Security & Compliance
The Heirs E-Invoicing Middleware is built to meet FIRS e-invoicing mandates and Nigerian financial services data protection requirements.
FIRS Compliance
Every invoice transmitted through the middleware conforms to FIRS requirements:
| Requirement | How it's met |
|---|---|
| Unique Invoice Reference Number (IRN) | Auto-generated by the middleware before transmission |
| Digital signature | Applied before transmission using the tenant's registered FIRS-issued PEM certificate and public key |
| Approved format | Invoices are transmitted in FIRS-mandated UBL 2.1 XML |
| Real-time reporting | Invoices are transmitted to FIRS at the time of signing |
| Audit trail | Every invoice event is logged immutably |
Digital Signatures (PEM Credentials)
Each tenant must upload a PEM-format certificate and public key issued by FIRS or a FIRS-accredited Certificate Authority. These are used to digitally sign every invoice before transmission.
```json
{
  "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
  "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
```
Credentials are uploaded via PUT /v1/tenants/{tenantId}/firs-credentials and stored encrypted at rest.
:::caution Certificate expiry
Monitor your certificate's expiry date. Transmissions will fail with expired certificates. Rotate before expiry via the same endpoint.
:::
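Because an expired or mismatched credential bundle only surfaces as a failed transmission, it is worth checking the files before they are uploaded. The Go program below is an added example written for this page (not the middleware's own code): it parses both PEM blocks, verifies that the uploaded public key is the one embedded in the certificate, and refuses a certificate that is not yet valid, already expired, or inside a rotation window. The self-signed certificate it mints is a constructed stand-in so the check runs offline; the 30-day lead time is an assumption, not a FIRS or platform requirement.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FIRSCredentials is the JSON body of PUT /v1/tenants/{tenantId}/firs-credentials.
type FIRSCredentials struct {
	Certificate string `json:"certificate"`
	PublicKey   string `json:"publicKey"`
}

// CheckCredentials parses both PEM blocks, confirms the uploaded public key is the one
// embedded in the certificate, and fails if the certificate is not yet valid, expired,
// or expires within rotateBefore of now. NotAfter is returned so rotation can be scheduled.
func CheckCredentials(c FIRSCredentials, now time.Time, rotateBefore time.Duration) (time.Time, error) {
	certBlock, _ := pem.Decode([]byte(c.Certificate))
	if certBlock == nil || certBlock.Type != "CERTIFICATE" {
		return time.Time{}, errors.New("certificate: expected a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(certBlock.Bytes)
	if err != nil {
		return time.Time{}, fmt.Errorf("certificate: %w", err)
	}
	keyBlock, _ := pem.Decode([]byte(c.PublicKey))
	if keyBlock == nil || keyBlock.Type != "PUBLIC KEY" {
		return cert.NotAfter, errors.New("publicKey: expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(keyBlock.Bytes)
	if err != nil {
		return cert.NotAfter, fmt.Errorf("publicKey: %w", err)
	}
	// *ecdsa.PublicKey, *rsa.PublicKey and ed25519.PublicKey all implement Equal, so the
	// parsed keys are compared rather than PEM text; this catches a key/certificate mix-up.
	certPub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !certPub.Equal(pub) {
		return cert.NotAfter, errors.New("publicKey does not match the certificate's subject public key")
	}
	exp := cert.NotAfter.UTC().Format(time.RFC3339)
	switch {
	case now.Before(cert.NotBefore):
		return cert.NotAfter, fmt.Errorf("certificate not valid before %s", cert.NotBefore.UTC().Format(time.RFC3339))
	case !now.Before(cert.NotAfter):
		return cert.NotAfter, fmt.Errorf("certificate expired at %s", exp)
	case now.Add(rotateBefore).After(cert.NotAfter):
		return cert.NotAfter, fmt.Errorf("certificate expires at %s, inside the %s rotation window", exp, rotateBefore)
	}
	return cert.NotAfter, nil
}

// NewSampleCredentials mints a throwaway self-signed ECDSA certificate so the check can
// run offline. It is a constructed stand-in; tenants upload the FIRS-issued files instead.
func NewSampleCredentials(notBefore, notAfter time.Time) (FIRSCredentials, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return FIRSCredentials{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed sample tenant"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return FIRSCredentials{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return FIRSCredentials{}, err
	}
	return FIRSCredentials{
		Certificate: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		PublicKey:   string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki})),
	}, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	// Valid for 20 more days, but we want 30 days of lead time: the check refuses it.
	creds, err := NewSampleCredentials(now.Add(-time.Hour), now.Add(20*24*time.Hour))
	if err != nil {
		panic(err)
	}
	notAfter, err := CheckCredentials(creds, now, 30*24*time.Hour)
	fmt.Println("notAfter:", notAfter.Format(time.RFC3339), "err:", err)
}
```

To use it against real files, read the FIRS-issued certificate and public key into a FIRSCredentials value and call CheckCredentials with time.Now() and whatever lead time your rotation process needs; a non-nil error means the PUT should not be sent yet.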
Transport Security
- All API communication is over HTTPS (TLS 1.2+)
- Plain HTTP requests are rejected
- Webhook deliveries are also HTTPS-only
Data Security
| Measure | Detail |
|---|---|
| Encryption at rest | Fields the FIRS data dictionary marks for encryption (invoice notes, payment terms notes), together with tenant PEM credentials, are encrypted at rest |
| API keys | Stored only as hashed values; the plaintext key is returned once at creation and cannot be recovered afterwards |
| Tenant isolation | Each tenant's data is fully isolated — no cross-tenant data access is possible |
| Audit logging | Every API call is logged with timestamp, IP address, API key ID, and HTTP method/path |
API Key Security
- Keys are scoped to specific permissions — create least-privilege keys for each integration
- Keys expire after a configurable period (1–3,650 days)
- Keys can be revoked instantly via DELETE /v1/tenants/{tenantId}/api-keys/{keyId}
- Keys can be rotated (old key invalidated, new key issued) via POST /v1/tenants/{tenantId}/api-keys/{keyId}/rotate
- All key activity is logged
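The rules above (hashed storage, a 1–3,650-day lifetime, scoped permissions, immediate revocation, rotation that invalidates the old key) are easier to reason about as a small working model. The Go code below is an added illustration written for this page, not the middleware's implementation; the scope names, the SHA-256 digest, the ID/secret format and the rotation semantics (same scopes, fresh TTL) are assumptions chosen to mirror the behaviour the list describes.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"slices"
	"time"
)

type Scope string // a permission a key is limited to; names below are illustrative

// keyRecord keeps a SHA-256 digest of the secret, never the secret, plus enforcement metadata.
type keyRecord struct {
	hash    [32]byte
	scopes  []Scope
	expires time.Time
	revoked bool
}

// KeyStore models the key lifecycle; the clock is injected so expiry is testable.
type KeyStore struct {
	now  func() time.Time
	keys map[string]*keyRecord // indexed by the public key ID that appears in audit logs
}

func NewKeyStore(now func() time.Time) *KeyStore {
	return &KeyStore{now: now, keys: map[string]*keyRecord{}}
}

// Create mints a key; the secret is handed out once and only its hash is stored.
func (s *KeyStore) Create(scopes []Scope, ttlDays int) (id, secret string, err error) {
	if ttlDays < 1 || ttlDays > 3650 {
		return "", "", errors.New("ttl must be between 1 and 3650 days")
	}
	raw := make([]byte, 40) // 8 random bytes become the public ID, 32 the secret
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	id, secret = hex.EncodeToString(raw[:8]), hex.EncodeToString(raw[8:])
	s.keys[id] = &keyRecord{
		hash:    sha256.Sum256([]byte(secret)),
		scopes:  slices.Clone(scopes),
		expires: s.now().AddDate(0, 0, ttlDays),
	}
	return id, secret, nil
}

// Authorize checks the digest in constant time, then revocation, expiry and required scope.
func (s *KeyStore) Authorize(id, secret string, need Scope) error {
	rec, ok := s.keys[id]
	if !ok {
		return errors.New("unknown key")
	}
	sum := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(sum[:], rec.hash[:]) != 1 {
		return errors.New("invalid secret")
	}
	switch {
	case rec.revoked:
		return errors.New("key revoked")
	case !s.now().Before(rec.expires):
		return errors.New("key expired")
	case !slices.Contains(rec.scopes, need):
		return fmt.Errorf("key lacks scope %q", need)
	}
	return nil
}

// Revoke takes effect immediately; the record is kept so the ID still resolves in logs.
func (s *KeyStore) Revoke(id string) bool {
	rec, ok := s.keys[id]
	if ok {
		rec.revoked = true
	}
	return ok
}

// Rotate issues a replacement with the same scopes and a fresh TTL and invalidates the old key in the same step.
func (s *KeyStore) Rotate(id string, ttlDays int) (newID, secret string, err error) {
	rec, ok := s.keys[id]
	if !ok || rec.revoked {
		return "", "", errors.New("unknown or revoked key")
	}
	if newID, secret, err = s.Create(rec.scopes, ttlDays); err != nil {
		return "", "", err
	}
	rec.revoked = true
	return newID, secret, nil
}

func main() {
	s := NewKeyStore(time.Now)
	id, secret, _ := s.Create([]Scope{"invoices:write"}, 90)
	fmt.Println(s.Authorize(id, secret, "invoices:write"), s.Authorize(id, secret, "tenants:admin"))
}
```

A plain SHA-256 is adequate here because the secret is 256 bits of fresh randomness, not a user-chosen password, so there is nothing for a password-cracking attack to guess; the constant-time compare keeps the digest check from leaking how many bytes matched. Note that Rotate marks the old record revoked only after the new key has been created, so a failed rotation leaves the integration with its working key.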
Regulatory Compliance
| Framework | Status |
|---|---|
| FIRS e-Invoicing Guidelines | Compliant |
| NDPR (Nigeria Data Protection Regulation) | Compliant |
| CBN Digital Finance Guidelines | Compliant |
Encrypted Fields
The FIRS data dictionary marks certain invoice fields for encryption at rest:
- Invoice notes
- Payment terms notes
These are flagged with "encryption": true in the dictionary metadata and are automatically handled by the platform — no action required from integrators.
Incident Reporting
To report a security vulnerability or suspected breach, contact the platform admin team immediately. Do not log security issues in public repositories or issue trackers.