Why auditors trust ReportingGPT with confidential client data
Loading client sustainability reports into an AI tool requires absolute trust. ReportingGPT is built by a licensed Wirtschaftsprüfungsgesellschaft – we hold ourselves to § 203 StGB and § 43 WPO standards. Here is exactly how.
“Can I really upload my client's sustainability report to an AI tool? What about § 203 StGB? What about client confidentiality? What if the data is used for training?”
These are the right questions. We built ReportingGPT specifically because no existing AI tool could answer them satisfactorily. Below is exactly how we address each concern – technically, legally, and contractually.
Security & Compliance
EU data residency, AES-256 encryption, and access controls built for regulated industries.
- AWS Frankfurt – data never leaves the EU
- AES-256 at rest · TLS 1.3 in transit
- RBAC & least-privilege access model
- MFA mandatory for all accounts
- CloudTrail audit logging for every action
AI & Data Transparency
Your reports are never used for training. Period. Full transparency on how AI processes your data.
- No fine-tuning with customer reports – ever
- AWS Bedrock: stateless inference, no prompt logging
- No data shared with third-party AI providers
- Validated audit knowledge base – not model weights
- Optional invocation logging under your governance
Data Processing Agreement
GDPR-compliant DPA (Auftragsverarbeitungsvertrag) – because compliance isn't optional.
- GDPR Art. 28 (AVV)
- Available on request for all paid plans
- Standard contractual clauses included
- Data retention & deletion policy
- Subprocessor list available
Legal foundation
§ 203 StGB: Auditor confidentiality applies to ReportingGPT
justReporting GmbH Wirtschaftsprüfungsgesellschaft is a certified auditing firm (WPG) registered with the Wirtschaftsprüferkammer. This means § 203 StGB (professional secrecy for Wirtschaftsprüfer) applies to every engagement – including ReportingGPT.
Breaching this obligation is a criminal offence under German law – carrying penalties of up to one year of imprisonment. This is not a policy choice – it's a legal obligation.
Why not just use ChatGPT?
We hear this question often. Here is why a generic AI tool is not sufficient for confidential audit work.
Comparison criteria – generic AI (ChatGPT, Copilot) versus purpose-built (ReportingGPT):
- EU data residency guaranteed
- No training on uploaded data
- § 203 StGB coverage
- Signed DPA available
- Audit-methodology comments
- Stateless inference (no logging by default)
- ESRS knowledge base
- Audit trail for working papers
Data security questions
Yes. ReportingGPT is fully GDPR/DSGVO compliant. All data is processed and stored in AWS Frankfurt (EU). A Data Processing Agreement (Auftragsverarbeitungsvertrag) is available for all paid plans. We process personal data only as necessary for the review service.
All data – including uploaded reports, comments, and user data – is stored in AWS Frankfurt (eu-central-1). Data never leaves the European Union. There is no replication to non-EU regions.
No. Your reports are never used for fine-tuning, model training, or any form of machine learning improvement. AI inference is stateless via AWS Bedrock – there is no prompt or response logging by default.
ReportingGPT is built by justReporting GmbH WPG, a licensed audit firm. As a Berufsgeheimnisträger under German law, § 203 StGB (professional secrecy) applies to justReporting – making breach of confidentiality a criminal offence. Technical safeguards include AES-256 encryption, RBAC, and mandatory MFA.
Yes – if the tool meets appropriate security standards. ReportingGPT is specifically built for this use case: EU-hosted, no data training, § 203 StGB coverage, and encryption standards that meet the requirements of regulated audit firms.
At minimum: EU data residency, encryption at rest and in transit, role-based access control, audit logging, and a signed DPA. For audit firms handling client data, § 203 StGB and § 43 WPO obligations are additionally relevant. ReportingGPT is built with these requirements in mind – see our Trust Center for details on how we address each one.
Questions about data security?
We're happy to walk you through our security architecture, provide a DPA, or discuss specific compliance requirements for your firm.