Security & Policy
Protecting your data is our priority. Discover our security principles, usage policies and your rights.
Security principles
TurboIntrastat adopts a multi-layer security approach: TLS 1.3 encryption for data in transit and AES-256 for data at rest, 24/7 monitoring with automatic anomaly detection, Row Level Security on 35+ tables for per-organization data isolation, OWASP security headers, CSV injection protection and certified notifications for critical actions.
Usage policy and protection
TurboIntrastat adopts a 7-level graduated enforcement scale, compliant with the Digital Services Act (Regulation EU 2022/2065), to protect the platform and its users. The fundamental principle is the minimum action sufficient for the risk: every measure is proportional and reversible where possible.
Activation triggers
Triggers that activate the enforcement scale include: anomalous request volume (possible DDoS or scraping), SQL injection or prompt injection attempts, unauthorized access to other users' data, repeated violation of the terms of service, and upload of malicious content. Each trigger is classified by severity and activates the appropriate enforcement level.
Data retention
Retention periods are determined by the Data Protection Impact Assessment (DPIA) conducted pursuant to Art. 35 GDPR. Each data type has a specific retention period, after which it is automatically deleted.
Compliance
TurboIntrastat complies with: Regulation EU 2016/679 (GDPR) with documented DPIA, Digital Services Act (EU 2022/2065) for decision transparency, OWASP standards for application security, NIST SP 800-61 for incident response. All data is processed and stored exclusively in EU data centers.
Right of appeal
In compliance with the Digital Services Act (Art. 17), every user has the right to contest any enforcement decision. The appeal process guarantees transparency and fairness, with mandatory human review.
Enforcement scale
7-level graduated scale compliant with the Digital Services Act.
| Level | Action | Description |
|---|---|---|
| LIV 0 | Rate Limiting | Automatic traffic throttling for anomalous volume. |
| LIV 1 | CAPTCHA Challenge | Anti-bot verification for suspicious requests. |
| LIV 2 | Formal Warning | Email and in-app notification for first violation. |
| LIV 3 | Temporary Lockout | Temporary block with exponential duration (max 15 minutes). |
| LIV 4 | Temporary Suspension | Suspension from 24h to 30 days for repeated violations. |
| LIV 5 | Permanent Suspension | Indefinite suspension with right of appeal. |
| LIV 6 | Account Termination | Permanent account closure with certified notification. |
| LIV 7 | Authority Report | Report to competent authorities for cybercrime. |
Fundamental principle: the minimum action sufficient for the risk. Every measure is proportional and reversible where possible.
Retention periods
Transparent retention periods, determined by DPIA (Art. 35 GDPR).
| Data type | Period | Notes |
|---|---|---|
| Processed documents | 24 months | Automatic deletion at expiry |
| Security logs | 12 months | 90 days active + archive |
| Enforcement history | 36 months | Legal obligations |
| Account data | Contract duration | Deletion on request |
Appeal procedure
In compliance with the Digital Services Act (Art. 17), every user has the right to contest any enforcement decision.
- Appeal available within 6 months from decision notification
- Acknowledgment of receipt within 24 hours of request
- Human review completed within 5 business days
- Second appeal available within 15 days, reviewed by a different operator
- Option for out-of-court dispute resolution (Art. 21 DSA)
To file an appeal, write to supporto@turbointrastat.com with the subject "Appeal - [Action ID]".