Trust & transparency
Security & Data
Selvia
Effective date: April 2026 · selvia.fi · info@selvia.fi · 0415833020
- Encrypted: TLS in transit, encrypted at rest
- EU hosted: Data stays in the EEA
- GDPR aligned: Finnish & EU law aligned
- No data sales: Your data is never sold
- 72h breach notice: DPA notified as required by law
Section 1
Our approach to security
Selvia is built around one principle: your business data should be clear, controlled, and protected at every stage. We handle financial records, accounting data, and tax information for freelancers and companies in Finland, and we take that responsibility seriously.
This document explains how we secure the Selvia platform, how we handle your data, and what you can expect from us as your accounting partner.
- EU GDPR-compliant infrastructure and practices
- Encrypted data in transit and at rest
- Role-based access control throughout the platform
- Secure EU-based cloud infrastructure with continuous monitoring
- No sale of client data — ever
- 72-hour breach notification to the Finnish data protection authority (DPA) when required
Section 2
Infrastructure and hosting
Selvia uses modern, EU-based cloud infrastructure to host the platform and store client data. Our infrastructure providers are selected for their compliance certifications, reliability, and alignment with EU data protection requirements.
| Infrastructure type | EU-based cloud hosting |
| Data residency | European Economic Area (EEA) |
| Uptime target | High availability with redundancy |
| Backups | Regular automated backups with integrity checks |
| Monitoring | Continuous infrastructure and access monitoring |
| Third-party providers | Bound by GDPR-compliant data processing agreements (DPAs) |
Selvia does not use infrastructure based in countries without an EU adequacy decision unless Standard Contractual Clauses (SCCs) or equivalent safeguards are in place.
Section 3
Data in transit and at rest
All data exchanged between your device and the Selvia platform is encrypted in transit. Data stored on Selvia systems is encrypted at rest.
| Data in transit | TLS 1.2 or higher — HTTPS enforced on all endpoints |
| Data at rest | Encryption applied to databases and stored files |
| Passwords | Hashed using industry-standard algorithms — never stored in plain text |
| API connections | Authenticated and encrypted |
| PDF documents | Generated and transferred over encrypted channels |
Section 4
GDPR and legal compliance
Selvia processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki, 1050/2018).
- We process only the personal data necessary to provide our services (data minimisation)
- All processing has a defined legal basis under GDPR Article 6
- We do not use client data for advertising, profiling, or sale to third parties
- Clients retain ownership of their data at all times
- We maintain a record of processing activities (ROPA) as required by GDPR Article 30
- Where we act as a data processor on your behalf, a Data Processing Agreement (DPA) is in place
- We review our data protection practices regularly and update them as required
For full details on how we process personal data, see our Privacy Policy.
Section 5
Data storage and residency
All client data processed by Selvia is stored within the European Economic Area (EEA). We do not transfer client data outside the EEA unless strictly necessary and only with appropriate safeguards in place.
| Primary storage | European Economic Area (EEA) |
| International transfers | Only with EU Standard Contractual Clauses (SCCs, 2021) or adequacy decision |
| Accounting records | Retained in EU-hosted systems for the legally required period |
| Documents | Invoices, PDFs, and receipts stored in EEA-based infrastructure |
| Subprocessors | All subprocessors bound by GDPR-compliant DPAs |
We maintain an up-to-date register of subprocessors who may access client data. If you require a copy, contact us at info@selvia.fi.
Section 6
Data retention and deletion
We retain your data only as long as necessary, based on the purpose for which it was collected and applicable Finnish legal requirements.
| Accounting and financial records | 6–10 years (Finnish Accounting Act / Kirjanpitolaki) |
| Tax records and VAT filings | 6 years from end of the relevant tax year |
| Active client account data | For the duration of the service relationship |
| Post-termination client data | Up to 3 years after service relationship ends |
| Platform access logs | Up to 12 months |
| Support communications | Up to 3 years |
| Marketing consent records | Until consent is withdrawn |
Upon termination of your account, Selvia will provide a reasonable period for you to export your data before deletion is initiated. Deletion of data subject to legal retention obligations follows the statutory schedule, not account termination.
You may request deletion of your data at any time by contacting info@selvia.fi. Requests are processed subject to applicable legal retention requirements.
Section 7
Access controls and permissions
Access to client data within Selvia is strictly controlled and limited to those who need it to perform their role.
- Role-based access control (RBAC) is applied across all internal systems
- Staff access to client data is granted on a least-privilege basis
- All Selvia staff with access to client data are subject to confidentiality agreements
- Administrative access to production systems is restricted and logged
- Multi-factor authentication (MFA) is required for internal system access
- Access rights are reviewed regularly and revoked promptly when no longer required
Client-facing platform access is secured by individual account credentials. You are responsible for maintaining the security of your login credentials and for notifying Selvia immediately if you suspect unauthorised access.
Section 8
Incident response and breach notification
Selvia maintains an incident response process for handling suspected or confirmed data security incidents, including personal data breaches.
| Detection | Continuous monitoring with alerting for anomalous activity |
| Containment | Immediate isolation of affected systems upon confirmed breach |
| Assessment | Rapid evaluation of scope, nature, and affected data |
| DPA notification | Finnish Data Protection Ombudsman notified within 72 hours if required (GDPR Art. 33) |
| Client notification | Affected clients notified without undue delay where there is high risk (GDPR Art. 34) |
| Post-incident | Root cause analysis and remediation documented in breach register |
Selvia maintains an internal breach register in accordance with GDPR Article 33(5). All incidents, regardless of severity, are logged and reviewed.
Section 9
Your responsibilities
Security is a shared responsibility. As a Selvia client, you play an important role in keeping your account and data secure.
- Use a strong, unique password for your Selvia account and do not share it
- Enable any available multi-factor authentication on your account
- Log out of the platform on shared or public devices
- Notify Selvia immediately at info@selvia.fi if you suspect your account has been compromised
- Ensure that documents and data you upload are accurate and lawfully obtained
- Do not attempt to probe, test, or exploit Selvia's systems without prior written authorisation
- Keep your contact details up to date so we can reach you in the event of a security incident
Selvia is not responsible for security incidents arising from a client's failure to maintain adequate account security or from inaccurate data provided by the client.
Section 10
Contact and security reporting
For any security-related questions, data subject rights requests, or to report a suspected vulnerability or incident, please contact us:
| General enquiries | info@selvia.fi |
| Security and incidents | info@selvia.fi — mark subject: SECURITY |
| Phone / WhatsApp | 0415833020 |
| Privacy Policy | selvia.fi/privacy |
| Terms and conditions | selvia.fi/terms |
| Finnish DPA | Tietosuojavaltuutetun toimisto — tietosuoja.fi |
We aim to acknowledge all security-related communications within one business day.
selvia.fi · Last updated: April 2026
