PHP, CodeIgniter, OpenSSL, Compliance, Perfex CRM

Veri*factu Compliance Plugin for Perfex CRM

Client

Spanish SMEs & Fintech Providers

Services

Security & Compliance

Year

2024-05-01

Overview

In response to the upcoming mandatory Spanish tax regulations (Ley Crea y Crece), I developed a specialized plugin for Perfex CRM that ensures full compliance with the Veri*factu standard. This project involved deep-diving into the technical requirements set by the Spanish Tax Agency (AEAT) to guarantee that every invoice generated is "non-alterable, traceable, and secure."

The solution automates the generation of compliant billing records, creates the mandatory chaining of records (hash linking), and prepares the system for real-time reporting to the government, well ahead of the 2027 deadline.

Technology Stack

  • Core Framework: PHP, CodeIgniter (Perfex CRM Architecture)
  • Security & Encryption: OpenSSL (for Digital Signing), SHA-256 Hashing algorithms
  • Digital Certificates: X.509 certificates (.p12 / .pfx) handling
  • Data Exchange: XML (FacturaE compatible) & SOAP/WSDL
  • Visual Standards: QR Code Generation (ISO/IEC 18004)

Key Features

  • Chained Record Architecture (Hash Linking): Implemented a sophisticated "chaining" logic where each invoice includes a unique hash of the previous record. This ensures that any attempt to modify or delete a past invoice breaks the chain, rendering the system's integrity verifiable at all times.
  • Cryptographic Digital Signing (.p12/.pfx): Developed a secure module to upload and manage Digital Certificates. The plugin uses OpenSSL to apply an electronic signature to each billing record, guaranteeing the authenticity of the origin and the integrity of the invoice data as required by the AEAT.
  • Dynamic Veri*factu QR Code Engine: Built a custom generator that embeds a specific URL into a QR code on every PDF invoice. This allows any recipient or tax inspector to scan the document and verify in real-time if the invoice has been correctly registered in the Tax Agency's database.
  • Immutable Audit Logs: Created a "Legal Log" within Perfex CRM that records every interaction with an invoice (creation, modification, or cancellation) with an encrypted timestamp, preventing any retroactive data manipulation.
  • Automated XML/SOAP Transmission: Designed the API layer to handle the "Veri*factu" mode, enabling the automatic and instantaneous transmission of billing records to the AEAT servers via secure SOAP requests.
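
The chained-record logic described in the first feature above, as an added PHP example (not the plugin's own code). The field names, the '|' canonical form, the empty genesis marker and the externally stored head hash are assumptions made for illustration and do not reproduce the AEAT record format.

```php
<?php
// Added illustration. Field names and the '|' canonical form are assumptions,
// not the AEAT record format.
const GENESIS = ''; // hypothetical "no previous record" marker

function canonical(array $r, string $prev): string
{
    return implode('|', [$r['number'], $r['issued_at'], $r['total'], $prev]);
}

// Append a record whose hash covers its own fields plus the previous hash.
function append_record(array $chain, array $rec): array
{
    $prev = $chain ? end($chain)['hash'] : GENESIS;
    $rec['prev_hash'] = $prev;
    $rec['hash'] = hash('sha256', canonical($rec, $prev));
    $chain[] = $rec;
    return $chain;
}

// Returns null when intact, else the index of the first record that fails.
// $head is the latest hash kept outside the table (assumed), so that removal
// of the newest records is detectable too.
function verify_chain(array $chain, ?string $head = null): ?int
{
    $prev = GENESIS;
    foreach (array_values($chain) as $i => $r) {
        $ok = hash_equals($prev, $r['prev_hash'])
            && hash_equals(hash('sha256', canonical($r, $prev)), $r['hash']);
        if (!$ok) return $i;
        $prev = $r['hash'];
    }
    return ($head !== null && !hash_equals($head, $prev)) ? count($chain) : null;
}

// Constructed sample invoices.
$chain = [];
foreach ([['INV-001', '2024-05-01', '121.00'], ['INV-002', '2024-05-02', '60.50'],
          ['INV-003', '2024-05-03', '242.00']] as [$n, $d, $t]) {
    $chain = append_record($chain, ['number' => $n, 'issued_at' => $d, 'total' => $t]);
}
$head = end($chain)['hash'];

$edited = $chain;    $edited[1]['total'] = '6.05';   // amount changed after the fact
$deleted = $chain;   array_splice($deleted, 1, 1);   // middle record removed
$truncated = array_slice($chain, 0, 2);              // newest record removed

foreach (compact('chain', 'edited', 'deleted', 'truncated') as $name => $c) {
    printf("%-9s no anchor: %s, anchored: %s\n", $name,
        json_encode(verify_chain($c)), json_encode(verify_chain($c, $head)));
}
```

An edit or a deletion in the middle of the chain fails at the first affected record, while removal of the newest record is only caught when the head hash is compared against a copy held outside the invoice table.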

Technical Deep-Dive: Security & Compliance

To meet the strict "non-alterability" requirement, the plugin intercepts the invoice finalization process to execute two critical steps:

  1. Signature Flow: The system retrieves the encrypted certificate from a secure directory, signs the data payload, and stores the resulting signature in a protected database table.
  2. The Verification Link: The QR code is generated using a specific syntax incorporating the fingerprint of the digital signature.

The Challenge

Veri*factu requires more than just a "send" button; it demands a fundamental change in how databases handle records. The challenge was to modify Perfex CRM’s native billing flow to be strictly sequential and immutable without breaking its core functionality or the end-user experience.

The Result

A production-ready plugin that positions the client as an early adopter of the 2027 mandate. The CRM is now technically audited to prevent non-compliance issues that carry heavy fines, providing peace of mind to business owners and ensuring that their billing software is a "certified-ready" system under Spanish law.
