Security
Security is built into every layer of VerifyVAT.
This page outlines the measures we take to protect API keys, validate input, and ensure that registry lookups remain safe, predictable, and tamper-resistant.
For information about terms, personal data, and GDPR, see Legal notes.
Transport security
All API traffic is served exclusively over HTTPS.
Requests made over plain HTTP are automatically redirected to HTTPS before being processed.
API key protection
API keys are treated as sensitive credentials:
- generated as high-entropy UUIDv4 values
- encrypted at rest
- validated on every request
- scoped to the individual account that created them
- never written to application or server logs
You can view your keys in the dashboard at any time.
When displayed, keys are decrypted on the fly and shown only to you.
Keys can be created, paused, renamed, or revoked from Profile › API Access.
See Authentication for details.
Input validation
VerifyVAT validates all input before performing any lookup:
- entity IDs are trimmed, normalised, and restricted to a safe alphanumeric subset (plus a small number of permitted symbols such as `+` or `*`)
- unsupported ID formats, invalid country codes, or malformed JSON return `bad-request` errors
- invalid requests never reach registry connectors
This protects both your integration and our infrastructure.
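The pipeline above (trim, normalise, allow-list, reject before any connector is called) as an added illustration. This is example code, not VerifyVAT's validator: the character class, the country list, the JSON field names `country` and `id`, and the error wording are assumptions made for the example.

```python
import json
import re
from typing import Optional

# Added illustration of the validation pipeline described above: trim, normalise,
# allow-list, and reject before anything reaches a registry connector. The
# character class, the country list, the JSON field names and the error wording
# are assumptions for this example, not VerifyVAT's actual rules.

SAFE_ID = re.compile(r"[A-Z0-9+*]{1,32}")               # assumed allow-list: alphanumerics plus '+' and '*'
KNOWN_COUNTRIES = {"AT", "DE", "ES", "FR", "IT", "NL"}  # assumed subset of supported country codes


def bad_request(detail: str) -> dict:
    """The only outcome an invalid request can have: an error, never a lookup."""
    return {"ok": False, "error": "bad-request", "detail": detail}


def normalise(value) -> Optional[str]:
    """Trim, drop internal whitespace, fold to upper case; non-strings are rejected outright."""
    if not isinstance(value, str):
        return None
    return "".join(value.split()).upper()


def validate_lookup(body: str) -> dict:
    """Return normalised lookup parameters, or a bad-request error, for a raw JSON request body."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        return bad_request(f"malformed JSON: {exc.msg}")
    if not isinstance(req, dict):
        return bad_request("request body must be a JSON object")

    country = normalise(req.get("country"))
    if country is None or country not in KNOWN_COUNTRIES:
        return bad_request("invalid or unsupported country code")

    entity_id = normalise(req.get("id"))
    if entity_id is None or not SAFE_ID.fullmatch(entity_id):
        # Anything outside the allow-list (quotes, slashes, control characters, URL fragments)
        # is refused here, so a registry connector only ever sees the normalised form.
        return bad_request("entity id is missing or contains characters outside the permitted set")

    return {"ok": True, "country": country, "id": entity_id}
```

The order matters: the body is parsed and typed first, then each field is normalised and checked against an allow-list, and only the fully validated, normalised values are handed on. A deny-list of "dangerous" characters would have to anticipate every connector's quoting rules; an allow-list does not.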
Rate limiting and abuse protection
Rate limits serve both billing and security purposes:
- burst limits prevent sudden spikes or misuse
- daily limits restrict abusive automated traffic
- limits are hard: exceeding them returns a `429` error immediately
See Error handling for detailed error codes.
Registry access and sanitisation
VerifyVAT communicates only with official, vetted registry sources.
No user-controlled URLs are ever contacted.
Some registries return unstructured HTML.
In these cases, we extract only the required, well-defined fragments.
No arbitrary script execution or browser-like behaviour occurs, and parsing is fully isolated.
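What "extract only the required, well-defined fragments" looks like in practice, as an added example that is not VerifyVAT's own parser. The sample page, the field names and the allow-list of fields are constructed for the example; it uses only the standard-library `html.parser`, so nothing in the page is executed or fetched, and everything outside the allow-listed label/value cells is discarded.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Added illustration of fragment extraction from unstructured registry HTML.
# The sample page, the field names and REQUIRED_FIELDS are constructed for this
# example; they are not a real registry's output or VerifyVAT's own parser.

REQUIRED_FIELDS = ("Name", "Status")   # assumed allow-list of fragments we keep


class KeyValueTableParser(HTMLParser):
    """Collects <th>label</th><td>value</td> pairs and ignores everything else,
    including the bodies of <script> and <style> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.pairs: Dict[str, str] = {}
        self._cell: List[str] = []          # text buffer for the currently open cell
        self._in: Optional[str] = None      # "th", "td" or None
        self._label: Optional[str] = None   # last <th> text, waiting for its <td>
        self._skip = 0                      # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ("th", "td") and not self._skip:
            self._in, self._cell = tag, []

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == self._in:
            text = " ".join("".join(self._cell).split())   # collapse whitespace
            if tag == "th":
                self._label = text
            elif self._label is not None:
                self.pairs[self._label] = text
                self._label = None
            self._in = None

    def handle_data(self, data):
        # Text is only kept inside an open cell and never from inside a script/style body.
        if self._in and not self._skip:
            self._cell.append(data)


def extract_fields(page: str) -> Dict[str, str]:
    """Parse a registry page and return only the allow-listed fields; unknown rows are dropped."""
    parser = KeyValueTableParser()
    parser.feed(page)
    parser.close()
    return {k: parser.pairs[k] for k in REQUIRED_FIELDS if k in parser.pairs}


# Constructed sample page: a script before and after the table, and an extra row
# that must not leak through.
SAMPLE_HTML = """
<html><body>
<script>document.write("tracking")</script>
<table>
 <tr><th>Name</th><td> Example &amp; Sons GmbH </td></tr>
 <tr><th>Status</th><td>active</td></tr>
 <tr><th>Internal note</th><td>do not ship</td></tr>
</table>
<script>alert(1)</script>
</body></html>
"""
```

Because the parser is a pure tokenizer with no DOM, no network access and no script engine, a hostile or merely broken registry page can at worst yield a missing field, which the caller then treats as "no data" rather than as a crash or a code path it did not expect.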
Logging and traceability
VerifyVAT logs only what is necessary for debugging and operational visibility, such as the request trace-id, normalised endpoint parameters, and status or execution details.
API keys and other sensitive data are never logged.
Logs are retained for a short operational window and deleted automatically.
Including the trace-id when contacting support helps us locate your execution trace and investigate any issues.
Data storage
VerifyVAT does not persist registry responses beyond their cache lifetime.
- responses are cached according to the rules in Caching and stale data
- cached entries expire automatically
- identifiers are stored only in their normalised form
- no PII is retained beyond what appears in registry responses, and even that is never stored long-term
The platform retains only what is strictly necessary to serve fresh and accurate results.
Infrastructure and redundancy
VerifyVAT runs on a distributed, redundant infrastructure across multiple European regions.
Requests are processed close to users, with automatic failover and high availability.
Caching, registry access, and rate limiting are designed to operate reliably even during partial upstream outages.
Best practices
To keep your integration secure:
- treat API keys as production secrets
- never embed keys in client-side code
- rotate or revoke keys immediately if compromised
- monitor usage via the `CW-Billable-Overage` response header
- rely on Error handling for safe branching logic
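The practices above, and the `429` and `bad-request` behaviour from the sections before, as an added client-side example. It is not VerifyVAT's client library: no request is sent, responses are constructed, and the environment variable name `VERIFYVAT_API_KEY`, the `400` status assumed for `bad-request`, the `trace_id` parameter and the action names are assumptions made for the example.

```python
import logging
import os
import re
from typing import Mapping, Optional

# Added example of the client-side practices listed above: the key comes from the
# environment rather than source code, it is redacted before it can reach a log
# line, and responses are handled by an explicit status-to-action mapping.
# No request is sent; the responses are constructed. VERIFYVAT_API_KEY, the 400
# status for bad-request, the trace_id parameter and the action names are
# assumptions for this example, not VerifyVAT's documented API.

UUID4 = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I
)
log = logging.getLogger("verifyvat-client")


def looks_like_api_key(key: str) -> bool:
    """Keys are UUIDv4 values, so anything else is a misconfiguration, not a key."""
    return bool(UUID4.match(key or ""))


def redact(key: str) -> str:
    """Keep only the last four characters: enough to tell keys apart, useless to an attacker."""
    return "****" + key[-4:] if len(key) >= 8 else "****"


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment; never hard-code it or ship it to a browser."""
    key = env.get("VERIFYVAT_API_KEY", "")   # assumed variable name
    if not looks_like_api_key(key):
        raise RuntimeError("VERIFYVAT_API_KEY is missing or is not a UUIDv4")
    log.info("loaded API key %s", redact(key))   # the full key never appears in a log line
    return key


def handle_response(status: int, headers: Mapping[str, str], trace_id: Optional[str] = None) -> str:
    """Map a response to one explicit client action so callers branch on the action, not on guesses."""
    overage = headers.get("CW-Billable-Overage")
    if overage is not None:
        # Surface billable overage so a runaway integration is noticed before the invoice.
        log.warning("billable overage reported: %s (trace-id=%s)", overage, trace_id)
    if status == 200:
        return "use-result"
    if status == 400:
        return "fix-request"   # bad-request: the input never reached a registry, so retrying is pointless
    if status == 429:
        return "back-off"      # hard limit: wait before retrying, never retry in a tight loop
    # Anything else is worth one delayed retry, with the trace-id logged for support.
    log.error("unexpected status %s (trace-id=%s)", status, trace_id)
    return "retry-later"
```

With a real HTTP client the header object is case-insensitive; the plain dictionaries used here are not, so match the header name exactly. The point of returning an action string rather than the raw status is that a `400` and a `429` need opposite handling (fix the input versus slow down), and an integration that retries both the same way will burn through its daily limit on requests that can never succeed.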