Trust Codabox

At Codabox, trustworthiness is not an empty promise but the result of expertise, deliberate choices, and continuous efforts. One third of our development capacity is dedicated to the security and scalability of our robust, high-performing systems and integrations. We work according to the ISO standard and meet the highest requirements for security, processing integrity, and continuity.

At Codabox, the confidential and sensitive data that is so crucial to a smooth accounting process is always in good hands.

Last updated on: 2 July 2026

Data Management

Codabox guarantees maximum protection of both the personal data and the financial and accounting data that we are entrusted to process for our customers. This added value should not be underestimated: after all, we’re processing sensitive, confidential data.

Data Protection

When processing personal data, we respect the right to privacy and strictly comply with all applicable legislation, including the GDPR.

Read more
  • The privacy policy governs the collection, processing, and protection of personal data, in compliance with data protection laws, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Directive on privacy and electronic communications (or “ePrivacy Directive”).
  • We only process personal data on a lawful basis and for specified, legitimate purposes: to fulfill contractual obligations or to improve the security and reliability of our services.
  • We ensure that all parties are fully informed about the types of data we collect and how their personal data is processed.
  • A Data Protection Officer (DPO) has been appointed, as described in the GDPR.
  • A Data Protection Compliance Assessment (DPCA) is performed annually.

More info or contact us.

Limited Data Processing

The mandate clearly states that we may transfer financial and accounting data as a service, while the right to access/view transactions is strictly limited.

Read more
  • Codabox acts on behalf of the account holder/legal representative. The mandate is signed by the legal representative and validated by the bank. The mandate can be revoked at any time.
  • The Codabox mandate allows us to obtain specific financial and accounting data from the relevant service provider(s), process that data, and digitally transfer it to a specific recipient (our customer) designated by the signatory.
  • The mandate does not allow us nor the recipient to initiate transactions on the account(s) and/or credit card(s). We may only view/analyze the data for the purpose of expanding our services and/or optimizing the intended flow of information. The mandate does not give us the right to view or modify the data for any other purpose.
  • Internal controls are in place to enforce this and strictly limit employee access to the permitted scope of the mandate.

No Processing of Sensitive Credit Cardholder Data

We follow global standards to ensure that we never see or process sensitive data, such as credit card numbers, in the CARO service.

Read more
  • The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard that regulates how organizations store, process, and transmit cardholder data, such as Unmasked Primary Account Numbers (PAN), cardholder names, expiration dates, and service codes.
  • The Codabox service CARO adheres to the requirements for Self-Assessment Questionnaire A by ensuring that no credit card-related information (e.g., PAN, expiration date, service code) is stored or processed in our systems.

More information about this policy.

Data Hosting and Backup

The processed data is protected and secured thanks to reliable infrastructure in Europe.

Read more
  • All customer data (such as CODA or SODA files, as well as all other customer data) is hosted in European data centers. This means that all data is processed according to strict privacy rules: we guarantee strong compliance with data protection and regulatory requirements, in particular the GDPR. The data centers also maintain the highest standards regarding physical access.
  • The databases are automatically backed up every day.
  • We regularly verify that those backups can actually be restored.

Business Continuity

Business continuity management is based on worst-case and crisis scenarios and is intended to safeguard the interests of key stakeholders.

Read more
  • We have a disaster recovery plan for our systems and data if faced with a disruptive incident, such as a data center outage or the Codabox office becoming unusable.
  • With the necessary measures and procedures, we can ensure that we are back online within a reasonable time frame (prioritizing infrastructure first and then restoring data).
  • The disaster recovery procedures can be executed by all development engineers and are tested regularly.

Incident Management

Incident management focuses on detecting problems and restoring service as quickly as possible to minimize the impact on business operations.

Read more
  • Codabox follows Wolters Kluwer Global IT Service Management (ITSM). The Incident Management Process (part of ITSM) at Wolters Kluwer is designed to manage incidents so that any degradation in service is restored according to the SLA (service-level agreement). Different SLAs are defined based on the severity and the customer impact of the incident.
  • All employees involved in the ITSM process receive regular training on our response procedures.
  • You can always follow the status of the Codabox service on our system status page, which provides up-to-date information 24/7 in the event of scheduled maintenance or temporary interruptions or delays. You can also subscribe to receive automatic notifications.

Security

We make every effort to protect our systems and sensitive data against unauthorized access, misuse, and cyber threats. This means you can trust that your data is always secure and that our services continue to operate in a stable and reliable way.

Network Security & Intrusion Detection

Our network security is designed to provide maximum protection for both internal and external communications.

Read more
  • A cybersecurity platform protects our network from the internet.
  • Communication between the network and the outside world is highly secure.
  • Employees who work remotely use a secure connection.
  • A Wolters Kluwer-wide intrusion detection system enables us to continuously monitor our network and detect potential security incidents at an early stage.

Authentication and Authorization: Employees

Network access is strictly secured, and employee access rights are determined based on role and profile.

Read more
  • We maintain an acceptable use policy for company resources and end-user devices that can connect to the corporate network.
  • Through regular access reviews and a clear policy, we ensure that every employee always has the appropriate access (based on the “need-to-know” and “least privilege” principles). Access rights are restricted or expanded for new employees, employees who change roles, or employees who leave the company.

Authentication and Authorization: MyCodabox Users

We apply strict policies and robust controls to protect personal data.

Read more
  • Authentication and KYC (know your customer): we thoroughly verify the identity of our users. Our KYC process meets the highest security standards required by banks.
  • Authorization and access control: we apply robust controls to prevent unauthorized access to personal data. As a customer, you can specify or restrict user access for employees/colleagues in the MyCodabox portal as needed.
  • Password policy: we apply strict requirements for setting passwords.
  • Two-factor authentication: we offer the option to enable 2FA (using an authenticator app) at the user level.

Cryptography

Our cryptographic controls define how data is protected during transmission and storage across all systems and integrations.

Read more
  • Banks: critical data exchanges with banks are safeguarded using highly secure cryptography. For each bank, the level of security is aligned with that bank’s specific requirements and policy.
  • Accounting software: the information we send to accounting software is always transmitted via secure connections (SSL).
  • Storage: all of our data is also encrypted at rest (while stored in the database). This protects it against unauthorized access.

Pen testing

Pen testing is an essential part of our security strategy to prevent and mitigate potential risks.

Read more
  • During penetration testing, we simulate cyber attacks on our systems, networks, or applications to identify potential weaknesses and address them where necessary.
  • Our penetration testing policy includes both black-box and white-box testing. The simulations are highly targeted so as to identify critical issues in the code.
  • Penetration testing is performed at regular intervals, as well as proactively when releasing a major new component.

Security Testing

Through regular code and application scanning, we safeguard the integrity of our software systems and ensure that your data can only be accessed for legitimate purposes.

Read more
  • Through strict policies and continuous code monitoring (code scanning), we guarantee security and ensure code quality, maintaining optimal reliability and durability of our software.
  • We do regular security checks on our application by simulating potential attacks.
  • Should any vulnerability be detected, we follow established internal guidelines and procedures to effectively assess, prioritize, and remediate it within defined time frames.

Antivirus Scanning

All files that are uploaded and exchanged between parties are subject to antivirus scanning and malware protection. If malware is detected, the file is blocked immediately.

Office Security

Physical security at the Codabox office is strictly controlled to protect people, systems, and sensitive information.

Read more
  • Physical access to the Codabox office is strictly limited to identified and authorized individuals.
  • Procedures are in place to grant, change, or revoke access rights as needed.
  • Access is controlled and secured through a badge system, camera surveillance, motion detection and alarm (control room), as well as fire alarm.
  • The building is ISO certified.

Human Resources Security

Security is also an important point of focus when it comes to human resources, including confidentiality agreements.

Read more
  • Employees and contractors who work for Codabox are bound by confidentiality agreements, which are included in their contracts.
  • Human Resource security is further optimized through the internal policies and procedures established for the other topics mentioned here, such as Authentication and Authorization, Physical Security, and Security Awareness Training.

Security Awareness Training

To strengthen our security posture, we invest in continuous security awareness training and maintain clear responsibilities at the team level.

Read more
  • We ensure that our employees stay informed through regular training sessions and workshops.
  • In each team, one person is appointed to ensure that the team remains focused on security in day-to-day operations and development.

Financial & Legal

Being an established company, we can offer our customers certainty, stability, and continuity, but most importantly legal clarity and contractual guarantees. No surprises – always a reliable partnership.

Wolters Kluwer

We are part of Wolters Kluwer, a globally established and financially robust organization. This means Codabox is a reliable partner and that we can guarantee our customers long-term stability and trustworthy service.

Read more
  • Wolters Kluwer (Euronext: WKL) is a global leader in information solutions, software, and services in the following sectors: health, tax and accounting, corporate performance & ESG, financial corporate compliance, and legal & regulatory.
  • The group serves customers in more than 180 countries, maintains operations in over 40 countries, and employs more than 21,000 people worldwide.

Customer Agreement

Our two-party contract provides our customers with clarity and legal certainty.

Read more
  • The Codabox service agreement provides clear information about the products and services, terms and conditions, and prices.
  • Codabox’s liability is clearly and contractually defined. This gives both parties legal certainty.
  • The contract contains clear provisions on service discontinuation, mandate termination, and contract cancellation. Codabox specifies the procedures and timelines while ensuring accounting continuity.

Compliance with Legal and Contractual Requirements

A compliance policy covers the rules and regulations related to legal and contractual requirements to avoid violations of legal, statutory, regulatory, or contractual obligations regarding information security as well as all other security requirements.

Customer Service

At Codabox, you are never on your own: when needed, you can count on fast, expert, tailored assistance.
This allows you to continue working smoothly and worry-free.

Codabox Helpdesk

A team of experts is available every day to provide free, personalized customer support.

Read more
  • The support team offers a personalized approach and is available every workday by phone and email in Dutch, French, and English. Support is free of charge.
  • The phone line (from 9:00 AM to 5:00 PM) is a direct point of contact with two support employees who can help you right away.
  • You can also consult our extensive online knowledge base containing up-to-date answers to frequently asked questions, as well as tips, guidance, and instructions for all day-to-day operations in the MyCodabox user platform.

Onboarding and Follow-Up

Both during and long after onboarding, our teams offer ongoing guidance to ensure optimal use of our services and platforms.

Read more
  • The Support team offers personalized and proactive guidance, including at onboarding, when setting up delivery, and in case of a merger.
  • From onboarding onward, our Customer Success team follows up with personalized advice for optimal use of the Codabox services and the MyCodabox portal. On-site visits are also possible (no fees charged).

Questions?