Data Security & Privacy
How we protect your financial data with encryption, access controls, and GDPR-compliant infrastructure.
Our Security Philosophy
Financial data is among the most sensitive information a business holds. At Klaras AI, security is not an afterthought — it is the foundation of every system we build. We treat your invoices, bank statements, payroll records, and tax filings with the same level of protection that banks apply to their own internal data.
Our approach follows three core principles:
- Defence in depth — Multiple layers of protection so no single point of failure can compromise your data
- Least privilege — Every system and person has access only to the minimum data required for their role
- Transparency — You always know what data we hold, who accessed it, and why
Encryption
Data in Transit
All communication between your browser and Klaras AI servers is encrypted using TLS 1.3, the latest transport layer security protocol. This applies to every interaction — uploading documents, viewing reports, submitting filings, and API calls.
Data at Rest
All stored data is encrypted using AES-256 encryption, the same standard used by governments and financial institutions worldwide. This covers:
- Uploaded documents (invoices, receipts, contracts)
- Database records (transactions, account balances, employee data)
- Backups and archives
- Temporary processing files (automatically purged after processing)
Key Management
Encryption keys are managed through a dedicated key management service with automatic rotation. Keys are never stored alongside the data they protect, and access to key management is restricted to a minimal set of infrastructure engineers with multi-factor authentication.
Infrastructure & Hosting
Klaras AI runs on EU-based cloud infrastructure, ensuring your data remains within the European Economic Area (EEA). Our hosting environment includes:
- SOC 2 Type II certified data centres
- ISO 27001 certified infrastructure provider
- Redundant storage across multiple availability zones for disaster recovery
- Automated daily backups with 30-day retention
- 99.9% uptime SLA
Access Controls
We implement strict access control at every level:
| Level | Protection |
|---|---|
| User accounts | Email + password with enforced complexity, optional 2FA (TOTP or hardware key) |
| Team roles | Granular permissions — Owner, Accountant, Viewer, Auditor — each with different data access levels |
| Internal staff | Role-based access with mandatory MFA, just-in-time access provisioning, and full audit logging |
| AI systems | Isolated processing environments with no persistent access to raw data after task completion |
GDPR Compliance
As a company processing data of EU residents, Klaras AI is fully compliant with the General Data Protection Regulation (GDPR). Our compliance measures include:
- Lawful basis for processing — We process financial data under contractual necessity (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f))
- Data minimization — We collect only the data necessary to provide our services
- Right to access — You can request a full export of your data at any time
- Right to erasure — You can request deletion of your account and all associated data, subject to legal retention requirements
- Data Processing Agreement (DPA) — Available for all business clients upon request
- Data Protection Officer — Our DPO oversees compliance and can be reached at admin@klarasai.com
Polish Data Protection
In addition to GDPR, we comply with Polish data protection requirements overseen by UODO (Urząd Ochrony Danych Osobowych). Polish accounting regulations also impose specific data retention periods:
- 5 years — Tax-related documents must be retained for 5 years from the end of the calendar year in which the tax obligation arose
- 50 years — Payroll and employment records (10 years for employees hired after January 1, 2019)
- Permanent — Annual financial statements and certain corporate records
Klaras AI automatically manages these retention periods, ensuring documents are preserved for the required duration and flagged for secure deletion when no longer legally required.
AI-Specific Security
When your documents are processed by our AI models, additional safeguards are in place:
- No training on your data — Your financial documents are never used to train or fine-tune AI models. Processing is inference-only.
- Isolated processing — Each document is processed in a sandboxed environment that is destroyed after completion
- No data sharing — We do not share your data with any third-party AI providers. Our models run on our own infrastructure.
- Audit trail — Every AI action is logged, including what data was accessed, what decision was made, and what confidence level was assigned
Incident Response
Despite our best efforts, no system is immune to threats. Our incident response plan includes:
- 24/7 monitoring — Automated threat detection with human security team on-call
- 72-hour notification — In the event of a data breach affecting personal data, we notify affected users and relevant authorities within 72 hours as required by GDPR
- Post-incident review — Every security event triggers a thorough review with published findings and remediation steps
- Regular penetration testing — Annual third-party security audits and penetration tests
Your Responsibilities
Security is a shared responsibility. We recommend that all Klaras AI users:
- Enable two-factor authentication on their account
- Use unique, strong passwords (we recommend a password manager)
- Review team member access regularly and remove inactive users
- Report any suspicious activity immediately to admin@klarasai.com
Have questions about our security practices? Contact our team — we're happy to provide additional documentation or discuss specific compliance requirements.