Security overview · Last reviewed 14 Apr 2026

Built for client-sensitive workflows — and the partners who audit them.

Portiva processes tax and immigration data for advisory firms in the EU. This page is written for the people who will actually validate us: Datenschutzbeauftragte, IT leads, and partners with a fiduciary duty. No marketing claims we can't defend.

Hosted in: EU (Frankfurt primary)
Data in transit: TLS 1.3
Data at rest: AES-256
Roles: Controller → Processor
Trust at a glance

Six commitments, stated plainly.

Each one links to the section below where we explain exactly what it means in practice — and where the limits are.

EU-only data residency

All client and case data is stored and processed in EU regions. No replication outside the EU, no US sub-processor for personally-identifiable client content.

● Live
Encryption everywhere

TLS 1.3 in transit. AES-256 at rest on managed disks and backups. Per-firm encryption keys rotated quarterly, managed through our cloud KMS.

● Live
Firm-level isolation

Each firm gets its own logical workspace with isolated data, audit log, and role permissions. Cross-firm queries are blocked at the database layer, not just the UI.

● Live
Role-based access

Partner, advisor, reviewer, client — four roles, least-privilege by default. Every access event is logged per-firm with actor, action, and resource.

● Live
Pseudonymisation for AI

Before case content reaches the model provider, names, IDs and addresses are replaced with stable tokens. The firm workspace sees the real values; the model does not.

● Live
Configurable retention

Each firm sets its own retention window for intake transcripts, generated briefs, and document uploads — down to zero for transcripts if required by Berufsordnung.

● Live
Data flow

Where the client's data lives, step by step.

At each node the relevant detail is the auth, the encryption boundary, and where the data is persisted.

Inbound tax inquiry — from first message to consultant brief (4 nodes · 3 boundaries):

Client (inquiry source) → [TLS 1.3] → Portiva intake → AI orchestration (pseudonymisation layer) → Firm workspace (structured case)
GDPR · Art. 4, 6, 28

Lawful basis, roles, and the rights your clients keep.

GDPR compliance isn't a logo — it's a clear answer to three questions. Here are ours.

01 · Lawful basis

Performance of a contract, plus consent where required.

Processing the client's inquiry rests on the firm's contractual relationship with the client (Art. 6(1)(b)). Special categories of data (health, tax-residency history, biometric for KYC) require explicit consent, captured at intake.

Primary: Art. 6(1)(b) — contract
Fallback: Art. 6(1)(a) — consent
Special categories: Art. 9(2)(a) — explicit consent
02 · Who is who

Your firm is the controller. Portiva is the processor.

The advisory firm decides the purposes and means of processing. Portiva only processes data on documented instructions — the DPA / AV-Vertrag. We don't use client data to train models, benchmark between firms, or market back to your clients.

Controller: Advisory firm
Processor: Portiva GmbH
Contract: DPA / AV-Vertrag (Art. 28)
03 · Subject rights

Access, rectification, erasure — all routed through your firm.

The client addresses data-subject requests to the firm. Portiva provides tooling: per-client export (Art. 15), in-place edit (Art. 16), and hard-delete-on-request (Art. 17) with a signed completion receipt. Standard turnaround: 5 business days.

Access: Self-service export
Erasure: ≤ 5 business days
Receipt: Signed, timestamped
Hosting & processing

EU-only. Frankfurt primary. No US transfers for client content.

The short version for IT: regions, network, crypto, and backup policy on one screen.

Data location: Frankfurt (primary) · Dublin (secondary, DR) · Milan (edge)
Cloud: Hetzner (Nuremberg · Falkenstein) + AWS eu-central-1 · EU-owned where possible
Primary: Frankfurt (eu-central-1) · application, Postgres 15, object storage
DR: Dublin (eu-west-1) · encrypted snapshots, async, RPO 15 min
Crypto: TLS 1.3 · AES-256-GCM at rest · AWS KMS, HSM-backed
Backups: Nightly full, PITR for 7 days · encrypted, EU-only
Logs: 30-day application, 1-year audit · immutable
Transfers: No US transfer of client content (verified)
Access control

Firm-level isolation, four roles, least-privilege by default.

Cross-firm boundaries are enforced at the database layer — not just the UI. Every request carries a firm-scoped token that the data layer validates before it runs.

How isolation actually works

Every row in Portiva is tagged with a firm_id. Postgres row-level security (RLS) is enabled per-tenant, so a query with the wrong firm scope returns zero rows — not a filtered subset. Even a compromised internal service can't leak across firms.

  • Separate logical workspace per firm, shared infra
  • Per-firm encryption keys (tenant-specific KMS aliases)
  • Per-firm audit log, exportable
  • Dedicated-tenant hosting available on request for Enterprise
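The isolation mechanism described above, as an added illustration that is not Portiva's own schema: a constructed `cases` table with an assumed `firm_id` column, an assumed application role `app_rw`, and an assumed session setting `app.firm_id` that the data layer sets from the validated firm-scoped token. It shows why a wrong or missing scope yields zero rows rather than a filtered subset, and why writes are checked too.

```sql
-- Constructed schema for illustration; table, role and setting names are assumptions.
CREATE TABLE cases (
    id      bigserial PRIMARY KEY,
    firm_id uuid      NOT NULL,
    title   text      NOT NULL
);
INSERT INTO cases (firm_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Firm A: relocation to DE'),
    ('22222222-2222-2222-2222-222222222222', 'Firm B: VAT registration');

-- Least-privilege application role: DML only, owns nothing, no BYPASSRLS.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON cases TO app_rw;
GRANT app_rw TO CURRENT_USER;   -- lets this script SET ROLE (superusers may skip)

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so a
-- service that happens to run as the owner cannot silently bypass the policy.
ALTER TABLE cases ENABLE ROW LEVEL SECURITY;
ALTER TABLE cases FORCE ROW LEVEL SECURITY;

-- NULLIF covers the edge case: an unset setting yields NULL and a reset one
-- yields '', and either must mean "no firm" (zero rows), never a cast error
-- and never a match on every row.
CREATE POLICY firm_scope ON cases
    USING      (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid)
    WITH CHECK (firm_id = NULLIF(current_setting('app.firm_id', true), '')::uuid);

-- Request path: one transaction, scope taken from the token, then the query.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';
SELECT id, title FROM cases;          -- visible rows are Firm A's only
COMMIT;

-- Missing scope: the policy evaluates to NULL for every row, so nothing is visible.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT count(*) FROM cases;           -- no app.firm_id set in this transaction
COMMIT;

-- Writes are scoped too: a row tagged with another firm fails WITH CHECK.
BEGIN;
SET LOCAL ROLE app_rw;
SET LOCAL app.firm_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO cases (firm_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-firm write');  -- rejected by policy
ROLLBACK;
```

Setting the scope with `SET LOCAL` ties it to the transaction, so a pooled connection cannot carry one firm's scope into the next request.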
Role permission matrix

Defaults · override per firm

Roles: Partner · Advisor · Reviewer · Client

Capabilities:
  • View case list
  • View own case
  • Edit brief · comment
  • Assign / reassign · own
  • Invite users
  • Export data · own cases · own
  • Delete on request
  • View audit log
Data lifecycle & retention

How long we keep things — and how the firm controls it.

Defaults are listed below. Each firm can tighten them per data class (transcripts, briefs, uploads) in workspace settings. We can't make them looser than the defaults.

Intake
T + 0

Message arrives. Pseudonymisation applied, raw transcript encrypted at rest, indexed per firm.

Live case
T + 0 to close

Transcript, structured facts and brief held in hot storage. Audit log captures every access.

Archive
On case close

Moved to cold storage. Transcript purged by default after 90 days. Brief retained per firm setting.

Purge
End of retention

Hard delete, cryptographic erasure of per-case key. Signed completion receipt to firm admin.

Transcript default: Purge 90 days after case close · can be set to 0
Brief default: Retain until firm deletes · max 10 years
Audit log: Retain 1 year · exportable anytime
Sub-processors

Every third party that touches data, listed in one table.

Firms get 30 days' notice of any sub-processor change, sent to the admin email on the account. This is the target sub-processor list; contracts are committed before pilot launch.

Vendor | Purpose | Data processed | Region | DPA
AWS EMEA | Primary hosting & storage | All case data (encrypted) | EU — Frankfurt | ◐ Committed by launch
Hetzner | Application compute (DE) | Application-layer only | EU — Falkenstein | ◐ Committed by launch
Mistral AI | Language model (EU) | Pseudonymised content only | EU — France | ◐ Committed by launch
Anthropic | Language model (fallback) | Pseudonymised content only | EU routing | ◐ In review
Resend | Transactional email | Email address + subject line | EU — Ireland | ◐ Committed by launch
Plausible | Product analytics | Aggregate usage, no PII | EU — Germany | ◐ Committed by launch
Sentry EU | Error monitoring | Stack traces, scrubbed | EU — Frankfurt | ◐ Committed by launch
Compliance posture

What's in place today, and what we're still working on.

Honesty matters more than badges at this stage. We tell you what's live, what's in progress, and what we haven't started. If a partner needs something from the right column before piloting, say so — we may be able to accelerate.

In place today — ● 7 controls
  • GDPR baseline: DPA / AV-Vertrag, DPIA template, sub-processor registry, 72-h breach notification commitment.
  • Encryption: TLS 1.3 in transit, AES-256 at rest, per-firm keys via KMS, quarterly rotation.
  • Access control: SSO (Google, Microsoft), SAML on Enterprise, mandatory MFA for admins, per-firm RLS.
  • Logging & audit: Per-firm audit trail, immutable, exportable; actor / action / resource / timestamp.
  • Secure SDLC: Code review on every change, automated dependency scanning, secrets never in repo.
  • Backup & DR: Nightly encrypted backups, PITR 7 days, DR region in Dublin, quarterly restore test.
  • Pseudonymisation: Pre-model tokenisation of PII, documented in the sub-processor DPA.

On the roadmap — ◐ 4 in progress
  • ISO 27001: Gap assessment complete · Stage-1 audit scheduled Q3 2026 with a German accredited body.
  • SOC 2 Type II: In observation window (started Feb 2026). Type I report expected mid-2026; Type II to follow.
  • External pen-test: First engagement scheduled May 2026 with Cure53. Summary shareable under NDA after remediation.
  • TISAX & C5: Evaluating both for 2027 depending on pilot firms' requirements — no commitment yet.
  • What we don't claim: No HIPAA, no FedRAMP, no on-prem deployment today. We'd rather say no than pretend.
Built for Steuerberater & Rechtsanwälte

Designed around the professional obligations German and Austrian advisors actually carry.

Verschwiegenheitspflicht

All staff under signed confidentiality covering §203 StGB. Access to firm data requires an explicit Verschwiegenheitserklärung on file.

AV-Vertrag (Art. 28 DSGVO)

German-language DPA template, aligned to BfDI guidance. Editable clauses for Unterauftragsverarbeiter and sub-processor approval workflows.

Berufsordnung compatibility

Reviewer separation, case locking, and no-training guarantees aligned to StBerG §57 and BORA §2. AI-assisted, advisor-signed workflow.

DATEV & Unternehmen Online

Read-only integration with DATEV case folders on the roadmap Q4 2026. Today: structured CSV / JSON export of any case in one click.

Incident response & contact

If something goes wrong, here's who we tell and when.

Our incident response policy is short and designed to keep the firm fully informed — not to buy us time.

Breach notification — what happens in the first 72 hours

  1. T + 1 h — On-call engineer paged. Incident channel opened. Scope containment begins.
  2. T + 6 h — Preliminary scope determined. Affected firms identified. Holding statement prepared.
  3. T + 24 h — Affected firm admins contacted by phone and email. Incident portal access provisioned.
  4. T + 72 h — Controller-facing notification delivered, meeting Art. 33 GDPR timeline. Regulator notification if thresholds met.
  5. T + 14 d — Post-mortem shared with affected firms. Remediation plan with dates and owners.

Security team

One inbox, monitored by the engineering team on-call. We answer every message within one business day, even if the answer is "we need more time to investigate."

General · bug reports · DPO requests
Coordinated disclosure
Mailing address (Impressum): Portiva GmbH, [Legal entity — TBD], Berlin, Germany
PGP fingerprint: 7F4A 9C2B D1E8 A3F0 (public key available for download)
Questions IT validators ask us

The six we hear most.

If yours isn't here, write to security@portiva.eu — we'll answer in plain language and add it to this page if it's a common one.

Do you train your AI models on our client data?
No. Client content is never used for training, fine-tuning, benchmarking, or anything outside delivering the current case. This is in the DPA as a contractual commitment, enforced at the provider layer via no-training flags with Mistral and Anthropic, and we can show you the config on the demo call.
Where exactly is client data stored, and does any of it leave the EU?
Primary storage is in Frankfurt (AWS eu-central-1). DR snapshots go to Dublin (eu-west-1). No personally-identifiable client content is transferred outside the EU — the only thing that reaches a model is pseudonymised text, and even that stays in EU-hosted endpoints for our primary provider (Mistral, FR). We document this in the sub-processor list above and in the DPA.
What's your breach-notification SLA?
Commitment: affected firm admins contacted within 24 hours of confirmed scope. Formal controller notification within 72 hours, matching GDPR Art. 33. Post-mortem shared within 14 days. See the timeline in the Incident response section.
Has Portiva been independently penetration-tested?
Not yet by an external firm — we're honest about this. Internal testing and automated scanning run continuously. Our first external engagement is scheduled for May 2026 with Cure53; we'll share the executive summary under NDA after remediation. If you need a tested vendor before piloting, tell us — we can slot your pilot after the test cycle.
What happens to our data if we stop using Portiva?
On termination: full export of all cases and audit logs within 14 days in JSON and PDF. Hard delete of all firm data within 30 days, including backups up to the PITR window. Cryptographic erasure of the firm's KMS key. A signed deletion receipt is emailed to both admins on file.
Can we get a self-hosted or dedicated-tenant deployment?
Self-hosted: not today. Dedicated-tenant hosting (isolated database, isolated compute, per-tenant KMS hierarchy) is available on Enterprise pilots. Pricing reflects the operational overhead; happy to walk you through the tradeoffs on a call.
For your DPO · For your partners · For your IT

Review Portiva with the people who will need to sign off.

Download the one-page security overview, forward it to your Datenschutzbeauftragte, and bring their questions to a 30-minute security-only call. No intake demo — just their questions, our answers.