppol, and KoSIT (German Coordination Office for IT Standards). Test results are verified on every release.

EU Regulatory Compliance

EU Directive 2014/55/EU

Validates invoices against the EN 16931 semantic data model required by the EU e-invoicing directive.

ViDA-Ready

Supports structured e-invoicing formats required by the VAT in the Digital Age initiative (adopted March 2025).

EN 16931 Conformant

Full implementation of CEN TC/434 business rules with 450+ test invoice verification.

Peppol Network Compatible

Validates Peppol BIS Billing 3.0 invoices for cross-border e-invoicing compliance.

Planned Certifications

CSA STAR Level 1 (Q2 2026)

Cloud Security Alliance self-assessment (free, public registry)

OpenPeppol Observer Membership (Q2 2026)

Official observer status with the OpenPeppol association

SOC 2 Type II (Q4 2026)

Independent audit of security controls

ISO 27001 (2027)

Information security management system certification

Contact