Our certifications and accreditations speak for themselves.
Information security management. International standard for managing information security. Renewed in May 2024.
Information security in healthcare. Dutch standard for information security at healthcare institutions. Renewed in May 2024.
Service organisation controls. Independent assessment of the design and operation of control measures. Achieved in July 2024.
Access Point Certified Provider. Certified by the Dutch Peppol Authority. eConnect operates a minimum of 5 Access Points for maximum reliability.
SMP Compliant. One of very few OASIS SMP-compliant solutions worldwide. All compliance tests passed.
Construction sector certified. Certified for the DICO standard, specifically for the construction sector. Support for G-account, reverse charge VAT and chain liability.
eConnect is not just a user of Peppol standards, but a co-developer:
- Co-founder NPa: co-founder of the Dutch Peppol Authority
- Board member OpenPeppol: actively involved in international standard development
- E-return initiative: in 2021 member of the working group for status messages, commissioned by the Ministry of the Interior
- FD Gazellen: twice recognised as one of the fastest growing companies in the Netherlands (2024, 2025)
With e-invoicing you process sensitive financial data from your organisation and your trading partners. Certifications such as ISO 27001, NEN 7510 and ISAE 3402 give you the assurance that your provider works in a demonstrably secure manner. This is not only sensible; in more and more sectors it is also a hard requirement. The healthcare sector requires NEN 7510 for information security, government institutions require ISO 27001, and auditors ask for ISAE 3402 as proof that the control measures of your processor are in order.
eConnect holds all of these certifications, which is relatively unique in the Dutch market. This makes it easier to meet your own compliance requirements: you can demonstrate that you use a certified processor. Moreover, the certifications are independently assessed and renewed annually, so they are always current. If you are considering switching providers or choosing an e-invoicing solution for the first time, certifications are an objective criterion for comparing providers.
Data protection is woven into the entire infrastructure at eConnect. All data is processed and stored within the EU/EEA, on servers from Microsoft Azure (Netherlands/Ireland) and Google Cloud (Netherlands/Western Europe). Communication is fully encrypted and data at rest is encrypted. Additionally, eConnect conducts annual independent penetration tests to proactively identify vulnerabilities.
The ISAE 3402 Type II certification means an independent auditor has established that control measures are not only well designed, but also actually work in practice. For organisations dealing with privacy-sensitive invoice flows, for example in healthcare or at government institutions, the combination of NEN 7510 and ISO 27001 provides additional safeguards. On the status page you can follow the availability of the platform in real time. The PSB itself has no maintenance window; updates are rolled out without downtime via rolling upgrades. For the web platform a Saturday morning maintenance window applies (02:00 to 08:00, outside business hours).
The combination of ISO 27001, NEN 7510 and ISAE 3402 Type II is unusually broad in the Dutch Peppol market. Many providers hold one or two of these certifications, but rarely all three. This makes eConnect suitable for the most demanding sectors, from healthcare institutions that require NEN 7510 to government organisations that mandate ISO 27001.
Additionally, eConnect is co-founder of the Dutch Peppol Authority and board member of OpenPeppol. This involvement in standard development translates directly into the security of the platform: we are always the first to know about new security requirements and implement them before they become mandatory. The DICO certification for the construction sector also demonstrates that we take sector-specific requirements seriously. Annual pentests and the FD Gazellen recognition confirm that rapid growth and high security standards go well together.
Absolutely. eConnect holds the NEN 7510 certification, the Dutch standard for information security in healthcare. This is a hard requirement for healthcare institutions that process invoice flows directly or indirectly related to patient information. The NEN 7510 certification was renewed in May 2024 after an independent audit.
In combination with ISO 27001 and ISAE 3402 Type II, eConnect offers the highest security level in the Dutch e-invoicing market. All data processing takes place within the EU/EEA, on servers in the Netherlands and Ireland. Data is encrypted, both in transit and at rest. For healthcare institutions that want to demonstrate to their auditor or regulator that their invoicing process is securely organised, these certifications provide concrete evidence. Various healthcare institutions, from hospitals to mental health organisations, already work with eConnect for their e-invoicing.
eConnect conducts annual independent penetration tests via a specialised firm. The full pentest report is not shared by default, but via the Compliance & Security Reports subscription (EUR 155 per month) you receive the management summary of the pentest, the ISO 27001 report, the ISAE 3402 report and other security findings with every update. This way you always have current documentation for your own compliance dossier.
For enterprise customers, the full pentest report can be made available as part of the contract agreements. Contact sales to discuss the options. The certificates for ISO 27001 and NEN 7510 are publicly available via the website of the audit organisation.
All data processing takes place within the EU/EEA. The Procurement Service Bus (PSB) runs on Microsoft Azure in the Netherlands and Ireland, and the Intelligent Document Recogniser (IDR) runs on Google Cloud in the Netherlands and Western Europe. Data at rest is encrypted with AES-256, and all communication runs over TLS 1.2 or higher, with a preference for TLS 1.3.
The PSB stores documents for 1 to 7 days by default as transit data. Via the API, a document can be deleted immediately after processing. For long-term archiving, the platform offers a retention period of up to 10 years. All cloud hosts have their own ISO 27001 certification and modern security techniques. eConnect processes only limited personal data in accordance with the data processing agreement (GDPR).
Want to know more about our certifications and accreditations? Contact us.