1. Overview
Vatidator is a B2B SaaS extension for Microsoft Dynamics 365 Business Central and Salesforce CRM that validates business tax identifiers against official tax authority registries and approved external validation data sources (such as VIES for EU member states, HMRC for the United Kingdom, Brreg for Norway, the Swiss UID Register, and BrasilAPI for Brazil). This policy describes how we protect customer data and operate our service securely.
This document is intended for IT security and procurement teams reviewing Vatidator for use in their organization.
2. Data We Handle
Vatidator is not designed to process consumer or end-user data. The service may process limited business contact or tax data if it is present in the customer's ERP/CRM systems or returned by external registries.
| Data type | Examples | Sensitivity | Source |
|---|---|---|---|
| Tax identifiers (VAT, USt-IdNr., Qualified Invoice Issuer Number, etc.) | HU12892312, DE811569869 | Business identifier; may be personal data for sole traders or natural persons acting in a business capacity | BC/SF customer records (your ERP/CRM) |
| Customer/vendor names | "BMW AG", "IKEA Magyarország Kft" | Business data; may include personal data in sole-trader cases | Your ERP/CRM records |
| Registered addresses | "Sepapaja tn 6, Tallinn" | Business registry data; may be personal data in sole-trader cases | Returned by official registries |
| Validation timestamps | 2026-06-22T15:11:59Z | Operational metadata | Generated by Vatidator |
| Proof hashes | SHA-256 of registry response | Audit/security metadata | Generated by Vatidator |
| Tenant identifier | Anonymous UUID | Pseudonymous operational identifier | Bearer token mapping |
Out of scope (we do not collect):
- Consumer / end-user personal data
- Financial data (payment information, account numbers)
- Document contents (invoice lines, contracts, payment terms)
- Login credentials of your users
Where data qualifies as personal data under GDPR (for example for sole traders), Vatidator processes it only for the purpose of tax validation, audit evidence generation, and service operation, in accordance with the applicable Data Processing Agreement.
3. Roles under GDPR
Vatidator typically acts as a data processor for the customer's tax-validation activity, with the customer acting as the data controller. The customer determines whose VAT/tax identifiers are validated and for what business purpose.
Vatidator may act as a data controller for limited activities related to the operation of the service itself, including:
- Account, billing, and contact data
- Security event logs and audit data for fraud / abuse prevention
- Aggregated, non-personal service-usage metrics
A Data Processing Agreement (DPA) reflecting these roles is available to customers on request.
4. Data Residency & Infrastructure
| Component | Provider | Region | Purpose |
|---|---|---|---|
| API backend | Microsoft Azure App Service | EU (West Europe) | Validation API endpoints |
| Database | Microsoft Azure Database (PostgreSQL) | EU (West Europe) | Audit logs, proof records, tenant mapping |
| Container registry | Microsoft Azure Container Registry | EU | Application image storage |
| CDN / DNS | Cloudflare | Global (anycast) | Public marketing site only |
| Estonia HQ | Vatidator OÜ, Sepapaja tn 6, 15551 Tallinn | EU | Legal entity, billing |
Application hosting, primary database, and audit storage are located in the EU. Customer audit records and proof data are stored in EU-based Azure regions.
Registry-query destinations may include non-EU jurisdictions. For validation purposes, Vatidator may transmit the minimum required tax identifier and country code to the relevant official or publicly available tax/business registry. Some registries are located outside the EU/EEA, for example, HMRC in the United Kingdom, the Swiss UID Register, Brreg in Norway, or BrasilAPI in Brazil, where the customer has enabled validation for those jurisdictions. Such queries are limited to the data required to perform the validation; details are listed in the Sub-processor and External Registry Disclosure.
5. Data Minimization
When querying external registries, Vatidator transmits only the minimum data required for validation. Specifically:
- The tax identifier (e.g.
HU12892312) - The country code (e.g.
HU) - Where required by the registry, a minimal authentication token issued to Vatidator (not the customer's credentials)
Vatidator does not transmit to external registries:
- Invoice line items, document contents, or amounts
- Payment data or financial information
- Customer-internal document references (these stay within the Vatidator audit log only)
- Login credentials of the customer's users
6. Encryption
| In transit | TLS 1.2 or higher on all HTTPS endpoints. HTTP redirects to HTTPS. Internal Azure traffic encrypted by Azure's managed networking. |
| At rest | AES-256 encryption on Azure Database (Transparent Data Encryption). Application backups encrypted at storage layer. |
| Secrets | API tokens are generated using cryptographically secure random values and stored only as one-way hashes, never in plaintext. API keys for upstream services are held in Azure App Service configuration, with a planned migration to Azure Key Vault as the platform matures. |
7. Access Control
Customer-side multi-tenant isolation:
- Each customer is identified by a unique Bearer token issued by Vatidator
- All API requests must include the Bearer token in the
Authorizationheader - Tenant ID is derived server-side from the token, customers cannot impersonate each other
- Audit log entries are scoped to the issuing tenant
Tracking headers (BC and Salesforce extensions):
The Vatidator BC and Salesforce extensions attach diagnostic headers to outbound HTTP requests:
X-BC-Tenant-Id/X-SF-Org-Id, your environment identifier (sent by the extension itself)X-BC-Environment/X-SF-Environment, Production or Sandbox indicatorX-BC-Ext-Version/X-SF-Ext-Version, extension version
These headers are used for traceability and diagnostics only, they are not used as the sole basis for authentication or authorization. The Bearer token remains the only authentication mechanism.
Internal-side staff access:
- Founder-only access during the current early-stage operations phase
- No shared accounts
- Azure RBAC with least privilege for any future contractors
- SSH/RDP access to production is disabled (Azure App Service is managed)
8. Audit Logging & Evidence
Every validation request generates an audit log entry containing:
- Timestamp (UTC)
- Tax identifier queried
- Tenant identifier
- Result (Valid / Invalid / Service Unavailable)
- Authority that responded (VIES, HMRC, etc.)
- SHA-256 hash of the full registry response (tamper-evident proof)
- Document context (Invoice ID, Order ID) when supplied by the extension
Audit records are append-only at application level and protected by tamper-evident hashing, entries are not updated or deleted through normal application logic, and the hash makes any post-hoc modification to a registry response detectable.
For enterprise plans, immutable blob storage and/or external timestamping (such as eIDAS-qualified time-stamps) may be enabled on the roadmap as a stronger non-repudiation guarantee.
Customers can retrieve audit log entries through the BC/Salesforce extension UI, exported reports, or authenticated API endpoints, direct database access is never granted to customers.
Retention: Audit log entries are retained for the duration of the customer subscription plus 7 years, unless a different retention period is agreed in the customer contract or required by applicable law. Customers may request earlier deletion via written notice, subject to legal retention obligations.
9. Logging Policy (Application & Operational Logs)
Vatidator's application and operational logs are designed to support debugging and security investigations without exposing sensitive material:
- Authentication tokens are never logged in plaintext, only token-fingerprint identifiers are logged (where logging at all)
- Sensitive HTTP headers (
Authorization, custom credentials) are redacted from request logs - Failed validation attempts may be logged with tenant identifier and timestamp for abuse detection, without exposing failed-payload credentials
- Logs containing operational metadata are retained per Azure Log Analytics default retention; longer retention available on enterprise plans
- Logs are accessible only to authorized Vatidator staff (currently founder-only)
10. Sub-processors and External Registries
See Sub-processor and External Registry Disclosure for the current list of:
- True sub-processors (Azure, Cloudflare, etc.) that process customer data under our DPA
- External validation registries (VIES, HMRC, Brreg, UID Register, BrasilAPI) that Vatidator queries on behalf of customers, these are independent data controllers, not sub-processors
We notify customers of material sub-processor changes via email and on the disclosure page at least 30 days before the change takes effect.
11. Incident Response
| Event type | Initial response target | Customer notification |
|---|---|---|
| Suspected critical security incident | 4 hours | As soon as material impact is confirmed |
| Confirmed personal data breach affecting customer data | 4 hours | Without undue delay, target within 24 hours |
| Service outage >1 hour | 1 hour | Via status page and email where applicable |
| Sub-processor incident affecting Vatidator | 24 hours | As applicable per impact |
Incident contact: [email protected]
GDPR breach notification:
Where Vatidator acts as a data processor, we notify the affected customer (acting as controller) of a personal data breach without undue delay after becoming aware of it. The customer (as controller) is then responsible for any required notification to the competent supervisory authority and to data subjects, per GDPR Article 33–34.
Where Vatidator acts as a data controller for the affected processing activity, we notify the competent supervisory authority, where required by GDPR, without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The competent supervisory authority is determined by applicable lead supervisory authority rules and may include the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
12. Compliance & Maturity Roadmap
Vatidator operates as an early-stage B2B SaaS provider with security controls appropriate to its current scale and risk profile. Our security program is designed to mature progressively as customer requirements and platform scale increase.
Current early-stage operations:
- GDPR-aware data handling with a Data Processing Agreement available on request
- EU-based hosting and audit storage for Vatidator-managed customer data
- Tenant-scoped access controls and authenticated API access
- Tamper-evident audit logging using cryptographic hashes
- Documented incident response and recovery procedures
Planned security maturity roadmap:
- Migration of secrets to Azure Key Vault
- Formal security control register
- Annual external penetration testing
- SOC 2 Type 1 readiness assessment
- SOC 2 Type 2 audit
- ISO 27001 certification evaluation
- Immutable audit storage and/or eIDAS-qualified timestamping for enterprise plans
We do not currently hold SOC 2 or ISO 27001 certification. Customers requiring these certifications may request our current security controls summary, risk assessment, and maturity roadmap for procurement review.
13. Vulnerability Disclosure
We welcome reports of security vulnerabilities through our Vulnerability Disclosure Policy.
Coordination contact: [email protected]
14. Business Continuity
- Infrastructure runs on Microsoft Azure App Service in a paid production tier. Microsoft publishes availability SLAs for eligible App Service configurations; Vatidator's own customer SLA, where applicable, is defined in the applicable service agreement.
- Database point-in-time restore is enabled (Azure-managed, 7-day window for daily operational recovery).
- Long-term audit records are retained separately from operational backups, per Section 8.
- Application code, infrastructure-as-code, and database schema are version-controlled in private Git repositories.
- Founder maintains a documented runbook for service recovery.
Internal recovery objectives (not constituting a contractual SLA unless explicitly included in the customer agreement):
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
15. Contact
For security questions, procurement reviews, or to request a Data Processing Agreement:
- Security disclosures:
[email protected] - General inquiries:
[email protected] - Legal entity: Vatidator OÜ, Sepapaja tn 6, 15551 Tallinn, Estonia. Registry code 17526048.
This policy is reviewed at least annually and updated whenever there is a material change in our security posture, sub-processor list, or external registry coverage.