Arratech Connect, Capability Brief

What is Arratech Connect?

Arratech Connect is a software-as-a-service (SaaS) platform for sending, receiving, validating, and archiving electronic business documents over the Peppol network. Your suppliers and customers exchange invoices, credit notes, and related documents with you through Arratech instead of through email attachments or one-off portals.

Arratech is a certified OpenPeppol Service Provider, identifier PSE000778. We operate our own Peppol Access Point (the AS4 endpoint that talks to other service providers) and our own Service Metadata Publisher, which is how the Peppol network looks up where to deliver documents addressed to you.

We offer two access models on day one:

  • Shared Access Point. You connect to the Peppol network through Arratech's own Access Point. This is the default and suits most buyers.
  • Whitelabel Access Point. Arratech hosts your own Access Point under your service-provider identity. Suited to buyers who are themselves approved Peppol Service Providers and want their own identity on the network.

All infrastructure is defined as code, versioned in git, and deployed through automated pipelines.

Image

Where does our data live? (Data residency)

Data residency, meaning which country your documents are stored and processed in, is one of the first things we settle when we onboard you, and it shapes everything below.

The default: AWS Europe (Frankfurt), eu-central-1. Every customer without a specific residency requirement is onboarded here. In this region we run the full stack: our Peppol Access Point and SMP, the Connect Portal, the REST API, and the long-term document archive. Your business documents, the Peppol envelope, and the AS4 transport metadata that proves their authenticity are all stored encrypted in Frankfurt, and all processing happens in-region. Arratech is in production in the EU today, and exchanges Peppol documents cross-border globally through our certified Service Provider identity PSE000778.

Expanding beyond the default: other clouds and more AWS regions. The platform is built for multi-region and multi-cloud deployment. The same OpenTofu modules deploy a self-contained stack into another AWS region, and where a national qualification requires it we deploy to other clouds. For example, a SecNumCloud-qualified module on GCP S3NS serves the French market. Wherever you are onboarded, your data stays in that region or cloud. Arratech is actively deploying into additional AWS regions and additional clouds as customer demand and national mandates require.

Which countries do we support? Arratech supports document exchange across many countries, including jurisdictions adopting the new continuous transaction control (CTC) mandates. National mandates and our coverage change constantly, so the authoritative, up-to-date list is held by our Sales team. Contact Sales for current country coverage and the timeline for your specific market.

How do we send and receive invoices?

Your team sends and retrieves documents through two channels, with a third channel for event notifications:

  • Connect Portal at app.arratech.com. A web application for your operators to view, search, and act on documents, manage participants, and configure the organisation.
  • REST API at api.arratech.com. The integration surface for your enterprise resource planning system, your accounts-payable workflow, or any custom automation. Documented OpenAPI specification at app.arratech.com/docs/api/swagger.
  • Webhooks. Outbound HTTPS callbacks to your endpoints when document status changes, so you do not need to poll. Webhooks are notify-only: the platform calls your endpoint to tell your system that something happened. You submit documents through the API or the Portal, never through a webhook.

A typical outbound invoice flows like this. Your enterprise resource planning system posts the invoice through the REST API. Arratech validates it against the relevant Peppol Business Interoperability Specification and any country-specific rules. The platform looks up the recipient's Access Point through the Peppol Service Metadata Publisher and Service Metadata Locator, packages the document, signs and encrypts it under our OpenPeppol public-key infrastructure certificate, and dispatches it over AS4 to the recipient's Access Point. Status updates flow back to your system through the API and webhooks.

A typical inbound document flows the reverse way. The sending Access Point delivers the document to our AS4 endpoint, we validate it, and we make it available to your team through the Portal, the API, and webhook notifications.

How does it integrate with our ERP?

Today: API-led integration, no named ERP or accounting connectors. You integrate Arratech Connect with your enterprise resource planning system through the REST API and webhooks. That keeps the integration explicit, version-controlled, and under your team's control. We provide the OpenAPI specification, a demo organisation mode that lets your team test end-to-end flows on capped sample data, and engineering support during integration.

Is it secure enough for our auditors?

Security and operational posture, as currently in place:

  • Encryption at rest. AES-256 across every data store, managed through AWS Key Management Service. Peppol public-key-infrastructure private keys are additionally protected at the application layer with a customer-managed key and encryption-context enforcement.
  • Encryption in transit. All external traffic over HTTPS with a minimum of TLS 1.2 and TLS 1.3 supported. Certificates are issued and auto-renewed by AWS Certificate Manager. Peppol AS4 messages are signed and, where applicable, encrypted under our OpenPeppol certificate.
  • Identity and multi-factor authentication. Identity is managed by Amazon Cognito. Time-based authenticator apps (Google Authenticator, Microsoft Authenticator, 1Password, Authy, and similar) and SMS one-time codes are supported as second factors. Multi-factor authentication is enforceable per organisation: as an administrator you can require it for every member of your organisation. Arratech personnel with access to logs, metrics, or data are required to use multi-factor authentication by internal policy.
  • Network protection. AWS Web Application Firewall sits in front of every public endpoint, with managed rule sets and rate limiting on sensitive paths.
  • Threat detection and audit logging. Amazon GuardDuty for managed threat detection, AWS CloudTrail for an immutable record of every cloud-control-plane action including S3 object-access events, Amazon CloudWatch for service metrics and alarms, and Drata for continuous automated compliance checks.
  • Backups. DynamoDB point-in-time recovery within the last 35 days, Amazon S3 object versioning, daily OpenSearch snapshots, and the entire environment reproducible from git.
  • Incident response. A real, operated process: detection, triage, containment, remediation, post-incident review, and customer communication where applicable.

Compliance attestations available today: Drata-driven continuous compliance monitoring; OpenPeppol Service Provider certification under identifier PSE000778.

How do we get our data out?

The REST API supports document retrieval, status retrieval, and listing endpoints, so your team can pull data on demand into a downstream system or warehouse. Webhooks push status changes as they happen.

For long-term archival, every accepted document is retained as the original business document XML together with the Peppol envelope and the AS4 transport metadata that proves authenticity, in encrypted Amazon S3 storage. Retention is configurable per deployment to match the country mandate that applies to you; tell us your jurisdiction and we will confirm the applicable retention window in writing.

How do you ship changes?

Continuous delivery. Multiple deployments per week is the steady state. Higher-risk changes use a canary mechanism at the load balancer for pre-production verification before opening to all traffic.

Three fully isolated environments back this: dev, staging, and production. Each has its own AWS account, its own Cognito user pool, and its own data. Staging mirrors production topology so end-to-end behaviour can be validated before promotion. The same OpenTofu modules deploy each environment, so parity is structural rather than aspirational.

Where do we go from here?

If you are evaluating Arratech Connect, the practical next steps are:

  • Tell us which country or countries you need to send and receive in, and what your residency posture is.
  • Tell us which enterprise resource planning system or accounts-payable workflow Arratech needs to integrate with, and what your timeline looks like.
  • Ask us anything on this brief if something is unclear. We will answer all questions with our engineering and compliance teams.