GDPR Compliance and Privacy Framework

Last updated: April 14, 2026

Document Control

Scope: Pacium SaaS Platform (AI-Assisted Accounting and Communication)
Jurisdiction: Belgium (EU GDPR)
Primary Regulatory Body: Belgian Data Protection Authority (APD/GBA)
Industry Standards: ITAA (Institute for Tax Advisors and Accountants)

1. Article-by-Article Compliance Strategy

Article 6: Lawful Basis for Processing

Pacium operates primarily as a Data Processor on behalf of Accounting Firms (Data Controllers).

Contractual Performance (Art. 6(1)(b))

Processing is necessary to deliver the SaaS functionality defined in the SLA. Application: ingesting invoices, processing bank statements, syncing and sending emails, AI-powered drafting, knowledge extraction from communications, and accounting software synchronization.

Legitimate Interest (Art. 6(1)(f))

Fraud detection, system security monitoring, and service stability. AI Model Improvement: explicit user feedback is processed anonymously to improve prompts. Client content is NOT used to train foundation models.

Legal Obligation (Art. 6(1)(c))

Alignment with Belgian Code of Economic Law (CEL) requirements for accounting record retention.

Article 9: Special Categories of Data

Financial data is not typically "Special Category" under Art. 9, but Pacium treats it with equivalent security rigor. Incidental Art. 9 data in invoices is covered under Substantial Public Interest (Art. 9(2)(g)). We strictly distinguish between Corporate Financial Data and Personal Data of identifiable individuals.

Article 22: Automated Decision-Making

Pacium avoids solely automated decision-making that produces legal or similarly significant effects for individuals.

  • Drafting vs. Sending: AI agents generate drafts, but an Accountant must review and approve before sending.
  • Override: Accountants can manually override AI classification at any stage.
  • Transparency: Users are informed that AI is assisting in the drafting process. AI-generated content is clearly indicated with source citations.
  • Hallucination Detection: AI-generated answers are validated against source material using automated groundedness checks.

2. Data Protection Impact Assessment (DPIA)

High-Risk Processing

  • Analyzing communication patterns between accountants and clients
  • Integration of Large Language Models for unstructured text processing
  • Aggregation of financial data across multiple tenancies
  • Agentic AI workflows that autonomously extract knowledge from email communications
  • Multi-model AI processing across multiple providers (Anthropic, Google, OpenRouter)

Mitigation Strategies

  • No-Training Guarantee: Client data is not used to train third-party foundation models. All AI providers are contractually bound to not use input data for training.
  • Data Stripping: Removing PII before using internal metadata for analytics.
  • Isolation: Tenant isolation ensures no data leakage between firms. All data is scoped by organization ID.
  • Human-in-the-Loop: All AI-generated outputs require accountant approval before external action.

3. Cross-Border and Belgian Considerations

International Data Transfers

Data Residency: 100% EU-based storage and processing. Primary: Convex (EU-hosted), Google Cloud (Brussels), AWS (Frankfurt).

Sub-Processors: Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable. Transfer Impact Assessments are conducted with Belgian professional secrecy obligations taken into account. AI providers (Anthropic, Google, OpenRouter) process data under Data Processing Agreements that prohibit training on client data.

Belgian Specifics

Professional Secrecy: Staff are contractually bound to confidentiality obligations mirroring Article 458 of the Belgian Penal Code.

APD Registration: Maintaining Record of Processing Activities (ROPA) per Art. 30.

4. Technical and Organizational Measures

Data Minimization

AI accesses only specific fields necessary for each task. Every AI suggestion includes source references. Built-in UI for accountants to correct errors before ledger entry. OAuth token scopes are limited to email access only.

Storage and Retention

Retention aligned with 7-10 year Belgian requirement. Crypto-shredding upon contract termination. Configurable retention periods per organization.

Security Architecture

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Row-Level Security (RLS) for tenant isolation, scoped by organization ID
  • Mandatory Multi-Factor Authentication (MFA/2FA)
  • Granular Role-Based Access Control (owner, admin, member)
  • OAuth token encryption: access tokens and refresh tokens encrypted before storage
  • Rate limiting on API endpoints and webhooks

5. Rights Management

  • Access (Art. 15): "Export Client Data" feature for comprehensive data export.
  • Rectification (Art. 16): Direct editing in the dashboard for AI-parsed data.
  • Erasure (Art. 17): Immediate deletion of non-essential data; legal accounting obligations flagged.
  • Portability (Art. 20): UBL and CODA standard exports.
  • Object (Art. 21): Opt-out of AI suggestions, revert to manual drafting.

6. Breach Response Protocol

Detection: Real-time monitoring for anomalous access patterns. Severity matrix for incident grading.

Notification: DPO notified immediately. Accounting Firm notified within 24 hours. Regulatory reporting to APD within 72 hours if required.

Remediation: Immediate isolation, forensic analysis, post-incident review and policy update.

7. Regulatory Compliance

Peppol and E-Invoicing: Secure Access Point integration. XML structure integrity maintained during processing.

SAF-T: Internal data models mapped to OECD SAF-T standards for Belgian tax authority requirements.

8. Business Continuity and Governance

Roles: Accounting Firm (Controller), Pacium (Processor), AI Vendors/Cloud (Sub-Processor).

Vendor Management: Annual SOC2/ISO 27001 audits. Public sub-processor list maintained. Robust DPAs with all vendors including AI providers.

Availability: RPO < 1 hour, RTO < 4 hours. Distributed backups. Public status page.

Contact

Data Protection Officer: contact@pacium.com
Supervisory Authority: Belgian Data Protection Authority (APD/GBA) - https://www.autoriteprotectiondonnees.be