Overview
iden is operated by Flexcon EOOD, a Bulgarian limited liability company registered in Sofia. Flexcon is a registered СУПТО (Software for Sales Management) software manufacturer under Bulgarian National Revenue Agency regulations — the most stringent fiscal compliance framework in the European Union.
Our compliance and security posture is structured around four principles:
- Compliance is a first-class feature — not a checkbox exercise. GDPR, NRA Ordinance H-18, and EU data residency requirements are part of the architectural specification, not a retrofit.
- Defense in depth — multiple layers of access control (HMAC-signed tokens, row-level security, tenant isolation, encrypted storage) so that no single control failure exposes customer data.
- Auditability — every fiscal event, every waiver signature, every identity verification is logged immutably. Audits take minutes, not days.
- EU-first infrastructure — all customer data is hosted in Frankfurt, Germany. No transatlantic data transfers, no Schrems II complications.
GDPR & privacy
iden processes personal data on behalf of our customers (venue operators), who act as the data controller. Flexcon acts as a data processor under Article 28 of the GDPR, governed by a written Data Processing Agreement with every customer.
Our platform is designed around GDPR Article 5 principles — lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity & confidentiality, and accountability:
- Lawfulness — personal data is only processed under one of the six lawful bases (primarily: contract, legitimate interest, and consent for marketing communications).
- Purpose limitation — data collected for bookings and waivers is never repurposed for unrelated marketing without a separate, explicit consent.
- Data minimization — the waiver flow asks for the minimum information required for legal compliance (name, phone, date of birth for minors). Email is optional where possible.
- Right to access, rectify, erase — built into iden.core. Venue operators can respond to a GDPR data subject request through the admin interface in minutes.
- Integrity & confidentiality — TLS 1.3 for data in transit, AES-256 at rest via Supabase-managed encryption, row-level security enforcing tenant isolation at the database layer.
Article 28 processors
Flexcon provides a Data Processing Agreement (DPA) to every customer on request. The DPA incorporates Standard Contractual Clauses for any subprocessor that operates outside the EEA.
NRA Ordinance H-18 & СУПТО
iden.pos is built to comply with Наредба Н-18 (Ordinance H-18) of the Bulgarian National Revenue Agency — the regulation governing cash register software and fiscal reporting for all businesses accepting cash or card payments in Bulgaria.
Flexcon is registered as a СУПТО (Software for Sales Management) software manufacturer. François Dehaibe, Flexcon's managing director, is the designated guarantor of fiscal compliance — a legal requirement under Ordinance H-18 that ensures a human accountable party exists for every registered software product.
What this means practically:
- Every receipt is fiscally signed — iden.pos speaks directly to Datecs FP-700MX fiscal printers via the ErpNet.FP middleware layer. Every transaction leaves a tamper-evident fiscal record.
- Unique Sales Number (UNP) — every transaction receives a deterministic UNP. Duplicate detection and collision recovery are built into the fiscal pipeline.
- Storno / reversal workflow — proper fiscal reversals with guarded state-machine transitions. No orphaned fiscal states, no ghost cancellations.
- Appendix 29 reporting — full export of Tables 18.1-18.5 and 18.9 on demand for NRA audits and controls.
- Immutable audit log — every fiscal event is recorded to an append-only log designed for NRA inspection.
Compliance specification
The full compliance mapping is maintained as a versioned internal document (IDEN-POS-NRA-COMPLIANCE-MAP-001) that tracks every Ordinance H-18 article against its implementation in the codebase.
Security posture
iden's security model is designed around defense in depth — multiple overlapping controls at the application, API, database and infrastructure layers:
- Transport security — TLS 1.3 everywhere. HSTS enabled. No mixed content.
- Authentication — HMAC-signed capability tokens with timing-safe comparison. No cookies. SSO/OAuth for staff accounts.
- Authorization — 25+ PostgreSQL Row-Level Security policies enforce per-tenant isolation at the database layer. A compromised application server cannot access another tenant's data.
- Bot protection — Cloudflare Turnstile at the edge, Upstash Redis rate limiting on hot paths (SMS OTP, booking creation).
- Encryption at rest — AES-256 via Supabase-managed keys. Waiver signatures stored in a dedicated encrypted storage bucket.
- Audit logging — every privileged action (staff login, fiscal event, data export, waiver signature, identity verification) is logged immutably.
- Least-privilege operations — staff roles are scoped per venue. Sensitive operations require re-authentication.
- Secrets management — API keys and service credentials are stored in secure environment stores, rotated on a schedule, and never committed to version control.
Booking widget auth architecture
The public-facing booking widget never talks to the database directly. A Vercel-hosted widget server proxies every request, signs its own capability tokens, and enforces rate limits. Full design in IDEN-BOOK-AUTH-STRATEGY v2.1.
Data residency
All customer data processed by iden is stored in the European Union:
- Primary database — Supabase (PostgreSQL) hosted in Frankfurt, Germany (AWS eu-central-1).
- Object storage — Supabase Storage in Frankfurt. Waiver signature images stored in a dedicated encrypted bucket.
- Application runtime — Supabase Edge Functions run on regional edge nodes within the EU.
- Cache & rate limiting — Upstash Redis hosted in EU regions.
- Messaging — Upstash QStash for background job scheduling, EU region.
- Email delivery — Resend transactional email. Sender IP, DKIM/SPF managed by Flexcon.
The only non-EU operations involve Apple Wallet and Google Wallet pass distribution — required for the wallet pass functionality. These services operate under their respective EU data transfer frameworks and Standard Contractual Clauses.
Subprocessors
The following subprocessors may process customer personal data on Flexcon's behalf. All are bound by data protection agreements that align with GDPR Article 28 requirements.
| Subprocessor | Purpose | Region |
| --- | --- | --- |
| Supabase | Database, auth, object storage, Edge Functions | EU (Frankfurt) |
| Vercel | Booking widget server, edge runtime | EU (Frankfurt & Dublin) |
| Upstash | Redis cache, QStash job scheduling | EU |
| Cloudflare | Turnstile bot protection, edge DNS | EU edge, global |
| Resend | Transactional email delivery | EU |
| Stripe | Payment processing | EU (Ireland) / global |
| myPOS | Payment terminal integration, fiscal cloud | EU |
| Apple (Wallet) | Wallet pass distribution & updates | Global (SCCs) |
| Google (Wallet) | Wallet pass distribution & updates | Global (SCCs) |
A current subprocessor list is available on request, and material changes are communicated to customers in advance.
Incident response
Flexcon maintains a documented incident response procedure. In the event of a personal data breach affecting a customer's data:
- Customer notification — we will notify affected customers without undue delay, in line with GDPR Article 33 timelines, with the information needed for them to notify their supervisory authority.
- Containment & investigation — the first priority is containment. A root-cause investigation follows, with corrective actions tracked to completion.
- Documentation — every incident is documented, regardless of severity, to build the organization's learning base.
- Reporting line — security issues can be reported to security@iden.software and are triaged by the founder directly.