TRUST CENTER
Trust is the foundation,
not a feature.
Tax advisory firms handle their clients' most sensitive data. Here you will find all information on data protection, security and compliance at Fiscova — transparent and complete.
Binding legal documents are provided in German.
GDPR & § 203 StGB
Data processing and professional secrecy protection.
Fiscova acts as a data processor within the meaning of Art. 28 GDPR. We conclude a data processing agreement (DPA) with every firm before any production data is processed.
As client data is subject to professional secrecy under § 203 StGB, we treat all content as protected professional data. Employees and subprocessors are contractually bound to maintain professional secrecy (§ 203 para. 4 StGB, § 62a StBerG).
Download DPA (PDF) →Hosting & Data Location
Hetzner data centre, Nuremberg, Germany.
The production environment runs in the Hetzner data centre in Nuremberg. All client data remains within the EU.
Core data (call recordings, transcripts, email content, file data) remains within the EU. Where subprocessors are involved in processing core data, they are contractually bound pursuant to Art. 28 GDPR; any third-country transfers take place exclusively on the basis of EU standard contractual clauses or DPF certification. AI models are accessed via EU endpoints (see Section 04).
Encryption
TLS 1.3 in transit, AES-256 at rest.
- TLS 1.3 for every inbound and outbound connection.
- AES-256 encryption for data at rest in the database and filesystem.
- Object storage (attachments, audio files) is additionally encrypted server-side.
- Key rotation and a separate key management key hierarchy.
No Training on Client Data
Contractually guaranteed, technically enforced.
Client data is never used to train AI models — neither by Fiscova nor by the underlying model providers. This commitment is contractually fixed in the agreements with our AI service providers (AWS Bedrock, Deepslate) ("Zero Data Retention").
Technically enforced: AI models are accessed exclusively via dedicated EU endpoints. Inputs and outputs are not persisted.
Human-in-the-Loop
Nothing is sent without approval.
Fiscova drafts, classifies and proposes — a person reviews and approves. There is no automated outbound communication without the explicit approval of an authorised person at the firm.
Every automated action (call handling, email draft, DATEV handover) is recorded in an immutable audit log. Logs are retrievable in audit-proof form for 12 months.
WhatsApp — GDPR-Compliant
WhatsApp Business Cloud API with EU controller.
We use the WhatsApp Business Cloud API with Meta Ireland as EU controller. Content is additionally mirrored in our Nuremberg infrastructure and treated in accordance with the requirements of § 203 StGB.
Clients are informed about the communication channel before first use. Incoming messages arrive immediately in the firm's Fiscova inbox and are subject to the same retention and deletion obligations as email or phone.
Access & Authentication
SSO, mandatory MFA for admins, granular roles.
- Single Sign-On (SSO) via Microsoft 365 / Entra ID.
- Mandatory MFA for administrative roles, optional for all users.
- Granular role and permission models per client, channel and function.
- Session lifetime and IP allow-listing configurable.
Backups & Recovery
Daily backups, 30-day retention, RTO < 4 h.
- Daily encrypted backups of the production database.
- 30-day retention; geographically separate backup target within Germany.
- Recovery Time Objective (RTO) < 4 hours.
- Quarterly recovery tests.
Subprocessors
Full list with advance notice of any changes.
We announce any change to the subprocessor list at least four weeks in advance. Firms may object to a change in writing on material data protection grounds.
As of 9 June 2026
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of the production environment (frontend, backend, DB, object storage) | Nuremberg, DE | View DPA |
| Cloudflare, Inc. | DNS, CDN, WAF | USA / global CDN (DPF + EU-SCC) | View DPA |
| Clerk, Inc. | Authentication / login | USA (DPF + EU-SCC) | View DPA |
| sipgate GmbH | Telephony / SIP routing | Düsseldorf, DE | View DPA |
| Amazon Web Services (Bedrock) | AI models (EU endpoint) | EU – Frankfurt, eu-central-1 (DPF + EU-SCC) | View DPA |
| Deepslate | Voice AI / speech processing | Germany | on request |
| Google Ireland Ltd. | Gmail API integration (email integration) | EU region / USA (DPF + EU-SCC) | View DPA |
| Microsoft Ireland | Outlook / M365 integration | EU Data Boundary (DPF + EU-SCC) | View DPA |
| Meta Platforms Ireland | WhatsApp Business Cloud API | Ireland, EU (DPF + EU-SCC) | View DPA |
| Stripe Payments Europe Ltd. | Payment processing / billing | Ireland / USA (DPF + EU-SCC) | View DPA |
| Klardaten | DATEV / accounting connector | Germany | on request |
| Documenso | Electronic signature | self-hosted (Hetzner), DE | self-hosted |
| n8n | Automation / workflows | self-hosted (Hetzner), DE | self-hosted |
For the public website (without client data) we additionally use Vercel (hosting), Supabase (forms) and HubSpot (CRM) — details in the privacy policy.
Download the full sub-processor list (PDF) →Certifications & Standards
ISO 27001 in preparation, BSI baseline protection, secure firm integrations.
- ISO 27001 in preparation (audit roadmap available on request).
- Alignment with BSI IT-Grundschutz compendium.
- GDPR- and § 203-compliant integration with firm software (DATEV, ADDISON, Simba, Agenda).
- Penetration tests by an external security firm at least annually.
Data Protection Contact
Data protection contact and compliance enquiries.
For enquiries regarding data protection, data processing and data subject rights, please contact us at:
- Data Protection Contact
- Tobias Wedel
- Postal address
- Fiscova GmbHDonaustraße 4412043 Berlin
Downloads
Contractual templates and data protection documents.
- Data Processing Agreement pursuant to Art. 28 GDPR (PDF) →Standard agreement pursuant to Art. 28 GDPR with annexes (TOMs, sub-processors, professional-secrecy concept).
- Technical and Organisational Measures (PDF) →Fiscova's security measures for processing personal data pursuant to Art. 32 GDPR.
- Sub-processor List (PDF) →Complete list of the sub-processors engaged (annex to the DPA).
- Confidentiality and Professional-Secrecy Concept (PDF) →Protection of professional secrecy under § 203 StGB within the data processing (annex to the DPA).
- Deletion and Retention Policy (PDF) →How Fiscova deletes, anonymises, returns or retains personal data.
- Template for firms informing their clients about Fiscova (PDF) →Template for firms to inform their clients about the use of Fiscova (Art. 13/14 GDPR).