# Security

Data security and the protection of the IT infrastructure are among the key pillars of the **eAuditor Cloud** system. The Administrator exercises the utmost diligence to ensure compliance with the requirements of the **GDPR**, industry best practices, and information security standards.\
User data is protected through encryption in transit, access control, and continuous security monitoring.

The Administrator guarantees Service availability at the level of **99.90% on an annual basis**.

## **Data location and protection**

* All **eAuditor Cloud** servers are located in **Poland**, in data centers that meet the requirements of the **GDPR** and national personal data protection regulations.
* Infrastructure location:
  * **OVHcloud data center in Ożarów Mazowiecki (Kazimierza Kamińskiego 6, 05-850 Ożarów Mazowiecki, Poland) -** a facility managed by [**OVHcloud sp. z o.o.**](https://www.ovhcloud.com/pl/), which holds, among others, the **ISO 27001, ISO 27017, ISO 27018 and ISO 27701** certifications and meets the **SOC 1/2/3** standards (as of 13.11.2025). \
    More information: [OVHcloud compliance and certifications](https://www.ovhcloud.com/pl/compliance/)
* Each Client has **its own individual database**, which is not shared with other services or clients.
* Data is not transferred outside the **European Economic Area (EEA)**.
* To ensure the highest level of security, the Service is regularly subjected to **penetration tests** and **security audits** conducted by independent, specialized entities.

{% hint style="warning" %}
Data is not transferred outside the European Economic Area (EEA). **The exception applies only to data related to payment processing**, which is processed by the Stripe operator on servers located also outside the EEA (including in the United States). This includes only the information required to execute payments, such as purchaser data, billing data, subscription information, and transaction details.

**This does not apply to any data collected by the eAuditor cloud system**, such as inventory, activity monitoring, security policies, disk encryption, DLP data, or any technical information from the Client's computers – these remain solely on servers in Poland.

More information about payment processing security is available in the section [**Payment security and billing operator**](#bezpieczenstwo-platnosci-i-operatora-rozliczen).
{% endhint %}

### Backups and data recovery

The scope and availability of backups depend on the selected subscription plan:

* **FREE plan** – backups are not available.
* **INV100** and **ACT200** plans – the system performs **1 backup**, stored in the same location where the eAuditor cloud infrastructure operates, namely the **OVHcloud data center in Ożarów Mazowiecki**.
* **DLP300 plan** – **2 backups** are available:
  * one stored in **Ożarów Mazowiecki**,
  * the other in **a separate location within the European Union**, meeting the security and compliance standards described above.

Backups are used exclusively for data restoration in the event of a system failure or loss of availability.

## **Encryption and data transmission**

* The data transmission process is secured using **SSL/TLS**, which guarantees the confidentiality and integrity of communication between the user and the Service.
* Communication between system components (**eAgent** and **eServer**) takes place over **TLS 1.3**.
* Both **eAgent** and **eServer** have their own **SSL certificates with a 4096-bit key length**, which ensures a very high level of data transmission security.
* Encryption covers real-time data transmission as well as communication during authentication and the exchange of system information.

## **Data storage and deletion**

* Data sent to **the eAuditor cloud Service** is stored on the **Client Account** and may be deleted by the Client at any time.
* After the Service is terminated, the Client Account is blocked for a period of 14 days, after which the data is **permanently deleted (on the 15th day after the Account is closed)**, subject to the obligations arising from applicable law.
* After permanent deletion of data, its **recovery is technically impossible**.
* The Administrator processes Client data after the Account is closed **only to the extent and for the period necessary to fulfill legal obligations**, in particular those arising from accounting and tax regulations.

## **Authentication and access**

* Logging in to the **eAuditor Cloud** console takes place using **multi-factor authentication (MFA)**.
* The system is integrated with applications such as **Google Authenticator** and **Microsoft Authenticator**.
* The account administrator can enforce MFA for all organization users.
* The system works with **Microsoft Entra ID**, enabling centralized identity and access management.
* Access to system functions and data can be managed based on **roles (RBAC)**.

## **Service updates**

* New **eAuditor Cloud** software versions and updates (patches) are made available to users automatically.
* Updates include security fixes, performance improvements, and new features.

## **Payment security and billing operator**

* As part of the billing model, we use **Stripe** as the payment operator, which also has a bearing on the security of the eAuditor cloud system.
* Stripe is a certified [**PCI DSS 4.0 Service Provider Level 1**](https://docs.stripe.com/security), which means the highest level of security in processing payment card data.
* Stripe holds **SOC 1 and SOC 2 Type II** compliance reports, and all API connections and the dashboard operate exclusively over a secure HTTPS/TLS channel. [More.](https://docs.stripe.com/security/guide)
* As a result, your payment data and subscription information are processed by an operator that meets stringent industry standards.

## **User responsibilities regarding security**

To maintain the security of Service usage, the following rules apply to all persons with access to the Client account, both **Users** and **Account Administrators** (in accordance with the definitions in the Service Terms of Service):

* Use the current version of the recommended web browsers: **Chrome, Edge, Firefox** or **Safari**.
* Regularly update the browser to the latest release version.
* Keep in mind that using browsers other than the recommended ones may cause the Service to malfunction.
* Protect access credentials and do not disclose them to unauthorized persons.
* Use the Service in accordance with applicable law and the rules set forth in the Service Terms of Service.

**Additional Account Administrator obligations:**

* Manage user access and control the permissions granted.
* Oversee the configuration of the Client Account.
* Respond to suspected unauthorized access or security breaches.

More information can be found in [**the eAuditor Cloud Service Terms of Service**](https://app.eauditor.eu/register).

