Q&A - Response

  1. Which modalities do you support today (A/B/C/D)? Which do you recommend for fuel retail and why?
    • Response: We primarily support Modality A (Remote API) through our intermediary server. For fuel retail, we recommend a hybrid of Modality A and B.
    • Why: This allows your developers to generate XML and QR codes locally for B2C invoices (ensuring 100% uptime in remote areas) while using our Remote API to sync those invoices to ZATCA within 24 hours. For B2B, it ensures live, synchronous clearance via the gateway.
  2. Where can you host the gateway? Can you host in KSA?
    • Response: Yes. The intermediary server is hosted on Oracle Cloud Infrastructure (OCI) with data centers located in Riyadh or Jeddah. This ensures full compliance with KSA data residency requirements and provides a high-performance, in-kingdom access point for fiscal records.
  3. How do you manage certificates/keys? How is rotation handled?
    • Response: Onboarding is performed via our portal, where users set up their intermediary server instance on OCI. We recommend storing certificates and keys on the gateway (OCI intermediary server) to simplify station management and avoid duplicating sensitive keys across multiple mPOS devices. Rotation and credential management are handled through the OCI-hosted portal interface.
  4. How do you guarantee B2C reporting within 24h if connectivity is lost for hours?
    • Response:Compliance is guaranteed through a decoupled workflow. Your local POS Server will generate the XML and QR data immediately so the sale can proceed even with "on-and-off" internet. Our API handles "Waiting for Response" and "Pending" states; once connectivity is restored, the system syncs the queued invoices to the OCI intermediary server, which manages the final submission to ZATCA.
  5. What is your observed latency for B2B clearance? What do you recommend operationally?
    • Response:The system posts B2B invoices to ZATCA immediately upon receipt. Hosting on OCI in Riyadh/Jeddah minimizes local latency.
    • Recommendation: Since B2B requires live clearance (we have removed the deferred model per your instruction), the POS must have a stable connection at the time of the B2B transaction. If ZATCA returns a 503 error, the API provides a UUID and status to track the request until clearance is confirmed.
  6. How do you handle rejections and corrections? What is the reprocessing workflow?
    • Response: If ZATCA rejects an invoice, the API returns an "Error" status with full response details. For corrections, we support Credit/Debit Notes by setting the is return flag to 1, which automatically links the return to the original invoice via the return_against field.
  7. What logs/evidence do you keep, where, and for how long? How can we export them?
    • Response:We generate and store XML, QR, PDF/A-3 invoices with embedded machine-readable XML. These are archived on the OCI servers in Riyadh/Jeddah for long-term preservation and auditability. You can export these records via API or download links for specific invoice numbers or date ranges.

      • we have implemented the following incremental backup and retention policy:

      Daily: Incremental, 7 days retention.
      Weekly: Incremental, 1 month retention.
      Monthly: Incremental, 1 year retention.
      Yearly:Incremental, 5 years retention
  8. What is your upgrade policy? Can upgrades be performed without station downtime?
    • Response: We follow semantic versioning for our APIs. Because the core ZATCA logic resides on the OCI-hosted Remote API (Gateway), we can perform compliance updates on the server side without requiring downtime or updates to your local POS software.
  9. Do you support multi-tenant + multi-store + multi-device management?
    • Response: Yes. The system uses the custom_user_invoice_number to track unique transactions across different stores and devices. It also supports the automatic creation of customers and items if they do not already exist in the intermediary system.
  10. What are your security certifications / practices (if any)?
    • Response: We use TLS for all network traffic and provide a tamper-evident audit trail by storing full ZATCA response payloads and UUIDs. By utilizing OCI in KSA, we leverage Oracle's robust security infrastructure for the intermediary gateway.
Discard
Save
Draft
Was this article helpful?

Previous Page

Left

Next Page

Right

On this page

Review Changes ← Back to Content
Message Status Space Raised By Last update on