Encryption Everywhere
All data in transit is encrypted with TLS 1.3. All data at rest is encrypted with AES-256. Passwords are hashed with Argon2id, the algorithm OWASP recommends for password storage. API traffic enforces HTTPS, with HSTS preload enabled across all subdomains.
Sensitive PII fields (tax IDs, bank accounts) receive an additional layer of application-level encryption using a master key stored outside the database.
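The application-level layer described above, shown as an added example (not Levka's own code): each PII column is sealed with AES-256-GCM under a per-field key derived from a master key that the deployment supplies outside the database. The environment variable name LEVKA_PII_MASTER_KEY, the record and field identifiers, and the sample tax ID are all constructed for this illustration. The record ID and column name are bound as associated data, so a ciphertext copied into another row or column fails to authenticate instead of decrypting to the wrong value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

const storedPrefix = "v1:" // version tag so the scheme can be rotated later

// loadMasterKey reads the 32-byte master key from an environment variable
// (LEVKA_PII_MASTER_KEY is a hypothetical name for this example) supplied by
// the deployment, never from a database table. A dump of the database alone
// therefore exposes only ciphertext.
func loadMasterKey() ([]byte, error) {
	raw := os.Getenv("LEVKA_PII_MASTER_KEY")
	if raw == "" {
		return nil, errors.New("LEVKA_PII_MASTER_KEY is not set")
	}
	key, err := hex.DecodeString(raw)
	if err != nil || len(key) != 32 {
		return nil, errors.New("master key must be 64 hex characters (32 bytes)")
	}
	return key, nil
}

// fieldKey derives a distinct AES-256 key per column from the master key with
// HMAC-SHA256, so the master key is never used directly as a cipher key.
func fieldKey(master []byte, field string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("pii-field-key/" + field))
	return mac.Sum(nil) // 32 bytes
}

// EncryptField seals one PII value with AES-256-GCM, using a fresh random
// nonce and binding the record ID and field name as associated data.
func EncryptField(master []byte, recordID, field, plaintext string) (string, error) {
	if len(master) != 32 {
		return "", errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(fieldKey(master, field))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // 96-bit nonce per value
		return "", err
	}
	aad := []byte(recordID + "/" + field)
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad) // nonce || ciphertext || tag
	return storedPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; tampering, a wrong key, or a mismatched
// record/field context yields an error rather than garbage plaintext.
func DecryptField(master []byte, recordID, field, stored string) (string, error) {
	if len(stored) < len(storedPrefix) || stored[:len(storedPrefix)] != storedPrefix {
		return "", errors.New("unknown ciphertext format")
	}
	sealed, err := base64.StdEncoding.DecodeString(stored[len(storedPrefix):])
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(fieldKey(master, field))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID+"/"+field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	master, err := loadMasterKey()
	if err != nil {
		fmt.Println("warning:", err, "- using a throwaway random key for this demo")
		master = make([]byte, 32)
		rand.Read(master)
	}
	// Constructed sample value; a real tax ID would come from the application.
	stored, _ := EncryptField(master, "customer-42", "tax_id", "SAMPLE-TAX-ID-0001")
	fmt.Println("stored in DB:", stored)
	pt, _ := DecryptField(master, "customer-42", "tax_id", stored)
	fmt.Println("decrypted:", pt)
	_, err = DecryptField(master, "customer-43", "tax_id", stored)
	fmt.Println("same ciphertext moved to another row:", err)
}
```

Keeping the master key in the deployment environment (or a secrets manager) rather than the database is what makes this a second layer on top of disk encryption: a stolen backup or SQL dump is useless without the key held elsewhere, and the version prefix leaves room to rotate the key or derivation scheme without breaking existing rows.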
Your Data Stays in Europe
All customer data is stored exclusively within the European Union. Our infrastructure runs on Hetzner Cloud data centers in Helsinki, Finland — an EU jurisdiction under strict data protection law.
Hetzner maintains ISO 27001 certification for its data center operations. No data is transferred outside the European Economic Area (EEA). Database backups are stored in the same EU region with encryption at rest.
Privacy & GDPR
Levka is fully committed to GDPR compliance as a data processor. We support all data subject rights:
Right of access: export your complete data at any time.
Right to erasure: request full account deletion.
Right to portability: download your data in standard formats.
Right to rectification: update your information freely.
A Data Processing Agreement (DPA) is available upon request. We maintain a sub-processor list and notify customers of any changes. Fiscal data is retained per local regulatory requirements; all other data is deleted upon account closure.
Contact: privacy@levka.eu
Access & Authentication
Multi-factor authentication (MFA) via TOTP is available for all accounts. Role-based access control (RBAC) provides four levels: Owner, Admin, Member, and Viewer. Sessions expire automatically after inactivity. All authentication events are logged to an immutable audit trail.
The admin panel requires superadmin privileges and is served on a separate subdomain with additional access controls.
Compliant Across 9 Countries
Levka is purpose-built for fiscal compliance across the Balkans and Eastern Europe. Each country module integrates with local tax authority systems and follows jurisdiction-specific rules:
Secure Development
Our development practices follow industry standards: code reviews on all changes, automated dependency scanning, OWASP secure coding guidelines, strict separation between production and development environments, and the principle of least privilege for all system access.
Infrastructure is managed as code with version-controlled configurations. Deployments are automated and reproducible.
Availability & Backups
Database backups run automatically every day and are retained for 14 days. Infrastructure is monitored 24/7 with automated alerting. A public status page at status.levka.eu shows real-time uptime data and incident history.
We target 99.9% uptime. In case of an incident, updates are posted to the status page within 30 minutes of detection.
Incident Response
In compliance with GDPR Article 33, we commit to notifying the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. Affected users are notified without undue delay when the breach is likely to result in a high risk to their rights.
All incidents are followed by a post-incident review to identify root causes and implement preventive measures.
Security Roadmap
Report a Vulnerability
We take security seriously. If you discover a vulnerability, please report it responsibly.