Loading client sustainability reports into an AI tool requires absolute trust. ReportingGPT is built by a licensed Wirtschaftsprüfungsgesellschaft – we hold ourselves to § 203 StGB and § 43 WPO standards. Here is exactly how.
“Can I really upload my client's sustainability report to an AI tool? What about § 203 StGB? What about client confidentiality? What if the data is used for training?”
These are the right questions. We built ReportingGPT specifically because no existing AI tool could answer them satisfactorily. Below is exactly how we address each concern – technically, legally, and contractually.
EU data residency, AES-256 encryption, and access controls built for regulated industries.
Your reports are never used for training. Period. Full transparency on how AI processes your data.
Standard DPA (Auftragsverarbeitungsvertrag) under GDPR Art. 28 – available for all paid plans.
Legal foundation
justReporting GmbH Wirtschaftsprüfungsgesellschaft is a certified auditing firm (WPG) registered with the Wirtschaftsprüferkammer. This means § 203 StGB (professional secrecy for Wirtschaftsprüfer) applies to every engagement – including ReportingGPT.
Breaching this obligation is a criminal offence under German law – carrying penalties of up to one year of imprisonment. This is not a policy choice – it's a legal obligation.
A question we hear often is whether a generic AI tool would do. Here is why it is not sufficient for confidential audit work.
Comparison: generic AI (ChatGPT, Copilot) versus purpose-built (ReportingGPT), on the following criteria:
- EU data residency guaranteed
- No training on uploaded data
- § 203 StGB coverage
- Signed DPA available
- Audit-methodology comments
- Stateless inference (no logging)
- ESRS knowledge base
- Audit trail for working papers
ReportingGPT is built with GDPR requirements in mind. All data is processed and stored in AWS Frankfurt (EU). A Data Processing Agreement (Auftragsverarbeitungsvertrag) under Art. 28 GDPR is available for all paid plans. We process personal data only as necessary for the review service.
All data – including uploaded reports, comments, and user data – is stored in AWS Frankfurt (eu-central-1). Data never leaves the European Union. There is no replication to non-EU regions.
No, your reports are never used for fine-tuning, model training, or any other form of machine learning improvement. AI inference runs statelessly via AWS Bedrock – there is no prompt or response logging by default.
ReportingGPT is built by justReporting GmbH WPG, a licensed audit firm. As a Berufsgeheimnisträger under German law, § 203 StGB (professional secrecy) applies to justReporting – making breach of confidentiality a criminal offence. Technical safeguards include AES-256 encryption, RBAC, and mandatory MFA.
Yes, you can upload a client's sustainability report to an AI tool – if the tool meets appropriate security standards. ReportingGPT is built specifically for this use case: EU-hosted, no training on your data, § 203 StGB coverage, and encryption standards that meet the requirements of regulated audit firms.
At minimum: EU data residency, encryption at rest and in transit, role-based access control, audit logging, and a signed DPA. For audit firms handling client data, § 203 StGB and § 43 WPO obligations are additionally relevant. ReportingGPT is built with these requirements in mind – see our Trust Center for details on how we address each one.
We're happy to walk you through our security architecture, provide a DPA, or discuss specific compliance requirements for your firm.