
Security

Descodify handles sensitive financial data - invoices, tax numbers, expense records, and tax authority credentials. We take the responsibility seriously. This page explains what we do to protect your data.

Data hosting and jurisdiction

Where your data sits and who can legally compel it are two different questions. Many “EU-hosted” services run on infrastructure operated by US-parented companies, which remain subject to US extraterritorial laws like the CLOUD Act and FISA Section 702 — regardless of which data centre the bits physically live in. We pick subprocessors under EU jurisdiction wherever a credible EU option exists.

  • Hosting: Hetzner Online GmbH (Germany) — German company, German data centres
  • Transactional email: AhaSend B.V. (Netherlands) — Dutch company, EU servers
  • Document OCR: Mistral AI (France) — French company, EU inference
  • Payment processing: Mollie B.V. (Netherlands) — Dutch company, EU-regulated payment institution
  • Analytics: Umami, self-hosted alongside the application

Where a US-parented provider is the realistic option (Anthropic for the optional chat assistant, via EU-region endpoints; Cloudflare for edge TLS and DDoS protection; Google for optional OAuth sign-in), traffic to that provider is always encrypted in transit with TLS, and we never store sensitive payloads with it in plain form. On the free tier, with the AI assistant off and magic-link or passkey sign-in instead of Google, none of your application data ever touches a US-parented company.

The full subprocessor table, with regions and transfer mechanisms, lives in our Privacy Policy.

Encryption

In transit

All connections to Descodify use TLS (HTTPS). Data moving between your browser and our servers is always encrypted. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.

At rest

Sensitive credentials are encrypted at rest with AES-256-GCM, an authenticated-encryption mode that rejects any tampering with the stored ciphertext rather than silently decrypting it. This applies to your Portal das Finanças credentials if you choose to connect your tax portal. They are never handled in plain text except at the moment of use, and they are never logged.

Authentication

  • Passwordless by design: Descodify has no passwords to store, leak, or phish. You sign in with a magic link sent to your email, a passkey (WebAuthn) bound to your device, or Google OAuth
  • Magic links: Single-use and short-lived - they expire 10 minutes after they are sent
  • Passkeys: WebAuthn credentials where the private key never leaves your device - we only ever hold the public key
  • Google sign-in: Available as an alternative, using standard OAuth 2.0
  • Encrypted sessions: Session tokens are encrypted (JWE) and stored as httpOnly cookies that cannot be read by JavaScript running in your browser
  • CSRF protection: All state-changing requests are protected against cross-site request forgery
  • Cookie security: Cookies are marked Secure (sent over HTTPS only) and SameSite=Lax, so browsers do not attach them to cross-site subrequests or cross-site POSTs. Lax still sends cookies on top-level cross-site GET navigations, which is why state-changing requests rely on the CSRF protection above rather than on the cookie attribute alone.

Access control

Descodify uses organization-based access control. Your data is isolated to your organization and only accessible by members you explicitly invite.

  • Every API request is verified against your session and organization membership
  • There is no cross-organization data access - users can only see data in organizations they belong to
  • If you work with an accountant, invite them through Descodify instead of sharing credentials. Each person logs in with their own account.

No credential sharing

A common practice in Portugal is to give your accountant your Portal das Finanças login and keep two-factor authentication disabled so they can access your account. Descodify replaces this with proper access management:

  • Each user has their own Descodify account
  • Accountants are invited to the organization with appropriate permissions
  • You keep control of your tax portal credentials and can enable two-factor authentication

Tax authority integration

Descodify connects to the Portal das Finanças using a dedicated subuser - a separate login created specifically for Descodify, distinct from your main portal credentials.

  • Your main credentials are never stored. If you use automatic setup, your main login is used once, in memory, to create the subuser and is then discarded; it is never written to the database or to disk
  • Subuser credentials are encrypted with AES-256-GCM before storage
  • The subuser has its own audit trail on the AT (Autoridade Tributária) portal - you can see exactly which actions were performed by Descodify versus your own login
  • Every interaction with the tax portal is also logged in Descodify's audit trail - action type, success or failure, and timestamp
  • Portal sessions are short-lived and cached in memory only (not persisted to disk)
  • You can disconnect your portal at any time, which immediately deletes the stored subuser credentials. You can also revoke the subuser directly on the AT portal.

AI assistant security

The AI assistant is powered by Anthropic's Claude and is entirely optional. When enabled:

  • Only the messages you type are sent to Anthropic - we do not automatically include your financial data, invoices, or customer records
  • Anthropic does not use API data to train their models
  • Conversations are rate-limited to prevent abuse
  • You can disable the AI assistant in Settings - when disabled, no data is sent to Anthropic

What we do not do

  • We do not use third-party analytics or tracking pixels; the only analytics is the self-hosted Umami instance listed above, which runs on our own infrastructure
  • We do not set marketing or advertising cookies
  • We do not sell or share your data with third parties
  • We do not use device fingerprinting
  • We do not store your data in regions outside the EU. The only application data sent to a US-parented provider is what you type into the optional AI assistant, which goes to Anthropic's EU-region endpoints

Dependency management

We regularly review and update third-party dependencies to patch known vulnerabilities. Security updates are prioritized and applied promptly.

Responsible disclosure

If you discover a security vulnerability in Descodify, please report it to us privately. We take all reports seriously and will work to address confirmed vulnerabilities promptly.

  • Email: [email protected]
  • Please include a description of the vulnerability, steps to reproduce, and your contact information
  • We ask that you do not publicly disclose the vulnerability until we've had a reasonable opportunity to address it
  • We will not take legal action against security researchers who act in good faith and follow responsible disclosure practices

Questions

For security questions or concerns, email us at [email protected]. For privacy-related questions, see our Privacy Policy.