Trust Center

Traceable controls, clear responsibilities and evidence-based statements.

Dynafis provides the controlled layer between the original document, structured invoice data, versioned rules, AI suggestions, human decisions and exports.

ISO 27001 readiness in preparation Security organisation, risk management and the technical baseline are being aligned with recognised information-security controls. Dynafis currently claims neither ISO 27001 certification nor formal conformity.

Dynafis supports technical validation, data quality and documented decisions. It does not replace tax or legal advice.

Content reviewed: 5 juillet 2026

01

Responsibility & contact

Operator

R. Redivo, dynafis / General Informatics. Full provider details are available in the imprint.

Security contact

Confidential reports to support@dynafis.com with the subject “Security”. Do not include customer data or publicly exploitable proof-of-concept material.

support@dynafis.com

Privacy contact

Privacy requests to support@dynafis.com with the subject “Privacy”. Further details are available in the privacy notice.

support@dynafis.com

Support

Technical, billing and product questions through the support form or support@dynafis.com.

support@dynafis.com

02

Data processing

Data location

The hosting and storage regions applicable to a customer account are disclosed during contracting and data-processing onboarding. Dynafis does not publish a blanket region claim without operational evidence.

Storage components

PostgreSQL for application data, S3-compatible object storage for documents, and Redis/RQ for bounded processing and queues.

Transmission

Public connections are protected with TLS. Webhook signatures and time windows are verified in the integration flows designed for them.

Data at rest

Encryption and key management are documented as operational evidence for each active hosting and storage deployment. Encryption is not advertised where it is not evidenced.

Tenant separation

Workspace and tenant context are evaluated server-side. Roles, object access and API actions are checked in the backend, not only in the interface.

Deletion & retention

Anonymous free-check artefacts are scheduled for deletion after 24 hours by default. Unlocked reports and workspace data follow separate configured retention rules.

Backup & recovery

Backups, recovery tests and objectives are maintained as internal operational evidence. Recovery commitments are derived only from documented tests.

Export & portability

Reviewed invoice data and approved artefacts can be exported through the supported formats and API flows available for the account.

03

AI transparency

Provider & model

External AI services are optional. The active provider, model, purpose and data flow must be documented in the technical supplier register.

Data sent

Only content required for the specific extraction or assistance step is sent. Full documents are used only in flows that technically require and permit them.

No Dynafis model training

Dynafis does not use customer documents or invoice content to train its own models. Provider training must be disabled contractually and technically before production customer data is sent.

Logging & retention

Prompts and sensitive document content should not appear in application logs. Storage of AI responses is disabled by default and requires a justified, documented use case.

Labelling & decision

AI outputs are handled as suggestions with provenance and confidence. Human acceptance, modification or rejection remains separately traceable.

Rule-based controls

Format detection, schema and rule checks, total reconciliation, access controls and export guardrails operate independently of generative AI.

04

Suppliers & subprocessors

Content reviewed: 5 juillet 2026

Provider / categoryPurposeData categoryRegionUse
Contractually named hosting/storage providerApplication operation and object storageApplication data and documentsRegion stated in the DPADisclosed for the respective customer account
Configured AI providerOptional extraction and assistanceRequired content excerpts; depends on the enabled flowAccording to provider and contract configurationOnly when the AI function is enabled and approved
MollieOptional payment processingBilling and transaction dataEU/EEAOnly when Mollie payments are enabled
PayPalOptional payment processingBilling and transaction dataAccording to PayPal contract documentationOnly when PayPal payments are enabled
Brevo or configured SMTP providerTransactional and support emailEmail address and required message contentAccording to provider and contract configurationOnly when email delivery is enabled

05

Security organisation

  • Security events are classified, assigned to an incident owner, contained, documented and reviewed.
  • Confidential security reports are accepted through the stated contact. Customer data must not be included in public reports or proofs of concept.
  • Changes go through review, testing and traceable release. Emergency changes are documented and reviewed afterwards.
  • Dependencies, containers and known vulnerabilities are reviewed regularly; open findings receive owners and due dates.
  • Operational status and security-relevant changes are communicated without internal secrets or attack-enabling detail.