UAE-grade compliance. Built by people who read the actual regulations.
PINT AE 1.0, Peppol DCTCE, XAdES-BES, FTA Corner-5 reporting — implemented end-to-end. This page is the honest version: what we conform to today, where we are in the accreditation queue, and what we will not claim until the certificates are in our hands.
Standards we conform to.
The five specifications below define UAE e-invoicing. Every invoice that leaves Fincore is built against all of them — not "mostly", not "soon".
PINT AE 1.0
UBL 2.1 syntax · Peppol BIS Billing 3.0 base · UAE localisation (TRN, Emirate codes, AED tax breakdowns, Arabic descriptions).
Peppol DCTCE 5-corner
Decentralised Continuous Transaction Controls and Exchange. Sender AP → Receiver AP → FTA reporting corner, end-to-end signed.
XAdES-BES digital signature
XML-DSig with X.509 certificates pinned to the issuing TRN. Enveloped signature, SHA-256 digest, RSA-2048 minimum.
FTA Corner-5 reporting
Real-time reporting payloads to the FTA platform on every cleared invoice, credit note, and debit note. Acknowledgement persisted per document.
UAE VAT — Cabinet Decision 106/2025
Mandate scope, record-keeping, and penalty regime fully encoded into the product. Wave 1 (Jan 2027) onwards.
Where we are in accreditation.
No theatre. If a row says "in progress", we mean the application is filed and the auditor is booked. If it says "blocked", we tell you what the blocker is.
| Programme | Status | Target | Notes |
|---|---|---|---|
| FTA ASP accreditation | In progress | H1 2027 | Application track active. Wave 1-ready by Jan 2027. |
| OpenPeppol AP certificate | Pending | Q4 2026 | Awaiting UAE entity incorporation (Ajman Free Zone). |
| SMP registration | Blocked | Q4 2026 | Blocked on AP certificate — auto-unblocks on Peppol issuance. |
| ISO/IEC 27001:2022 | Audit prep | Q1 2027 | ISMS scoped. Stage 1 audit booked. Statement of Applicability v0.4. |
| ISO 22301 (BCP) | Drafting | Q2 2027 | Documentation phase. RTO/RPO targets locked: 4h / 15min. |
| SOC 2 Type II | Planned | Post-GA | Observation window starts after general availability. |
We will update this table the day each status changes. If a target slips, we say so here first.
UAE-resident, with a sovereign-mode plan.
During the pilot, tenant data lives in Railway's us-west2 region — chosen for operational maturity while we cut the production switchover.
A sovereign-mode toggle is on the roadmap for general availability: it pins all primary data, backups, and key material to Azure UAE Central. Pilot customers can opt in at GA at no additional cost.
Today (pilot)
Railway us-west2. Encrypted at rest, daily backups, 15-minute PITR window.
At GA (planned)
Azure UAE Central. Customer-managed keys via Azure Key Vault. Cross-region DR within UAE.
What's in the platform today.
The controls below are live in production code — not aspirational.
HMAC-signed webhooks
Every outbound event carries an HMAC-SHA256 signature with a rotating tenant secret. Replay window: 5 minutes.
Encrypted at rest + in transit
AES-256 at rest via managed Postgres. TLS 1.3 in transit. Customer secrets sealed with envelope encryption.
Tenant-scoped rate limiting + audit log
Per-tenant token buckets. Immutable audit log on every state change — invoice, user, key, webhook.
Better Auth sessions
Rotating opaque session tokens, HTTP-only secure cookies, optional UAE Pass OIDC for production tenants.
Cabinet Decision 106/2025 — what non-compliance costs.
Penalty figures published by the FTA. Our penalty radar surfaces the at-risk documents before the fines do.
| Offence | Fine |
|---|---|
| Failure to issue e-invoice / e-credit note | AED 5,000 per document |
| Failure to transmit on time (per document) | AED 100 (capped AED 5,000 / month) |
| Failure to implement e-invoicing system | AED 60,000 per year |
| Failure to keep records / archives | AED 10,000 – 20,000 |
| Submission of incorrect data | AED 500 – 5,000 per document |
| Repeat offence (within 24 months) | Doubled, up to applicable cap |
Figures sourced from the UAE Cabinet Decision 106/2025 administrative penalty schedule. BlueWhale Fincore Standard (AED 99/mo) pays for itself the first time it stops a single AED 5,000 late-transmission cap from hitting.
Frequently asked compliance questions.
Are you FTA-accredited today?+
No. We are on the FTA ASP accreditation track with a target of H1 2027 — comfortably ahead of the Wave 1 mandate in January 2027. We will not claim accreditation until the certificate is issued. Until then, the platform is built strictly to PINT AE 1.0 and Peppol BIS 3.0, so a customer onboarded today will be Wave 1-ready on day one of accreditation.
Do you hold a Peppol Access Point certificate?+
Not yet. The Peppol AP application is pending UAE entity incorporation (Ajman Free Zone, in progress). Until our AP is live, we route through a partner-accredited AP under a transit agreement — your documents still travel the certified 5-corner path.
Where is my data stored?+
Production data is hosted in Railway us-west2 during the pilot. A sovereign-mode toggle is planned for general availability that pins all tenant data to Azure UAE Central. Pilot tenants can request sovereign mode at GA at no extra cost.
What happens to my invoices if BlueWhale Fincore goes away?+
Every cleared invoice, signed XML, and FTA acknowledgement is exportable as a portable archive (UBL XML + PDF/A-3 + manifest JSON) at any time. There is no lock-in on the data layer.
How do you handle Arabic-language invoices and TRN validation?+
Arabic descriptions, supplier names, and addresses are first-class fields in PINT AE — not afterthoughts. TRNs are validated against the FTA registry format and check-digit at issue time, with a soft warning if the registry lookup is unreachable.
Talk to our compliance lead.
Architecture diagrams, SoA drafts, sample PINT AE payloads, security questionnaires — whatever your procurement team needs. One human, one inbox.
compliance@bluewhalefincore.com