Skip to content
Fiscova

TRUST CENTER

Trust is the foundation,
not a feature.

Tax advisory firms handle their clients' most sensitive data. Here you will find all information on data protection, security and compliance at Fiscova — transparent and complete.

Binding legal documents are provided in German.

SECTION 01

GDPR & § 203 StGB

Data processing and professional secrecy protection.

Fiscova acts as a data processor within the meaning of Art. 28 GDPR. We conclude a data processing agreement (DPA) with every firm before any production data is processed.

As client data is subject to professional secrecy under § 203 StGB, we treat all content as protected professional data. Employees and subprocessors are contractually bound to maintain professional secrecy (§ 203 para. 4 StGB, § 62a StBerG).

Download DPA (PDF) →
SECTION 02

Hosting & Data Location

Hetzner data centre, Nuremberg, Germany.

The production environment runs in the Hetzner data centre in Nuremberg. All client data remains within the EU.

Core data (call recordings, transcripts, email content, file data) remains within the EU. Where subprocessors are involved in processing core data, they are contractually bound pursuant to Art. 28 GDPR; any third-country transfers take place exclusively on the basis of EU standard contractual clauses or DPF certification. AI models are accessed via EU endpoints (see Section 04).

SECTION 03

Encryption

TLS 1.3 in transit, AES-256 at rest.

  • TLS 1.3 for every inbound and outbound connection.
  • AES-256 encryption for data at rest in the database and filesystem.
  • Object storage (attachments, audio files) is additionally encrypted server-side.
  • Key rotation and a separate key management key hierarchy.
SECTION 04

No Training on Client Data

Contractually guaranteed, technically enforced.

Client data is never used to train AI models — neither by Fiscova nor by the underlying model providers. This commitment is contractually fixed in the agreements with our AI service providers (AWS Bedrock, Deepslate) ("Zero Data Retention").

Technically enforced: AI models are accessed exclusively via dedicated EU endpoints. Inputs and outputs are not persisted.

SECTION 05

Human-in-the-Loop

Nothing is sent without approval.

Fiscova drafts, classifies and proposes — a person reviews and approves. There is no automated outbound communication without the explicit approval of an authorised person at the firm.

Every automated action (call handling, email draft, DATEV handover) is recorded in an immutable audit log. Logs are retrievable in audit-proof form for 12 months.

SECTION 06

WhatsApp — GDPR-Compliant

WhatsApp Business Cloud API with EU controller.

We use the WhatsApp Business Cloud API with Meta Ireland as EU controller. Content is additionally mirrored in our Nuremberg infrastructure and treated in accordance with the requirements of § 203 StGB.

Clients are informed about the communication channel before first use. Incoming messages arrive immediately in the firm's Fiscova inbox and are subject to the same retention and deletion obligations as email or phone.

SECTION 07

Access & Authentication

SSO, mandatory MFA for admins, granular roles.

  • Single Sign-On (SSO) via Microsoft 365 / Entra ID.
  • Mandatory MFA for administrative roles, optional for all users.
  • Granular role and permission models per client, channel and function.
  • Session lifetime and IP allow-listing configurable.
SECTION 08

Backups & Recovery

Daily backups, 30-day retention, RTO < 4 h.

  • Daily encrypted backups of the production database.
  • 30-day retention; geographically separate backup target within Germany.
  • Recovery Time Objective (RTO) < 4 hours.
  • Quarterly recovery tests.
SECTION 09

Subprocessors

Full list with advance notice of any changes.

We announce any change to the subprocessor list at least four weeks in advance. Firms may object to a change in writing on material data protection grounds.

As of 9 June 2026

ProviderPurposeLocationDPA
Hetzner Online GmbHHosting of the production environment (frontend, backend, DB, object storage)Nuremberg, DEView DPA
Cloudflare, Inc.DNS, CDN, WAFUSA / global CDN (DPF + EU-SCC)View DPA
Clerk, Inc.Authentication / loginUSA (DPF + EU-SCC)View DPA
sipgate GmbHTelephony / SIP routingDüsseldorf, DEView DPA
Amazon Web Services (Bedrock)AI models (EU endpoint)EU – Frankfurt, eu-central-1 (DPF + EU-SCC)View DPA
DeepslateVoice AI / speech processingGermanyon request
Google Ireland Ltd.Gmail API integration (email integration)EU region / USA (DPF + EU-SCC)View DPA
Microsoft IrelandOutlook / M365 integrationEU Data Boundary (DPF + EU-SCC)View DPA
Meta Platforms IrelandWhatsApp Business Cloud APIIreland, EU (DPF + EU-SCC)View DPA
Stripe Payments Europe Ltd.Payment processing / billingIreland / USA (DPF + EU-SCC)View DPA
KlardatenDATEV / accounting connectorGermanyon request
DocumensoElectronic signatureself-hosted (Hetzner), DEself-hosted
n8nAutomation / workflowsself-hosted (Hetzner), DEself-hosted

For the public website (without client data) we additionally use Vercel (hosting), Supabase (forms) and HubSpot (CRM) — details in the privacy policy.

Download the full sub-processor list (PDF) →
SECTION 10

Certifications & Standards

ISO 27001 in preparation, BSI baseline protection, secure firm integrations.

  • ISO 27001 in preparation (audit roadmap available on request).
  • Alignment with BSI IT-Grundschutz compendium.
  • GDPR- and § 203-compliant integration with firm software (DATEV, ADDISON, Simba, Agenda).
  • Penetration tests by an external security firm at least annually.
SECTION 11

Data Protection Contact

Data protection contact and compliance enquiries.

For enquiries regarding data protection, data processing and data subject rights, please contact us at:

Data Protection Contact
Tobias Wedel
Postal address
Fiscova GmbHDonaustraße 4412043 Berlin