Security Policy for the FaktuPro Application
1. General Provisions
1.1. This Security Policy describes the technical and organizational measures applied by the Provider to ensure the security of data processed in the FaktuPro application (hereinafter: "Application").
1.2. This document is informational in nature and supplements the Terms of Service and the Privacy Policy.
1.3. The purpose of this Policy is to ensure:
- data confidentiality,
- data integrity,
- service availability.
2. Scope of Application
2.1. This Policy applies to all data processed in the Application, including:
- User data,
- business data (Vendors),
- client data,
- financial documents,
- technical and operational data.
3. Infrastructure and Hosting
3.1. Data processed within the Application is stored on servers located within the European Union.
3.2. The Provider uses cloud service provider infrastructure:
Hetzner (Hetzner Online GmbH, Germany/EU)
3.3. The Provider selects infrastructure providers that meet appropriate security and data protection standards.
4. Access Control
4.1. Access to systems processing data is restricted exclusively to authorized persons.
4.2. Authentication and permission management mechanisms are applied.
4.3. Access to data is granted in accordance with the principle of least privilege (need-to-know).
5. Encryption and Data Security
5.1. Data transmitted between the User's device and the server is protected using encryption (e.g., HTTPS/TLS protocol).
5.2. Sensitive data stored in systems may be secured using encryption or pseudonymization mechanisms.
5.3. The Provider applies technical measures aimed at protecting data against unauthorized access, loss, or damage.
6. Event Logging and Monitoring
6.1. The Provider may maintain an event log (logs) related to the operation of the Application.
6.2. Logs may include, among others:
- system operations,
- security-related events,
- application errors.
6.3. Logs are used exclusively for the purposes of:
- diagnostics,
- ensuring security,
- improving service quality.
7. Backups
7.1. The Provider may employ data backup mechanisms.
7.2. The scope and method of creating backups:
Automatic database and file backups are created; backups are stored on Hetzner infrastructure in the EU.
7.3. Backups are intended to increase system security but do not constitute a guarantee of data recovery in every case.
7.4. The User remains responsible for independently archiving their data, in accordance with the Terms of Service.
8. Artificial Intelligence (AI)
8.1. The Application may use external artificial intelligence services to process data entered by the User.
8.2. The Provider uses the services of:
OpenAI (OpenAI, Inc., USA)
8.3. Data sent to AI services is limited to the scope necessary for the functionality.
8.4. The Provider makes efforts to use providers that ensure an appropriate level of data security.
9. Integration with External Systems
9.1. The Application may integrate with external systems, in particular:
- KSeF,
- GUS,
- VAT White List,
- Apple App Store.
9.2. The Provider has no control over the security and availability of external systems.
9.3. Data transmitted to external systems is limited to the scope necessary for the Application's functionality.
10. KSeF Data Security
10.1. Data related to KSeF integration is processed using security mechanisms that ensure its confidentiality.
10.2. The Provider applies measures aimed at protecting User authentication data.
10.3. The User is responsible for protecting their own KSeF access credentials.
11. Application Security
11.1. The Provider takes actions to ensure the security of the Application, including:
- system updates,
- bug fixes,
- operation monitoring.
11.2. The Provider may periodically introduce changes to the Application to improve security.
12. Security Breaches
12.1. The Provider takes actions to detect and respond to security breaches.
12.2. In the event of security incidents, the Provider will take appropriate actions to:
- mitigate the impact,
- secure the system,
- restore operation.
13. Data Retention Period
13.1. Data is retained for the period necessary for providing the Service and fulfilling legal obligations.
13.2. Detailed data retention rules are defined in the Privacy Policy and the Terms of Service.
14. Organizational Measures
14.1. The Provider applies organizational measures to ensure data security, including:
- restricting access to data,
- adherence to security principles by authorized persons,
- regular review of procedures.
15. Changes to the Security Policy
15.1. The Provider may update this Policy.
15.2. The current version of this document is available in the Application or on the website.
16. Contact
For matters related to data security, you may contact the Provider:
17. Effective Date
This Policy is effective as of: March 25, 2026