VAT Compliance Suite
Documentation · Last updated May 2026
Overview
VAT Compliance Suite is a Business Central extension that automates EU VAT number validation, prevents risky postings, and stores tamper-evident audit proof for every validation. It also includes Privacy & GDPR Assessment for scanning your BC data model for PII risks.
The extension communicates with the Vatidator API (hosted on Microsoft Azure, EU West Europe), which queries official VAT registries and national company registers and returns a structured validation result with a unique proof identifier.
Installation
- Open your Business Central environment and go to Extension Management.
- Install the signed VAT Compliance Suite extension package provided during onboarding (or, once published, directly from Microsoft AppSource).
- Follow the installation wizard to complete the install.
- After installation, navigate to VAT Validation Setup to configure the extension.
Minimum requirement: Business Central 2026 Wave 1 (application 28.0.0.0) or later.
Initial Setup
Navigate to VAT Validation Setup (search in BC). Fill in:
- API URL - provided in your welcome email (e.g. https://vat-api.vatidator.com)
- Bearer Token - your subscription license key
- Posting Block - Customers - enable to block sales postings for invalid/unchecked VAT numbers
- Posting Block - Vendors - enable to block purchase postings
- Stale After (Days) - number of days after which a validation result is considered stale (default: 90)
- Bulk Batch Size - how many VAT numbers are sent to the registry per request during bulk validation (default: 10, range: 5-20). This controls chunk size only - you can bulk-validate any number of customers or vendors; larger sets are simply processed in more batches.
Single Validation
On any Customer Card or Vendor Card, use the Validate VAT action in the ribbon. The result (Valid / Invalid / Unchecked) appears in the VAT Status field with the last validation date and company name returned by the registry.
Bulk Validation
From the VAT Validation Dashboard, use:
- Validate Unchecked - validates all entities with no previous result
- Validate Stale - re-validates entities where the result is older than the Stale After threshold
- Validate Selected - validate only selected rows in the Customer List or Vendor List
Bulk runs are tracked in the Bulk Run Log with start time, record count, status (Completed / Partial / Failed), and per-batch progress. A Partial status means some batches succeeded before an error - re-running will process only the remaining unchecked entities.
Posting Block
When enabled, the posting block fires on Sales and Purchase posting events. If the counterparty's VAT number is Invalid, Unchecked, or Stale (configurable), the posting is stopped with an error message. The posting block is configurable per entity type (Customer / Vendor) and can be disabled for Credit Memo flows if needed.
Audit Log & Proof Records
Every validation generates a Proof Record with:
- Unique Proof ID
- VAT number and country
- Validation result (valid / invalid / error)
- Company name and address as returned by the registry
- Timestamp
- Source registry (VIES, HMRC, etc.)
Proof records are accessible via the VAT Proof Viewer page and are retained according to your plan (12 months: Starter / 5 years: Professional / custom: Enterprise).
Stale Detection
A validation result becomes "Stale" when it is older than the configured Stale After (Days) threshold. Stale entries are highlighted in the dashboard and are included in the "Validate Stale" bulk action. The posting block can be configured to treat Stale the same as Unchecked.
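The following added example (not part of the extension or its documentation) dry-runs the Posting Block and Stale Detection rules described above, so you can see which entities would be stopped before you enable the block. The row layout, the `BlockPolicy` field names and the sample data are assumptions constructed for illustration; "older than" is read as strictly more than the threshold in days.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BlockPolicy:            # hypothetical mirror of the setup fields
    block_customers: bool = True
    block_vendors: bool = False
    stale_after_days: int = 90        # page default
    stale_blocks: bool = True         # treat Stale the same as Unchecked
    exempt_credit_memos: bool = False

def effective_status(status, last_validated, today, stale_after_days):
    """Map a stored result to Valid / Invalid / Unchecked / Stale."""
    if status == "Invalid":
        return "Invalid"               # blocks regardless of age
    if status != "Valid" or last_validated is None:
        return "Unchecked"
    # "older than" the threshold: exactly N days old is still current
    age = (today - last_validated).days
    return "Stale" if age > stale_after_days else "Valid"

def would_block(row, today, policy):
    """Return (blocked, reason) for one constructed export row."""
    no, entity, doc_type, status, last_validated = row
    enabled = policy.block_customers if entity == "Customer" else policy.block_vendors
    if not enabled:
        return False, "block disabled for " + entity
    if doc_type == "Credit Memo" and policy.exempt_credit_memos:
        return False, "credit memo exempt"
    eff = effective_status(status, last_validated, today, policy.stale_after_days)
    if eff in ("Invalid", "Unchecked") or (eff == "Stale" and policy.stale_blocks):
        return True, eff
    return False, eff

def dry_run(rows, today, policy):
    """List the entity numbers whose next posting would be stopped."""
    return [r[0] for r in rows if would_block(r, today, policy)[0]]

# Constructed sample rows: (no, entity type, document type, status, last validated)
SAMPLE = [
    ("C001", "Customer", "Invoice", "Valid", date(2026, 4, 1)),
    ("C002", "Customer", "Invoice", "Valid", date(2026, 1, 10)),
    ("C003", "Customer", "Invoice", "Unchecked", None),
    ("C004", "Customer", "Credit Memo", "Invalid", date(2026, 5, 1)),
    ("V001", "Vendor", "Invoice", "Invalid", date(2026, 5, 1)),
]

if __name__ == "__main__":
    today = date(2026, 5, 15)
    for row in SAMPLE:
        print(row[0], would_block(row, today, BlockPolicy()))
```

Comparing the strict policy with one where Stale does not block and Credit Memos are exempt shows how many counterparties each relaxation lets through.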
Job Queue - Scheduled Re-validation (Premium)
On Premium, scheduled re-validation runs through the standard Business Central Job Queue. Set up a recurring Job Queue Entry for VAT Compliance Suite (for example, nightly) and it automatically re-validates all Unchecked and Stale entities on your chosen schedule, keeping VAT data current with no manual effort.
Privacy & GDPR Assessment - Overview
The Privacy Assessment module scans your Business Central data model (tables, fields, pages) for PII-sensitive fields, missing UI protection (masked/hidden fields), and API exposure risks. It generates a scored risk report with a finding list categorised by severity (High / Medium / Low).
Assessment is design-time only - it does not scan live data records, does not export data, and does not guarantee GDPR compliance. It is a risk indicator tool to support your compliance programme.
Running a Privacy Scan
- Navigate to Privacy Assessment Setup and enter your API URL and Bearer Token.
- Open Privacy Assessment Overview.
- Click Run Assessment Now.
- When complete, the Risk Score and finding summary are updated. Click View Findings to see the full list.
Interpreting Findings
Each finding contains:
- Severity - High / Medium / Low
- Entity - the table and field involved
- Finding type - e.g. "PII field without UI masking", "API-exposed sensitive field"
- Remediation suggestion - actionable guidance (Professional plan)
Use the Show High Only filter to focus on critical findings first.
Supported Countries
| Country / Region | Registry | Notes |
|---|---|---|
| All EU member states | VIES | Official EU VAT system |
| GB (Great Britain) | HMRC | Post-Brexit, separate registry |
| XI (Northern Ireland) | VIES | Brexit protocol |
| NO (Norway) | National registry | Non-EU EEA |
| CH (Switzerland) | National registry | Non-EU |
| BR (Brazil) | National registry | Company tax ID (CNPJ) |
FAQ
Does the extension modify standard BC objects?
No. It is a clean-core per-tenant extension (PTE) built on standard Business Central APIs. No standard objects are modified.
Is data sent outside my BC environment?
Only VAT numbers and country codes are sent to the Vatidator API for registry queries. No customer names, addresses, or financial data leave your BC environment. The API is hosted on Microsoft Azure, EU West Europe.
What happens if VIES is unavailable?
The service automatically retries transient registry errors. If a registry stays unavailable, the affected records are marked accordingly and the bulk run is flagged Partial; re-running retries only the failed records.
Can I use the extension without an internet connection?
No. Live validation requires connectivity to the Vatidator API and official registries. Cached results (already validated records) remain accessible offline.