Compliance
faktoora maintains a comprehensive information security management system aligned to leading international standards and regulatory frameworks. Our compliance programme covers six major frameworks with over 25 interlinked policy documents.
Regulatory Compliance
GDPR
Status: Compliant
As a German company processing personal data of EU residents, faktoora is fully compliant with the General Data Protection Regulation. Our GDPR programme includes:
- A designated external Data Protection Officer (PROLIANCE GmbH)
- Documented Record of Processing Activities covering all processing operations
- Data subject rights procedures with self-service tools for access, rectification, erasure, and portability
- Data Processing Agreements with all third-party processors
- Privacy-by-design principles embedded in our development lifecycle
See our Privacy page for full details.
DORA
Status: Compliant
The Digital Operational Resilience Act (DORA) applies to financial entities and their ICT service providers. faktoora maintains full compliance with DORA requirements through:
- ICT risk management framework with defined governance and risk appetite
- Incident classification and reporting procedures aligned to DORA Art. 17–20 timelines
- Business continuity and disaster recovery plans with regular testing
- Third-party risk management with concentration risk assessment and exit strategies
- Digital operational resilience testing programme covering vulnerability scanning, penetration testing, and scenario-based exercises
NIS2
Status: Monitoring
The NIS2 Directive is being transposed into German national law (NIS2UmsuCG). faktoora is actively monitoring the legislative process and has pre-aligned its security controls to the directive's requirements, including risk analysis, incident handling, business continuity, supply chain security, and cryptographic practices.
Industry Standards
ISO 27001
Status: Controls aligned
Our information security management system is aligned to ISO/IEC 27001:2022. We have mapped and implemented controls across all applicable Annex A domains, supported by a comprehensive Statement of Applicability. Our ISMS covers:
- Information security policies and governance
- Access control and identity management
- Cryptography and key management
- Operations security and change management
- Secure development lifecycle
- Supplier and third-party risk management
- Incident management and business continuity
- Human resource security and awareness
SOC 2
Status: Controls aligned
faktoora's security controls are aligned to the SOC 2 Trust Service Criteria across all five categories:
| Category | Coverage |
|---|---|
| Security (Common Criteria) | Access control, change management, risk mitigation, system operations, monitoring |
| Availability | Capacity planning, environmental protection, disaster recovery testing |
| Processing Integrity | Input validation, system processing controls, output verification |
| Confidentiality | Data classification, encryption, secure disposal |
| Privacy | Notice, choice, collection limitation, use/retention/disposal, access, disclosure, quality |
C5 (BSI)
Status: Controls aligned
Our controls are aligned to the BSI C5:2020 (Cloud Computing Compliance Criteria Catalogue), the German federal standard for cloud service security. Coverage spans all 14 C5 domains including organisation, asset management, identity and access management, cryptography, operations, incident management, and business continuity.
E-Invoicing Standards
faktoora is built for compliance with European e-invoicing regulations:
| Standard | Scope |
|---|---|
| EN 16931 | European standard for electronic invoicing — core compliance |
| ZUGFeRD | German hybrid PDF/XML invoice format (CII-based) |
| XRechnung | German government e-invoicing standard (mandatory for B2G) |
| Peppol | Pan-European e-invoicing network with AS4 transport |
| VeriFactu | Spanish tax authority real-time invoice registration |
German Accounting Law (GoBD)
faktoora's platform is designed to meet the requirements of German accounting law (GoBD), including:
- Immutable audit trails with cryptographic integrity verification
- Document retention for the legally required periods
- Invoice integrity from creation through archival
- Complete, traceable processing records
Detailed Documentation
For access to detailed compliance documentation including full policy texts, control mappings, and assessment reports, please visit our Request Access page.
Questions?
For compliance inquiries, contact compliance@faktoora.com.