No. Antei does not store or process sensitive financial information such as card numbers, CVVs, or payment methods. We only ingest scoped, read-only fields necessary for indirect tax computation — such as invoice totals, tax rates, and customer metadata.

Antei uses a region-aware storage model:

• EU customer PII is stored in data centers located in the EU
• IND customer PII is stored within the IND
• USA and Rest of World PII is stored in USA (Global server)
• Non-sensitive and operational data is centrally processed in India

All data is encrypted at rest and scoped per organization to maintain compliance and isolation.

Antei uses OAuth 2.0 Authorization Code Flow for all supported integrations. Tokens are:

• Scoped to each organization
• Stored encrypted (never in local storage)
• Regularly refreshed and revoked on inactivity or disconnect

Sync failures trigger our retry logic with exponential backoff. If retries continue to fail:

• The incident is logged under Org Settings → Logs
• Optionally, a notification is sent to Admins
• Manual re-sync or override is available through the UI

Yes. Antei fully supports GDPR and DPDP data erasure workflows. You can request deletion at:

• Entity level (e.g., invoices, contacts)
• Org-wide level (entire workspace)

Deletion requests are irreversible and logged for audit traceability.

Yes — IP-based access controls are available for enterprise plans. These can be applied to:

• Dashboard login access
• Public APIs
• Vault document access routes

Contact support@antei.com to enable IP restrictions.

We are currently SOC 2 Type I compliant and undergoing SOC 2 Type II certification. Our systems align with SOC 2 principles for:

• Access control and role-based permissions
• Session and token management
• Logging, observability, and incident response

Audit reports are available to enterprise customers under NDA.

Yes. We offer Data Processing Agreements (DPAs) and can support additional contractual clauses (e.g., SCCs, jurisdictional routing) upon request.

Contact legal@antei.com to initiate the process.

• Session tokens expire after 10 minutes of inactivity
• Vault sessions expire after 5 minutes and require password re-entry
• All API tokens are encrypted and validated against user + org scope
• No tokens are ever stored in browser local storage
• All APIs are rate-limited and pass through multi-layered authorization checks