GDPR Compliance & Privacy Framework
Comprehensive data protection documentation for Accaio's AI-assisted accounting and communication platform, ensuring full compliance with EU GDPR requirements and Belgian data protection standards.
Document Control
Accaio SaaS Platform (AI-Assisted Accounting & Communication)
Belgium (EU GDPR)
Belgian Data Protection Authority (APD/GBA)
ITAA (Institute for Tax Advisors and Accountants)
1. Article-by-Article Compliance Strategy
Article 6: Lawful Basis for Processing
Accaio operates primarily as a Data Processor on behalf of Accounting Firms (Data Controllers). We rely on the following lawful bases:
Contractual Performance (Art. 6(1)(b))
Context: Processing is necessary to deliver the SaaS functionality defined in the Service Level Agreement (SLA) with the Accounting Firm.
Application: Ingesting invoices, processing bank statements, and drafting communications.
Legitimate Interest (Art. 6(1)(f))
Context: Fraud detection, system security monitoring, and service stability.
AI Model Improvement: Explicit user feedback (e.g., "up/down" votes on drafts) is processed anonymously to improve system prompts. Client content is NOT used to train generative foundation models.
B2B Communication: Processing contact details of corporate client representatives for strictly business-related accounting correspondence.
Legal Obligation (Art. 6(1)(c))
Context: Alignment with Belgian Code of Economic Law (CEL) requirements for accounting record retention and format standards.
Article 9: Special Categories of Data
While financial data is sensitive, it is not typically classified as "Special Category" (e.g., health, biometrics) under Art. 9. However, Accaio treats it with equivalent security rigor.
Incidental Collection: If invoices (e.g., medical bills paid by a company) contain Art. 9 data, processing is covered under Substantial Public Interest (Art. 9(2)(g)): Necessary for tax compliance and statutory accounting.
Distinction: We strictly distinguish between Corporate Financial Data (not personal data) and Personal Data (financial data of sole traders or identifiable individuals).
Article 22: Automated Decision-Making & Profiling
Accaio explicitly avoids "Solely Automated Decision-Making" regarding legal or significant effects.
Human-in-the-Loop (HITL) Architecture
- Drafting vs. Sending: AI generates draft emails and categorizes documents, but an Accountant (human) must review and approve the action before it is finalized or sent.
- Override Mechanism: Accountants retain the ability to manually override AI classification or redraft communications at any stage.
- Transparency: Users are informed that AI is assisting in the drafting process, fulfilling transparency requirements.
2. Data Protection Impact Assessment (DPIA) Framework
Given the use of AI and large-scale processing of financial data, a DPIA is mandatory.
High-Risk Processing Identification
- Systematic Monitoring: Analyzing communication patterns between accountants and clients
- New Technologies: Integration of Large Language Models (LLMs) for unstructured text processing
- Scale: Aggregation of financial data across multiple tenancies
Necessity & Proportionality
The use of AI is necessary to handle the volume of data mandated by modern e-invoicing (Peppol) and to reduce administrative burden.
Privacy Check: Data minimization principles apply to training sets.
Mitigation Strategies
- No-Training Guarantee: We contractually guarantee that client data is not used to train third-party foundation models (e.g., OpenAI, Anthropic).
- Data Stripping: Removing PII (names, SSNs/NNs) before using internal metadata for non-generative analytics.
- Isolation: Tenant isolation ensures one accounting firm's data never leaks into another's environment.
3. Cross-Border & Belgian Specific Considerations
International Data Transfers
Data Residency: 100% EU-based storage and processing. Primary infrastructure: Convex (real-time database, EU-hosted), with supporting services in Google Cloud (Brussels, Belgium) and AWS (Frankfurt, Germany).
Sub-Processors: For AI & ML services (OpenAI API, Google AI SDK), Authentication (WorkOS, Microsoft Graph API), Communication (WhatsApp Business API, Meta APIs), Analytics (PostHog), and Document Processing (various libraries): Implementation of Standard Contractual Clauses (SCCs) (Module 2: Controller to Processor). Reliance on the EU-US Data Privacy Framework (where vendors are certified).
Transfer Impact Assessments: Transfer Impact Assessments (TIAs) are conducted to ensure US surveillance laws do not impinge on Belgian professional secrecy.
Belgian Specifics
Professional Secrecy: The platform is designed to uphold the professional privilege of accountants. Accaio staff are contractually bound to confidentiality standards mirroring Article 458 of the Belgian Penal Code.
APD Registration: Maintaining a Record of Processing Activities (ROPA) as per Art. 30, ready for inspection by the Belgian Data Protection Authority.
4. Technical & Organizational Measures (TOMs)
Data Minimization & Accuracy
Contextual Processing: AI accesses only the specific fields necessary for the task (e.g., extracting VAT number, Date, Total).
Data Provenance: Every AI-generated suggestion or summary includes a direct hyperlink/reference to the source document (invoice or email) to verify accuracy.
Validation Loops: Built-in UI for accountants to correct OCR/AI errors, ensuring data accuracy (Art. 5(1)(d)) before it enters the permanent ledger.
Storage & Retention
Automated Lifecycle: Data retention policies aligned with the 7-10 year requirement for accounting documents in Belgium.
Secure Deletion: Crypto-shredding of data upon contract termination or expiration of retention periods.
Security Architecture
- Encryption: Full encryption (AES-256) for data at rest on servers; TLS 1.3 for data in transit (End-to-End from browser to server).
- Logical Segregation: Strict tenant isolation using Row-Level Security (RLS) in databases to prevent cross-contamination between accounting firms.
- Access Control: Mandatory Multi-Factor Authentication (MFA/2FA) for all users.
- Role-Based Access Control: Granular permissions (e.g., Office Admin vs. Junior Accountant) limiting access to specific client files.
5. Rights Management Framework
Procedures for assisting Accounting Firms (Controllers) in fulfilling data subject requests:
Right of Access (Art. 15)
"Export Client Data" feature providing a comprehensive zip file of communications and documents processed.
Right to Rectification (Art. 16)
Direct editing capabilities within the dashboard for any AI-parsed data.
Right to Erasure (Art. 17)
Limitation: We flag data that cannot be erased due to legal accounting obligations (Art. 17(3)(b)).
Application: Immediate deletion of non-essential metadata or temporary processing files upon request.
Right to Portability (Art. 20)
Native support for UBL (Universal Business Language) and CODA standard exports to ensure clients are not locked in.
Right to Object (Art. 21)
Clients can opt-out of AI-analyzed communication suggestions, reverting to manual drafting methods.
6. Breach Response Protocol
Detection & Assessment
Automated Alerting: Real-time monitoring for anomalous data access patterns (e.g., bulk downloads).
Severity Matrix: Grading incidents based on risk to rights and freedoms (Low, Medium, High).
Notification Workflow
Internal Escalation: DPO notified immediately.
Controller Notification: Accaio notifies the Accounting Firm without undue delay (target: < 24 hours) after becoming aware of a breach.
Regulatory Reporting: Assisting the Accounting Firm in reporting to the Belgian APD within 72 hours if required.
Remediation
- Immediate isolation of compromised accounts/API keys.
- Forensic analysis to prevent recurrence.
- Post-incident review and policy update.
7. Regulatory Compliance Integration
Peppol & E-Invoicing (2026 Mandate)
Compliance: Accaio acts as a secure Access Point (or integrates with one), ensuring metadata in the Peppol network is handled according to strict usage policies.
Data Integrity: Ensuring the XML structure of e-invoices remains unaltered during processing.
Tax Deductibility (120%) & Digitalisation
Audit Trail: Maintaining immutable logs of when a document was received, processed by AI, and approved by a human. This provides the "digital proof" required for firms claiming government digitalization deductions.
SAF-T (Standard Audit File for Tax)
Structure: Ensuring internal data models map correctly to OECD SAF-T standards for potential future export requirements by Belgian tax authorities.
8. Business Continuity & Governance
Roles and Responsibilities
Data Controller: Accounting Firm - Determining purpose of processing, owning client relationship, lawful basis.
Data Processor: Accaio - Processing data per instructions, security, assisting with compliance.
Sub-Processor: AI Vendors / Cloud - Infrastructure and specific AI tasks (strictly controlled by Accaio).
Vendor Management
- Annual Audit: Annual review of SOC2 Type II or ISO 27001 certifications of all sub-processors.
- Transparent List: We maintain a public list of sub-processors and their specific functions, including: Infrastructure (Convex, Node.js), AI/ML (OpenAI, Google AI, Vercel AI SDK), Authentication (WorkOS, Microsoft Graph API), Communication (WhatsApp Business API, Meta APIs), Analytics (PostHog, Web Vitals), Document Processing (Mammoth.js, PDF Parse, MSGReader), and Testing (Vitest, Testing Library, JSDOM).
- DPA Enforcement: Signing robust Data Processing Agreements with every vendor involved in the chain.
Availability
- Disaster Recovery: RPO (Recovery Point Objective) of < 1 hour; RTO (Recovery Time Objective) of < 4 hours.
- Redundancy: Distributed database backups to ensure business continuity during system maintenance.
- Status Monitoring: Public status page available for transparency regarding uptime and incidents.
Contact Information
For any questions regarding GDPR compliance, data protection, or to exercise your rights:
Data Protection Officer: privacy@accaio.com
Address: Belgium (Full address available upon request)
Supervisory Authority: Belgian Data Protection Authority (APD/GBA) - https://www.autoriteprotectiondonnees.be
Last Updated: November 26, 2025