How EIV works

Deterministic validation, not AI

EIV validates invoices against the official EN16931 / Peppol BIS3 / XRechnung Schematron rule sets, using the KoSIT validator — the same reference implementation used across the EU e-invoicing ecosystem. There is no AI or LLM involved in processing your invoice, at request time or ever. Every rule that fires is a named, published rule ID (e.g. BR-02, BR-CO-15) that you can look up in the official specification. Language models are only ever used, if at all, as a build-time tool to help write mappings — never to inspect, judge, or decide anything about a submitted invoice.

Your invoice is never persisted

An uploaded file is held in memory for the lifetime of a single request: it is parsed, sent to the validation engine, and the result is returned. It is never written to disk, never cached, and never queued for later processing. See the privacy page for exactly what is logged instead (a hash, the fired rule codes, a timestamp, and the detected format — never the invoice content).

Repair is a fixed whitelist, not a rewrite

The /api/v1/repair endpoint never touches monetary amounts, VAT rates, dates, or party identities. Arithmetic rule failures (BR-CO-*) are reported with the expected value versus the found value — they are never silently corrected. Every repair response includes a machine-readable diff and a human-readable changelog of exactly what changed, so nothing is mutated without a visible trail.

Rate limiting

The public /api/v1/validate endpoint is rate-limited per client IP address to prevent abuse. This is enforced server-side and does not depend on any client-supplied header other than the standard reverse-proxy forwarded-for address.

Questions

If you have found a security issue in EIV, please contact the service operator directly rather than filing a public report.