Taxpoynt Data Protection & Processing (NDPR-aligned)

Last updated: 18 Dec 2025 Scope: Processing of customer data within Taxpoynt SI, AP, and Hybrid services for sandbox and production tenants.

1. Roles

You are the data controller for your tenant’s data. Taxpoynt acts as a data processor (and in limited cases, a controller where required by law, e.g., fraud/abuse prevention).

Deliver e-invoicing services: ingest canonical invoices, generate IRN/QR, validate with FIRS, archive/audit, and deliver callbacks.
Reliability, security, and support: monitoring, alerting, replay/DLQ, incident response.
Compliance: meeting legal/regulatory obligations (e.g., FIRS retention/validation).

Encryption: TLS 1.2+ in transit; managed storage encryption at rest (DB/object storage). Secrets/keys are never echoed in UI; per-org/env API keys are stored hashed/secured.
Tenant isolation: org + environment scoping on all reads/writes; RBAC for privileged actions.
Logging/audit: redacted logs (no secrets); immutable audit trails for configuration changes, invoice processing, and callbacks.
Minimal payloads: callbacks carry only required fields; PII exposure is limited to service needs.

Limited to infrastructure, email, and observability providers vetted for security posture. A current list is provided in your agreement or on request.

Retention aligns with contractual and regulatory requirements. Upon termination or written request (where permitted), data will be deleted or returned, subject to legal holds.

Security incidents with material impact will be notified without undue delay, following contractual and regulatory requirements.

Access, correction, deletion (where legally permissible), restriction, and portability requests are supported. Contact support@taxpoynt.com.