SuSa Analysis with AI:
Why data protection doesn't have to be a compromise
Tax advisors, controllers, and finance managers face a dilemma: AI tools promise enormous time savings in the analysis of trial balances. But where does the sensitive client data flow?
Why classic AI tools are problematic for tax advisors
The manual analysis of a trial balance takes 30 to 60 minutes, depending on its complexity: identifying anomalies, calculating key figures, and preparing questions for the client meeting. This is repeated for every client.
ChatGPT, Claude, or Gemini could help. But are tax advisors allowed to upload client data to US cloud services at all? The answer is more complex than a simple yes or no.
Legal framework: § 203 StGB and § 62a StBerG
§ 203 StGB: Tax advisors as holders of professional secrets
Tax advisors are among the holders of professional secrets according to § 203 StGB. The unauthorized disclosure of client secrets is a criminal offense and can be punished with imprisonment of up to one year or a fine.
§ 62a StBerG: When IT service providers are permitted
With the “Law on the Reorganization of the Protection of Secrets in the Cooperation of Third Parties” (BGBl. I S. 3618, in force since November 9, 2017), the involvement of IT service providers was regulated:
- Domestic service providers (§ 62a Para. 1-3 StBerG): Access to client data permitted without consent if required for the service. The prerequisite is a contract in text form with a confidentiality obligation.
- Foreign service providers (§ 62a Para. 4 StBerG): Access only permitted if the level of protection abroad is comparable to that in Germany. The Chamber of Tax Advisors recommends explicit client consent for foreign service providers.
Practical note: With US AI providers (OpenAI, Anthropic, Google), it is difficult to verify a comparable level of protection in accordance with Section 62a (4) StBerG. Many chambers of tax advisors therefore recommend obtaining the client’s express consent or refraining from transferring data. With EU providers such as Mistral, the third-country problem in data protection does not apply, but here too, Section 62a remains an independent test criterion.
GDPR and Schrems II: Data transfer to the USA
The transfer of personal data to the USA has been legally complex since the Schrems II ruling by the ECJ (July 2020). Even with the EU-US Data Privacy Framework (July 2023), residual risks remain for particularly sensitive data.
The solution: SuSa Analysis with auraHub
With auraHub, we use an AI platform that solves exactly this problem. The solution runs on a German server and enables the secure use of various AI models. We have configured the “SuSa Analysis” micro app specifically for the evaluation of trial balances.
Data protection in detail
| Aspect | Details |
|---|---|
| Server location | Germany (data center) |
| File storage | Automatic deletion of temporary files after processing |
| Conversations | No permanent storage of conversation content |
| Transfer | HTTPS encryption (TLS 1.3) |
| GDPR | EU server location as a basis; full GDPR compliance also rests on the data processing agreement, technical and organizational measures (TOMs), and a documented deletion concept |
| On-premises | Installation on your own servers possible |
AI providers in comparison: Who uses my data for training?
auraHub supports four leading AI providers. The most important question for tax advisors: Is my data used for training the AI models? Here are the facts (as of January 2025):
| Provider | Training | Storage period | Location / § 62a assessment |
|---|---|---|---|
| OpenAI | No (since 3/2023) | 30 days | USA (EU Data Residency available for Enterprise) → consent recommended |
| Anthropic | No (API) | 30 days | USA (regional processing possible, storage in USA) → consent recommended |
| Mistral | No (standard) | 30 days | EU (France) → third-country issue eliminated, § 62a remains a checkpoint |
| Google | No (paid API) | 55 days | USA/EU (depending on the product) → consent recommended |
Recommendation for compliance-oriented use: With Mistral, a European AI provider is available. The servers are located in France, and data processing is carried out within the EU by default. This eliminates the third-country problem in data protection. However, for Section 62a of the German Tax Advisor Act (StBerG), the “comparable level of protection” assessment criterion remains relevant. If you are unsure, client consent is recommended even for EU providers.
What does the storage period mean? The API providers temporarily store requests for abuse detection (Abuse Monitoring). This data is used exclusively for security purposes, not for model training, and is automatically deleted after the specified period.
How the SuSa analysis works
- DATEV Export: Export SuSa as CSV (SKR03 or SKR04)
- Upload: Upload file to auraHub
- Analysis: AI evaluates the data
- Result: Structured evaluation in seconds
What the analysis delivers
Executive Summary
A compact summary of the most important findings in three to five sentences.
Key figures with traffic light system
- Liquidity ratios (1st, 2nd, 3rd degree)
- Equity ratio
- Revenue development
- Receivables and liabilities structure
- Personnel expense ratio
Anomaly detection
- Unusual balance changes
- Conspicuous account developments
- Potential posting errors
Questions for the client meeting
Automatically generated checklist with specific questions about conspicuous items.
For whom is the AI-supported SuSa analysis suitable?
- Tax advisors and tax firms: Quick preparation for client meetings
- Controllers: Monthly evaluations in minutes instead of hours
- CFOs and Finance Directors: Executive summaries for management
- Auditors: Initial plausibility check
- Management consultants: Quick company analysis during due diligence
Frequently asked questions about SuSa analysis with AI
Are tax advisors allowed to use AI for client data?
Yes, under certain conditions. Since the amendment of § 62a StBerG in 2017, tax advisors may involve IT service providers if a contract in text form with a confidentiality obligation exists. For foreign providers (e.g. from the USA), the Chamber of Tax Advisors additionally recommends client consent. The most legally secure option is the use of an EU provider such as Mistral.
Is my data used for AI training?
When using APIs (rather than the free web interfaces), your data is not used by default for model training by the providers mentioned. OpenAI has excluded this for API use since March 2023, as have Anthropic and Mistral. The data is temporarily stored for security monitoring (abuse monitoring) and then automatically deleted. Deviating regulations may apply to feedback functions or specific features. Please check the respective terms of use.
What is the difference between ChatGPT and the API?
The free ChatGPT web interface may use user data for model training (opt out possible). The paid API, which is used by platforms such as auraHub, generally does not use your data for training. In addition, the API offers shorter storage periods and the option of Zero Data Retention.
How long will my data be stored by the AI providers?
The storage period varies: OpenAI stores API data for 30 days, Anthropic also for 30 days, Mistral for 30 days, and Google for 55 days. This storage is used exclusively for abuse detection. After that, the data is automatically deleted. All providers offer Zero Data Retention options for enterprise customers.
Which AI provider is best suited for tax advisors?
From a data protection perspective, Mistral offers advantages: The French company operates its servers in the EU by default and is subject to the GDPR. This eliminates the third-country problem. However, please note: § 62a StBerG is an independent professional standard. In case of uncertainty, many chambers recommend obtaining client consent even with EU providers. For pure analysis quality, all four providers deliver comparably good results.
Can I operate the SuSa analysis on my own server?
Yes, auraHub can be installed as an on-premises solution on your own servers. In this case, the data only leaves your infrastructure for communication with the AI provider of your choice. Alternatively, we offer a hosted solution on German servers.
What does the SuSa analysis with auraHub cost?
We offer various license models for individual firms and larger tax consulting companies. Contact us for an individual offer. A demo of the SuSa analysis is free of charge.
Do all providers offer Zero Data Retention (ZDR)?
ZDR is available depending on the provider, contract, and product, but is not automatically active. OpenAI offers ZDR for Enterprise and certain API configurations. Google stores data for 55 days by default with the Gemini API for abuse monitoring; true ZDR requires separate agreements in the Vertex AI context. Similar arrangements apply to Mistral and Anthropic. If ZDR is important for your firm, clarify the exact conditions directly with the provider or run auraHub on your own servers.
AI for tax advisors without data protection compromises
One hour of manual work becomes one minute with AI. And that without compromising on data protection.
The three most important points: (1) API data is not used for training by default with the providers mentioned. (2) With Mistral, an EU provider is available, eliminating the third-country problem in data protection. (3) auraHub runs on German servers with automatic data deletion. For maximum compliance, documented client consent is additionally recommended for sensitive client data.
The combination of a German server, automatic data deletion, and the option of an EU provider makes auraHub a data protection-compliant alternative to ChatGPT and Co.
Request a demo now
Would you like to see the SuSa analysis in action? We will show you in 15 minutes how the micro app works and answer your questions about data protection and compliance.