Trust FAQ
Below are answers to the most common questions our customers ask about Antei’s infrastructure, compliance, and data protection policies.Show Does Antei store sensitive financial data like card numbers or payment methods?
Show Does Antei store sensitive financial data like card numbers or payment methods?
No. Antei does not store or process sensitive financial information such as card numbers, CVVs, or payment methods. We only ingest scoped, read-only fields necessary for indirect tax computation — such as invoice totals, tax rates, and customer metadata.
Show Where is customer data stored?
Show Where is customer data stored?
Antei uses a region-aware storage model:
- EU customer PII is stored in data centers located in the EU
- IND customer PII is stored within the IND
- USA and Rest of World PII is stored in USA (Global server)
- Non-sensitive and operational data is centrally processed in India
Show How does Antei ensure secure authentication for integrations?
Show How does Antei ensure secure authentication for integrations?
Antei uses OAuth 2.0 Authorization Code Flow for all supported integrations. Tokens are:
- Scoped to each organization
- Stored encrypted (never in local storage)
- Regularly refreshed and revoked on inactivity or disconnect
Show What happens if an integration sync fails?
Show What happens if an integration sync fails?
Sync failures trigger our retry logic with exponential backoff. If retries continue to fail:
- The incident is logged under Org Settings → Logs
- Optionally, a notification is sent to Admins
- Manual re-sync or override is available through the UI
Show Can I delete my data or request removal of synced records?
Show Can I delete my data or request removal of synced records?
Yes. Antei fully supports GDPR and DPDP data erasure workflows. You can request deletion at:
- Entity level (e.g., invoices, contacts)
- Org-wide level (entire workspace)
Show Does Antei allow for IP whitelisting or restricted access?
Show Does Antei allow for IP whitelisting or restricted access?
Yes — IP-based access controls are available for enterprise plans. These can be applied to:
- Dashboard login access
- Public APIs
- Vault document access routes
Show Is Antei SOC 2 compliant?
Show Is Antei SOC 2 compliant?
We are currently SOC 2 Type I compliant and undergoing SOC 2 Type II certification. Our systems align with SOC 2 principles for:
- Access control and role-based permissions
- Session and token management
- Logging, observability, and incident response
Show Do you sign DPAs or custom agreements?
Show Do you sign DPAs or custom agreements?
Yes. We offer Data Processing Agreements (DPAs) and can support additional contractual clauses (e.g., SCCs, jurisdictional routing) upon request.Contact legal@antei.com to initiate the process.
Show How does session and token security work in Antei?
Show How does session and token security work in Antei?
- Session tokens expire after 10 minutes of inactivity
- Vault sessions expire after 5 minutes and require password re-entry
- All API tokens are encrypted and validated against user + org scope
- No tokens are ever stored in browser local storage
- All APIs are rate-limited and pass through multi-layered authorization checks