Compliance

Built for GoBD-relevant requirements. Audit-proof. Immutable.

LedgerLou provides technical functions that support GoBD-relevant requirements: an append-only ledger, cryptographic audit hashes, irreversible period closings and complete document linking are not add-on features but core building blocks of the architecture. Whether a specific set of books is GoBD-compliant in a concrete case additionally depends on the configuration, usage, data completeness and internal controls of the taxpayer.

Append-only ledgerAudit hash (SHA256)Period closingReversal instead of deletionEU data residency10-year retention

What is the GoBD?

The Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff (GoBD) define the German tax authorities’ requirements for electronic bookkeeping systems. They apply to every company that keeps its books in digital form and form the basis for tax audits carried out by the Finanzamt.

The GoBD prescribes:

How postings must be recorded and retained
That subsequent changes must be logged or prevented
What access rights tax auditors have to bookkeeping data
How long records must be retained (10 years)

GoBD requirements and the LedgerLou implementation

1. Immutability and completeness

“Every entry must be made in such a way that it cannot be changed without leaving a trace of the change.” — GoBD margin no. 91

Append-only ledgerThe ledger_events table is technically append-only. A database rule (PostgreSQL trigger) blocks every UPDATE and DELETE on ledger entries — even for database administrators. There is no API endpoint and no admin function to delete or modify postings.

Reversal instead of deletionIncorrect postings are not deleted, but corrected by a reversal entry (offsetting posting). Both entries remain permanently visible in the ledger — the original posting and the reversal correction, each with timestamp and user ID.

Debit = credit validationEvery posting is checked for balanced debit and credit positions before being written. Unbalanced journal entries are rejected by the system — an incomplete entry can never reach the ledger.

2. Traceability and audit trail

“The bookkeeping must be structured in such a way that it enables an expert third party to obtain an overview of the business transactions within a reasonable amount of time.” — GoBD margin no. 30

Cryptographic audit hashEvery ledger_event receives a SHA256 hash over its core fields (amount, accounts, date, description, tenant) at write time. The hash is stored with the entry and can be used to verify data integrity at any time.

Complete timestamp chainEvery posting carries created_at (UTC), booking_date (economic date) and — for reversals — a reference to the original posting ID. Every action is attributed to a user ID or an API key.

Posting originEvery entry records its origin: manual posting (Dashboard or REST API), agentic posting (which key/agent) or imported bank document. The path from document to posting is fully reconstructable.

3. Timeliness of recording

“Cash receipts and cash payments shall be recorded daily.” — GoBD margin no. 47

Postings can be recorded with any economic date (booking_date). The technical recording date (created_at) is stored separately — the time gap between the economic date and when it was recorded is therefore auditable for every entry.

The GoBD requirement for timely recording is considered met when postings are recorded within 10 days of the economic event. LedgerLou does not enforce this deadline technically, but makes it visible and verifiable for every entry through the timestamp comparison.

4. Period closing and period integrity

Irreversible period closingClosed periods (locked) cannot be reopened. There is no API, no admin command and no database operation to unlock them. The database trigger check_period_lock() blocks every attempt to post into locked periods at the database level.

Closing hashOn every period closing, a closing hash is computed: SHA256(tenant_id | period | last_audit_hash). This hash chains the closing to the immutable ledger state at the moment of locking — any subsequent manipulation would invalidate the hash.

P13 / P14 adjustment periodsIn addition to the regular monthly periods, LedgerLou supports the adjustment periods customary in tax law: P13 (balance-sheet adjustments) and P14 (tax corrections). Both are locked independently of the regular monthly period and are tracked separately in the audit log.

5. Document retention and duplicate protection

“Every posting must be based on a document.” — GoBD margin no. 65

Document linkingPostings can be linked directly to uploaded documents (PDF, image). Documents are stored in Hetzner Object Storage (Germany) with an immutable SHA256 content hash. The link between posting and document is persisted in the ledger.

Duplicate protectionEvery uploaded document receives a SHA256 content hash. An identical document cannot enter the ledger a second time — duplicate postings of the same document are technically impossible.

6. Data access for tax auditors (Z1 / Z2 / Z3)

“Upon request, the taxpayer must provide data to the auditor in a machine-evaluable form.” — GoBD margin no. 164

The GoBD defines three access types for tax audits:

Z1Direct read-only access to the systemAuditor API key with read-only scopes for journal, bank and reports

Z2Indirect access — reports on requestREST API endpoints for journal, P&L, balance sheet, BWA, open-item lists and account sheets — all machine-evaluable

Z3Handover on data carrier — export of the bookkeeping dataDATEV export (CSV) and a structured JSON export of all posting data including metadata and audit hashes

7. Retention periods

“Books of account must be retained for 10 years.” — § 257 HGB, § 147 AO

Unlimited ledger retentionLedger entries are never deleted automatically. The append-only model ensures that all postings remain permanently available for the entire lifetime of the tenant. Automatic deletion after retention periods expire is not provided.

Documents in EU object storageUploaded documents (PDFs, images) are stored in Hetzner Object Storage in Germany. Data never leaves the EU at any point. The storage architecture is designed for long-term retention.

8. Data security and tenant isolation

PostgreSQL Row Level SecurityTenant isolation is enforced at the database level through PostgreSQL Row Level Security (RLS). Every query sets the session variable app.current_tenant — rows belonging to another tenant are technically invisible, even in the case of faulty application logic.

EU data residency (Hetzner Germany)Database, Redis, object storage and all AI processing steps run exclusively on Hetzner infrastructure in Germany. AI requests go to the Mistral EU API (api.mistral.ai) — no data leaves the EU.

Scope-controlled accessEvery access — even within a tenant — is restricted to the minimum by the scope system. API keys for tax advisors, agents or integrations receive only the explicitly necessary rights. The admin scope is never delegable via OAuth or MCP.

GoBD compliance overview

ImmutabilityAppend-only trigger on ledger_eventsDatabase

CompletenessDebit = credit validation before every postingApplication

TraceabilitySHA256 audit hash per journal entryDatabase

Period integrityIrreversible closing + closing hashDatabase

Document retentionSHA256 content hash + Hetzner Object Storage DEInfrastructure

Duplicate protectionUnique document hash prevents duplicatesApplication

Timestampscreated_at (UTC) + booking_date stored separatelyDatabase

Data access Z1/Z2/Z3Auditor keys, REST API, DATEV exportApplication

Tenant isolationPostgreSQL Row Level SecurityDatabase

10-year retentionNo automatic deletion, unlimited retentionInfrastructure

EU data residencyExclusively Hetzner Germany + Mistral EUInfrastructure