Our architecture

Built on bank-grade architecture

Your invoicing is infrastructure, not just another dashboard. Certificates encrypted with a separate key, native 2FA, a tamper-proof audit log, and data that always stays on European soil.

AES-256
certificate encryption at rest
TLS 1.3
on every endpoint, with HSTS
🇪🇺 EU
data in Frankfurt, never leaves
Infrastructure

Infrastructure you can trust

Cofactu runs 100% on Cloudflare and Neon, with data always kept on European soil. Every organization is isolated at the application level: no query ever crosses your tenant's boundary.

  • PostgreSQL on Neon (Frankfurt) — data never leaves the EU
  • Multi-tenant isolation per organization on every query
  • 7-day point-in-time backups with granular restoration
99,9%
Target uptime
<50 ms
Latency in the EU
AES-256
Encryption at rest
Anti-draft guarantee

Zero lost invoices. In writing.

In our research at /comparativas we uncovered a pattern on Trustpilot: invoices stuck in draft, flipped signs, VeriFactu errors that require escalation. People find out months later while reconciling quarters. We commit to the opposite:

What if an invoice slips through?

If a failure in our own alert system leaves an invoice stuck as a zombie and it results in an AEAT penalty, we cover the cost. Ask us for the signed commitment at hola@cofactu.com.

Incidents in the industry

Accounting data is a target for attacks. Nobody talks about this.

Between 2024 and 2026 there have been several serious incidents in invoicing software used in Spain. We list them without sugarcoating — and how Cofactu is designed so this doesn't happen here.

What happened Feb 2026

Cegid — 74.000 IBANs leaked to the dark web

An actor published a dataset with IBANs, names, and emails extracted from Cegid (an ERP used by thousands of firms in Spain/France). The accounting firm has no mechanisms of its own to limit the exposure.

Source: Dataset published on a dark web forum

How we prevent it at Cofactu

Data encrypted at rest (Neon AES-256), .p12 encrypted with a separate password in R2, no bulk IBAN export even to internal staff — only the owner downloads their data.

What happened 2024

Contasimple — hacked accounts and diverted payments

Trustpilot has accumulated reviews about accounts accessed by third parties and payments diverted to unrelated IBANs. Quote: «hacked accounts, diverted payments, 2005-level security».

Source: Verified reviews on Trustpilot

How we prevent it at Cofactu

TOTP 2FA + WebAuthn passkeys + rate limiting + lockout after 5 attempts. The owner ALWAYS needs 2FA or a passkey to change payment IBANs.

Want the row-by-row detail? Scroll down to the comparison table.

Support

Direct access to the founder, no tier 1

Sage bills partners by the hour to fix bugs. Quipu locks phone support behind a Premium paywall. Anfix's post-sale support has gone downhill. As long as we stay small, Cofactu runs in «Founder Mode»: when you write in, the person who wrote the code answers you.

  • Public commitment: response in under 8 business hours
  • No tiers, no «I'll escalate this to the technical department»
  • Responsible disclosure program: security@cofactu.com
How support works
Pillars

Five pillars, none optional

We don't sell security as an upsell. All of this is active on every plan — from the 9 € one to the accounting firm plan.

Better Auth + 2FA

Identity and access

  • Native TOTP 2FA (Google Authenticator, 1Password, Authy).
  • Revocable sessions per device with device parsing.
  • Magic link and password with haveibeenpwned.com breach checks.
  • Rate limiting per IP with Cloudflare KV — automatic lockout against brute force.
  • Audit log for every login, logout, password change, and failed 2FA attempt.
AES-256-GCM · TLS 1.3

Data at rest and in transit

  • Certificates .p12 encrypted with AES-256-GCM before uploading to R2.
  • The .p12 password is encrypted with a separate key (envelope encryption).
  • Postgres on Neon EU (Frankfurt) — data never leaves European territory.
  • Strict TLS 1.3 on every endpoint, HSTS enabled, no downgrade.
  • Secrets stored in Wrangler Workers Secrets — never in code or public env vars.
Hash chain + audit log

Tamper-proofing and traceability

  • Immutable audit log with a SHA-256 hash chain — any retroactive change gets detected.
  • Every VeriFactu invoice carries the hash of the previous one in its series (chaining per RD 1007/2023).
  • Every critical action leaves an entry with userId, IP, before/after.
  • Audit log accessible to the owner — exportable as CSV.
GDPR · RD 1007/2023

Regulatory compliance

  • Full GDPR: right to erasure (soft DELETE → hard delete after 30 days), ZIP export.
  • Granular cookie consent banner (analytics toggle on/off independently).
  • DPA available for accounting firms (sub-processing agreement).
  • VeriFactu retention for 5 years — automatic deletion once the legal deadline expires.
  • Public subprocessor list: Cloudflare, Neon, Resend, Stripe, Anthropic.
Sentry + proactive alerts

Operations and monitoring

  • Sentry with sourcemaps in the API and workers — we diagnose bugs in minutes.
  • T-90 / T-30 / T-7 alerts for certificates and AEAT powers of attorney.
  • Transactional email when AEAT rejects an invoice, with an actionable explanation.
  • Status page at /status with public historical incidents.
  • Neon point-in-time backups, 7 days — granular restoration.
Subprocessors

Who we work with, no fine print

These are the providers that process data to make Cofactu work. A public list — no need to request it by email.

Cloudflare
Infra · CDN

Workers, Pages, R2, and KV. Compute and storage in the EU region.

Neon
Database

Serverless PostgreSQL in Frankfurt (EU). Your data, encrypted at rest.

Stripe
Payments

Billing and subscriptions. PCI-DSS level 1. We never touch your card number.

Resend
Email

Transactional email: expiration alerts, AEAT rejections, notices.

Anthropic
AI assistant

The Lucía assistant. Prompts don't include identifying data about the end customer.

Your certificate
Never shared

The .p12 is encrypted with AES-256-GCM before it leaves your browser. It never travels in plaintext.

Full list and DPA at /legal/privacidad.

Comparison

Cofactu vs. Holded · Contasimple · Quipu · Sage

Public data drawn from official documentation, Trustpilot/Capterra reviews, and public complaints (May 2026). If you spot outdated info, let us know and we'll fix it.

Native 2FA (TOTP)

Yes, at no extra cost

Quipu Trustpilot: "in 2024 there is no excuse for such outdated security"

Holded

Higher-tier plans only

Contasimple

No — source of the 2024 hack

Quipu

No (reviews are asking for 2FA)

Sage

Varies by product

Immutable audit log with hash chain

Yes, exportable as CSV

Holded

Partial

Contasimple

Not documented

Quipu

Partial

Sage

Enterprise plans only

Certificate .p12 encryption (envelope)

AES-256-GCM, separate password

Holded

Yes

Contasimple

Not verifiable

Quipu

Yes

Sage

Varies

Automatic brute-force lockout

Cloudflare KV, no config needed

Contasimple Trustpilot: "hacked accounts, diverted payments, 2005-level security"

Holded

Yes

Contasimple

No (confirmed by the 2024 incident)

Quipu

Yes

Sage

Varies

Data always in the EU (Frankfurt)

Yes — Neon EU + Cloudflare EU

Holded

Yes

Contasimple

Yes

Quipu

Yes

Sage

Yes (cloud products)

T-90/T-30/T-7 certificate alerts

Yes — unique in the market

Holded

T-30 only

Contasimple

Manual

Quipu

T-30 only

Sage

Manual

Expired AEAT power-of-attorney alerts

Yes — unique in the market

Holded

No

Contasimple

No

Quipu

No

Sage

No

Proactive email if AEAT rejects

Yes — error code + how to fix it

Holded Capterra: "€50 extra just to talk to a human when AEAT rejects"

Holded

Notification with no explanation

Contasimple

Notification in-app

Quipu

Notification in-app

Sage

Varies

Self-service GDPR ZIP export

Yes, 1 click

Billin Trustpilot: "unable to export contacts/invoices after the acquisition"

Holded

Yes

Contasimple

Limited

Quipu

Limited

Sage

Manual

Public DPA for accounting firms

Yes, at /legal/privacidad

Holded

On request

Contasimple

On request

Quipu

On request

Sage

On request

Public incidents

We don't make up the gaps

Real problems in the industry over the past few years, documented in public sources. Cofactu was designed by reading every complaint.

Contasimple (Cegid) 2024

Accounts compromised at scale — payments diverted to fraudulent accounts. Reviews point to the lack of 2FA and IP-based lockout.

"serious security failures where accounts were hacked and payments were diverted to fraudulent accounts"
See source
Holded 2025

VeriFactu bug (error 4124) blocking invoicing in production. Human support billed separately.

"€35 a month for a service that does not comply with the legal regulation, and €50 extra just to talk to a human on the phone"
See source
A3 / Wolters Kluwer 2025

Public complaint filed with OCU over service degradation after the acquisition.

"appalling service... every inquiry takes forever"
See source
FAQ

Frequently asked questions

The essentials on how we handle your data. Found a security flaw? Email us at security@cofactu.com.

Do you store data outside the EU?
No. Postgres runs on Neon EU (Frankfurt) and files live in R2 EU. Cloudflare processes traffic at its nearest EU PoP but does not store data outside European territory. The only exception is calls to Anthropic (the AI assistant) — prompts do not contain identifying data about the end customer.
Do you have a public DPA for accounting firms?
Yes. It is linked at /legal/privacidad and can be signed before you start your trial — no need to email us to get it.
If I leave Cofactu, can I take my data with me?
Yes, with one click. A complete ZIP export with CSVs of invoices, customers, products, the audit log, and the XML+PDF of every invoice. No cost, no waiting period, no "pay to take it with you." If your plan expires we keep your data for 90 days so you have time to migrate.
Do you have a responsible disclosure program for vulnerabilities?
Yes. If you find a security flaw, email us at security@cofactu.com with the steps to reproduce it. We respond within 24h, keep you posted on the fix, and credit your finding in the changelog if you would like.

Any specific question about how we handle your data

Email hola@cofactu.com and we'll reply with whatever technical documentation you need — no forms, no sales departments in between.

Ready to invoice without the headaches?

Start free or browse the plans. Your first VeriFactu invoice in under 10 minutes.

No card requiredCancel in 1 clickExport anytime