Your fiscal data deserves the best defense
We built the Latitude App platform with security in mind from the start: in how you sign in, how we keep your data, and how we send it on to the authorities.
Recognized certifications
Compliance proven, not just claimed
We operate under independently audited international standards that confirm our security and quality management processes.
ISO 27001
Information security management. Audited annually by an independent body.
ISO 9001
Quality management of processes.
GDPR
Compliant with Regulation (EU) 2016/679.
Peppol AP & SMP
Accredited Access Point and SMP for cross-border B2B/B2G exchanges.
Authentication
You decide who gets in, how, and what they can do
We reduce the risk of unauthorized access through modern authentication methods and granular permission control.
Single Sign-On (SSO)
Sign in with your corporate identity provider — Microsoft Entra ID, Okta, or any OIDC provider (others added on request). You can require SSO and restrict sign-in to a single provider per company or domain.
Multi-Factor Authentication
MFA available for all users: authenticator apps (TOTP) and passkeys (WebAuthn / FIDO2). A strong second factor beyond the password, and beyond SMS.
Strong password policy
Minimum length, enforced complexity, reuse prevention, and temporary lockout after repeated failed sign-in attempts. Passwords are hashed, never stored in plain text.
Role-based access (RBAC)
Granular permissions per module, per workspace, per action. The "least privilege" principle applied by default.
Offensive testing
We attack the platform before anyone else does
Security isn't something you solve once; it needs constant attention. That's why we test the platform regularly and fix what we find quickly.
Periodic penetration testing
Performed at least once a year by an independent specialist firm, covering the application and the infrastructure. Findings are remediated and re-tested; the summary is available under NDA.
Fast patch management
We continuously monitor published CVEs for all frameworks and libraries we use. Critical updates are applied under a strict internal SLA.
Responsible disclosure
A dedicated channel for security researchers: security@latitude-app.com. We investigate every report we receive.
Data protection
Your data, protected at every step
From the moment it leaves your browser until it reaches the tax authorities, your data is protected through modern encryption and secure infrastructure.
Encryption in transit
TLS 1.2+ enforced for all connections. Certificates managed automatically, with no outdated protocols.
Encryption at rest
Sensitive data is encrypted at the storage layer with industry-standard algorithms (AES-256).
Backup and disaster recovery
Automated backups, periodically tested, with clear RPO and RTO objectives. Operational continuity assured.
EU hosting
Infrastructure hosted exclusively in the European Union, in line with GDPR requirements on data transfer.
Tenant isolation
Each customer's data lives in its own isolated workspace, with strict scoping that prevents any cross-tenant access.
Infrastructure protection
DDoS protection and rate limiting on all public endpoints, on hardened cloud infrastructure with restricted network access.
Secure operations
Clear processes, prepared people
Technology alone is not enough. Security works when the people who build and operate the platform take it seriously.
Security training
Every team member follows periodic security and awareness training (phishing, social engineering, secure coding).
Logging and audit
Security-relevant actions are recorded in append-only audit logs (who, what, when, source IP), available for investigations and compliance.
Environment separation
Development, staging, and production are fully separated. Production data never leaves the production environment.
Incident response
A documented procedure for identifying, escalating, communicating, and remediating incidents. Affected customers are notified without undue delay, in line with GDPR.
GDPR and privacy
You remain the owner of your data
We process your data strictly for the purposes set out in your contract. We do not sell data, do not use it for profiling, and do not share it without a legal basis.
- A Data Processing Agreement (DPA) in place with every client, accepted as part of our terms.
- The right to access, rectify, and erase your data, guaranteed through clear processes.
- Sub-processors listed transparently, each audited and contracted under GDPR clauses.
- Data hosted in the EU, with no transfer outside the EU without legal mechanisms.
Documentation
Verify for yourself
For your security, IT, or procurement teams, we can provide on request, under NDA:
Pentest report
Summary of the latest penetration testing report.
ISO 27001 certificate
Valid certificate, issued by an accredited body.
Sub-processor list
All vendors that process data on our behalf.
Security questionnaire
Completed in custom or industry-standard formats (e.g. CAIQ).
DR plan
Business continuity and disaster recovery plan.
Architecture
The platform's security architecture diagram.