Security & Data Privacy
Your data is yours.
Full stop.
VATHack is built on a zero-retention architecture. We analyse your sales data and return the results — we don't store, sell, or train on it.
TLS 1.3 encrypted
GDPR compliant
EU data residency
No password storage
Zero data retention
Google Auth only
Encryption in Transit & at Rest
- All data transmitted over HTTPS/TLS 1.3 — no plain-text connections allowed.
- Firebase and Supabase enforce AES-256 encryption at rest by default.
- JWT tokens are short-lived and validated server-side on every authenticated request.
Data Handling Policy
- CSV uploads are processed server-side in memory and are never written to a persistent database.
- Calculation results are stored only in the user's own browser (localStorage) — not on our servers.
- No employee has access to your uploaded sales data at any point.
Access Controls
- Authentication via Google Sign-In (Firebase Auth) — no passwords stored by VATHack.
- Role-based access: free plan users are limited to 2 uploads/month; paid plans unlock full access.
- Admin access is restricted to a hardcoded allowlist — no shared admin credentials.
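The server-side token validation and the hardcoded admin allowlist described above (and the short-lived JWT check in the encryption section) sketched as an added illustrative example; this is not VATHack's code, which the page does not show. It mints an HS256 token locally as a stand-in for the Google/Firebase ID token (which in production is RS256-signed and verified with the Firebase Admin SDK's verify_id_token); the secret, allowlist address, token lifetime and quota constant are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example only: VATHack's real signing keys, allowlist
# and plan limits are not on the page; a real Firebase ID token is verified by the SDK.
SECRET = b"example-signing-secret-not-real"
ADMIN_ALLOWLIST = frozenset({"admin@example.com"})  # hardcoded allowlist, no shared admin login
FREE_PLAN_UPLOADS_PER_MONTH = 2
TOKEN_TTL_SECONDS = 900  # short-lived: 15 minutes

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, now=None) -> str:
    """Stand-in for the identity provider: issue a short-lived HS256 token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**claims, "iat": now, "exp": now + TOKEN_TTL_SECONDS}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Run on every authenticated request: check the signature first, then expiry."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise PermissionError("unexpected alg")  # never let the token choose the algorithm
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64url_decode(payload))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise PermissionError("malformed token") from exc
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorize_upload(token: str, uploads_this_month: int, now=None) -> str:
    """Return the role granted for an upload request, or raise PermissionError."""
    claims = verify_token(token, now)
    if claims.get("email") in ADMIN_ALLOWLIST:
        return "admin"
    if claims.get("plan") == "paid":
        return "paid"
    if uploads_this_month >= FREE_PLAN_UPLOADS_PER_MONTH:
        raise PermissionError("free plan upload quota reached")
    return "free"
```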
Infrastructure & EU Data Residency
- Deployed on Vercel's global edge network with EU-region routing preferred.
- Firebase project configured in the EUR3 (europe-west) region — data stays in the EU.
- No third-party analytics SDKs with access to your sales data.
GDPR Compliance
- VATHack processes data as a data processor under GDPR Article 28.
- You can request deletion of your account and associated metadata at any time.
- No data is used for model training or shared with third parties for marketing.
Roadmap
- SOC 2 Type II audit — planned for H2 2026 as client base scales.
- Penetration testing by an independent third party — scheduled Q3 2026.
- DPA (Data Processing Agreement) available on request for enterprise clients today.
Need a Data Processing Agreement?
Enterprise clients and agencies can request a signed DPA for GDPR compliance documentation.
Contact security@vathack.com