Security

How we protect your business data

Infrastructure

  • Production infrastructure is hosted on Hetzner in Germany/EU.
  • Public pages, app traffic, and session cookies are served over HTTPS.
  • Operational access is limited to authorized maintainers.

Transport and storage

  • Browser traffic uses HTTPS/TLS.
  • Passwords are stored using industry-standard hashing (bcrypt).
  • Uploaded files and generated documents use the configured Rails storage layer; customer-facing exports are available in standard formats.

Credential custody

  • Isafi does not publicly claim production-ready multi-tenant custody for Brazilian A1 certificates.
  • Automatic Integra Contador and certificate-based fiscal automation remain on the roadmap until credential custody discovery is complete.
  • Never email certificates or passwords to support.

Backup and recovery

  • Database snapshots are taken periodically for operational recovery, stored in a volume separate from the production database.
  • No public RPO/RTO commitment, nor geographic replication, is promised on this page.
  • Customers should export and retain their own statutory records when required.

Access Controls

  • Secure authentication via industry-standard libraries (Devise)
  • Role-based access control (owner, admin, member, accountant)
  • Session management with automatic timeouts
  • Multi-tenant data isolation ensures clients cannot access each other's data

Audit & Transparency

  • Accountant actions logged with timestamps
  • Clients can see when their accountant accessed data
  • Activity history available in account settings

LGPD and data subject process

  • LGPD requests can be sent to privacy@isafi.com.br.
  • Security concerns can be sent to security@isafi.com.br.
  • Requests are reviewed case by case, including access, correction, export, and deletion where legally applicable.

Your Data

  • You own your data
  • Export available in standard formats (CSV, PDF)
  • Account deletion available upon request

Frequently Asked Questions

Where is my data stored?

Production infrastructure is hosted on Hetzner in Germany/EU. We avoid broader claims beyond the provider and region we operate on.

Is my data encrypted?

Traffic between your browser and Isafi uses HTTPS/TLS. Passwords are stored with bcrypt hashing. We do not use this page to claim every data class has the same at-rest treatment.

How are backups handled?

Database snapshots are taken periodically and stored in a volume separate from the production database. We do not promise geographic replication or a public RPO/RTO on this page. Customers who need formal guarantees should export and retain their own copies.

Who can access my data?

Access to your data is controlled through role-based permissions (owner, admin, member, accountant). You control who has access to your organization. Only authorized personnel with a legitimate business need can access customer data for support purposes.

Are accountant actions logged?

Yes. When an accountant accesses your data, their actions are logged with timestamps. You can view when your accountant accessed your account in your settings.

How do you protect my account?

We use secure password hashing (bcrypt), session management with automatic timeouts, and role-based access controls. Accountant access is logged and auditable. We continuously evaluate additional security features.

How long is my data retained?

Your data is retained for as long as your account is active. If you close your account, you can request deletion of your data. Some data may be retained as required by law or for legitimate business purposes.

What happens if there's a security incident?

We have incident response procedures in place. In the event of a security incident affecting your data, we will notify you as required by applicable law and provide information about the incident and steps being taken.

Can I export my data?

Yes. You can export your data in standard formats (CSV, PDF) at any time. You own your data and can take it with you if you decide to leave.

Do you support two-factor authentication (2FA)?

Two-factor authentication via authenticator apps is on our roadmap and coming soon. We will announce when 2FA is available.

Do you custody A1 certificates?

We do not publicly claim production-ready multi-tenant A1 certificate custody today. Certificate custody and Integra Contador automation remain gated by a separate discovery.

Does Isafi support FTC Safeguards Rule compliance?

We understand that accountants and financial service providers must comply with the FTC Safeguards Rule. While compliance is the responsibility of each covered entity, Isafi provides features that support your compliance: encrypted data storage and transmission, access controls and audit logging, role-based user permissions, and data export and deletion capabilities. You should evaluate how Isafi fits into your overall information security program.

How do I report a security concern?

If you discover a potential security issue, please report it to security@isafi.com.br. We take all reports seriously and will investigate promptly.

Questions?

If you have additional questions about our security practices, please contact us:

Email: security@isafi.com.br
General Support: isafi.com.br/contact