Security overview
How EI BNC Compta handles your data, what runs locally, and what — if anything — leaves your machine.
Your data never leaves your device
Everything stays in your browser. EI BNC Compta stores all accounting data — income, expenses, invoices, client records — exclusively in your browser's localStorage. No AlfaNest server receives or processes your bookkeeping data.
AlfaNest Labs operates no database, no cloud sync, and no analytics pipeline for this product.
What runs where
- Application logic — runs entirely in your browser (HTML + JavaScript, loaded once).
- Accounting data — stored in localStorage on your device. Cleared only if you clear browser data or export and delete manually.
- License activation — your license key is verified against the AlfaNest license server at first activation only. No accounting data is transmitted during this check.
- Mistral AI scan (optional) — if you configure a Mistral API key in Settings, the selected document content is sent directly to api.mistral.ai using your own key. AlfaNest Labs does not route, store, or log this traffic. If you do not configure a key, no data is sent anywhere.
- Third-party libraries — pdf.js, JSZip, and font assets are loaded from a CDN at startup. These requests carry no personal or accounting data.
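One way to check the data flows listed above for yourself, as an added example (not AlfaNest's code): enter a distinctive canary value into the app, export a HAR file from the browser's network panel, and audit it. Only api.mistral.ai is taken from this page; the app origin, the license and CDN hostnames, the request paths, and the canary string are placeholder assumptions.

```javascript
// Added example: audit a browser HAR export against the data flows listed above.
// Only api.mistral.ai comes from the page; every other hostname is a placeholder.
const POLICY = {
  "api.mistral.ai":          { documentContent: true,  staticOnly: false },
  "license.example.invalid": { documentContent: false, staticOnly: false },
  "cdn.example.invalid":     { documentContent: false, staticOnly: true  },
};

function decoded(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// canaries: distinctive strings the tester typed into the app before capturing.
function auditHar(har, appOrigin, canaries, policy = POLICY) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (url.origin === appOrigin) continue;            // the app's own HTML/JS
    const rule = policy[url.hostname];
    const body = (request.postData && request.postData.text) || "";
    if (!rule) {                                       // host not in the stated list
      findings.push({ kind: "unexpected-host", host: url.hostname });
      continue;
    }
    if (rule.staticOnly && (request.method !== "GET" || body.length > 0)) {
      findings.push({ kind: "upload-to-static-host", host: url.hostname });
    }
    const sent = decoded(request.url) + "\n" + body;   // URL and body both count
    for (const canary of canaries) {
      if (!rule.documentContent && sent.includes(canary)) {
        findings.push({ kind: "canary-leak", host: url.hostname, canary });
      }
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET",  url: "https://app.example.invalid/index.html" } },
  { request: { method: "GET",  url: "https://cdn.example.invalid/pdf.js" } },
  { request: { method: "POST", url: "https://license.example.invalid/activate",
               postData: { text: '{"key":"PLACEHOLDER-KEY"}' } } },
  { request: { method: "POST", url: "https://api.mistral.ai/placeholder-path",
               postData: { text: '{"content":"Invoice CANARY-CLIENT-7731"}' } } },
  { request: { method: "POST", url: "https://metrics.example.invalid/c",
               postData: { text: "client=CANARY-CLIENT-7731" } } },
] } };
```

An empty result from `auditHar` means the capture matches the flows stated above; it only covers traffic recorded during that session.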
Backup and export
EI BNC Compta includes a built-in backup export (JSON and PDF). You are responsible for keeping your own backups. Backups are stored on your device; AlfaNest Labs does not receive copies.
If you clear your browser storage without an export, data is permanently lost. This is by design: local-first means you control your data entirely.
Dependency security
Third-party libraries included in the application are reviewed at each release. A Software Bill of Materials (SBOM) is generated as part of the build process. We publish security patches for known vulnerabilities in a reasonable timeframe; see support policy for update terms.
Vulnerability reporting
If you discover a security issue in EI BNC Compta, please report it through our coordinated disclosure process:
Email: security@alfanestlabs.com
Policy: Vulnerability disclosure policy
We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.
EU Cyber Resilience Act (CRA)
EI BNC Compta is sold on the EU market. AlfaNest Labs is working towards full compliance with Regulation (EU) 2024/2847 (CRA) ahead of the December 2027 deadline. Vulnerability reporting obligations under Art. 14 apply from September 2026.
We do not claim CE marking or formal CRA conformity at this time. This page is provided for transparency, in keeping with the spirit of the CRA's requirements.
Contact
For security matters: security@alfanestlabs.com
For general support: contact@alfanestlabs.com
Last updated: May 2026