How do we securely handle your consent to execute payments on your bank account?

How do we securely handle your consent to execute payments on your bank account?

Hi, my name is Sven Beauprez and I am responsible for all things technical of the TOCO Platform.

As you could read in previous blogs and will be able to read in future blogs, TOCO is meant to be your one stop shop for all you company administration, including payments without the need to go to your banking application. And this not only for Belgium, but throughout the whole European Union (and also UK). In this post I lift the corner of the veil on a part of security that is crucial for banking integrations, especially for payment initiation, and which was approved by the National Bank of Belgium (NBB) 

TOCO aggregates a lot of data from different systems, such as retrieving your accounting information from accounting software and your financial transactions from banks. At the same time, we upload data and trigger actions on those systems, such as uploading invoices ready to be processed by your accountant and payments to be processed by your bank.

All those integrations require an end-user consent and we need to make sure that you and only you are able to retrieve your data and you and only you can execute actions on your data (eg. pay with your bank account)

We only have deep integrations with external systems that can be setup securely. For banks, this is fine and most banks are ready to setup this integration (they have to, because of the European PSD2 directive). For accountancy systems, this is a different story. Not all those systems are ready for secure deep integrations. If you are an accountant, please contact our support team to know which accountancy software we support today and which packages are on the roadmap (we co-operate with a few of the vendors to make their software more secure).

For all supported deep integrations, we use the same high security standard, which means accountancy system integrations are on the same high security level as banking integrations. When an integration is setup with a bank for example, we need to get your consent to be able to read account information and to initiate a payment with your bank account. When you give us this consent, we get a unique key (token) for you from your bank to use in future conversations with your bank.

You can compare this key/token with a unique key to an office building. The owner of the key is known, and you can easily track when the owner has entered the building. This is also true for the consent token you gave us via your bank, when we use this token to initiate a payment on your account, every party knows exactly that you – and only you – initiated this payment on TOCO – and only on TOCO – and for that specific account – and only that account. TOCO receives consent tokens from a lot of different users, so we have to be very careful with what we do with those tokens.

Now a little bit more in depth technical on how we securely store this token in our backend. We use a vault in which tokens are stored encrypted. The encryption keys used to encrypt the token, are also encrypted with a master encryption key. The vault can only be unsealed via the master key. That’s already a lot of encryption, but it does not stop here!

The master encryption key, needed to access the vault data, is on its turn encrypted via a key management system (KMS)  and must be decrypted with the KMS. The KMS keeps cryptographic keys used for encrypting and decrypting data.

This is only tip of the iceberg on the security measures we took and our whole security setup was reviewed and approved by the National Bank of Belgium (NBB). Since day one in spring 2019, this setup has been put in place. Security is not an after thought at TOCO.

Your accountant on TOCO or not, we’ll make it work!

Your accountant on TOCO or not, we'll make it work!

We just released a new version of TOCO where you can easily indicate your accountant and start collaborating.

Wether your accountant is on TOCO or not, we’ll make it work! 🤝

Hi, my name is Jonas, Lead Analyst of TOCO. As you could read in my previous blog, TOCO stands for Together Connected. The first and most important connection as an SME to smooth your financial administration, is the one with you accountant. We just released a new version of TOCO where you can easily indicate your accountant and start collaborating. Wether your accountant is on TOCO or not, we’ll make it work! 🤝

Indicate your accountant

As a first step TOCO needs to know who your accountant is before you can start collaborating. Go via the TOCO menu to Settings – Accounting where you can start the flow. As soon as you start typing the name or VAT number of your accountant, you will see suggestions of possible matches.
No worries, in order not to forget selecting your accountant, we’ll give you a hint above your Inbox.

From here on there are two possibilities: your accountant is on TOCO or not. When your accountant is on TOCO, there is a final approval of the accountant to accept you as Client. Once they accept, all is done and you can start sending documents from your TOCO Inbox to your accountant.

When your accountant is not yet on TOCO, you are asked to fill in your contact person details. You only need to fill in the name, e-mail and phone number. That’s it, all is set and done and you can now too send your documents from your TOCO Inbox to your accountant.

Accountant not on TOCO

As an accountant who is not yet on TOCO, you will receive an e-mail of the documents sent by the SME. This e-mail already indicates which document types and how many of them are transferred to you. The documents can be downloaded via a zip file, which will contain all documents grouped in folder per document type.

Do you want to optimize your flow as an accountant?
Start using TOCO Start for accountants for free!

What does multi-tenancy mean in a platform like TOCO?

What does multi-tenancy mean in a platform like TOCO?

Hi, my name is Sven Beauprez and I am responsible for all things technical of the TOCO Platform.

As you could read in previous blogs, TOCO is a platform for the SME where he can centralize all his company related administration, such as invoices, company files, insurance documents, financial transactions (automatically imported from the bank, details will come in a future blog), etc. This alone is already very powerful for the SME and in the coming weeks there will be a new release where the SME can even communicate with his accountant not on the platform.

But we also see that most accountants are open to TOCO when one of their clients is using TOCO for his administration, which unlocks the full power of the platform for that SME. When the accountant is using one of the supported accountancy packages and/or reporting solutions, the SME gets automatically updates from the accountant when something is changed in his accounting records.

To make this happen, an accountant is set up as a tenant on the platform. Think of the platform as a business ecosystem where different business occupy its own space within a high-rise building. This building is a multi-tenant building with many tenants. In a strict multi-tenant platform such as Shopify, each shop is a tenant and each tenant is in fact an isolated website. Users have a seperate login for each tenant, even if a user is a client of multiple shops. This is of course the idea of Shopify and this model works perfectly for them.

In TOCO, an accountant can manage his clients on the platform and when a user logs in for an SME, he will be connected with his accountant. But in reality a user can manage/have more than one SME and each SME can be linked to a different accountant, or even be on TOCO without a connected accountant. Having multiple logins would be a bad user experience.

To make this happen, the authorization model is setup in such a way that a user can easily switch from SME and automatically ends up in the new tenant when doing so. In other words, a user can have 1 login to manage different SMEs with potentially different accountants.

This multi-tenancy setup underneath opens the door to new use cases where cross-tenants, such as banks, notaries, auditors, etc. have SME clients over the different tenants on the platform.

By building upon the architecture above, we have a very flexible platform for all use cases where SME communicate and share data with different kind of parties with a different involvement on the platform.

What is the current status of the TOCO platform?

What is the current status of the TOCO platform?

Hi, my name is Sven Beauprez and I am responsible for all things technical of the TOCO Platform.

October 2019 was an important milestone for TOCO. This was the first production release of the platform and it allowed our first users to test and grow the platform. Since then quite some users onboarded and use TOCO together with their accountant, fully integrated with the accountancy system of the accountant.

To give more insights into the platform and all the features we have today or that are expected in the near future, we start a blog series around the product and the architecture underneatch, the latter being more technical. In the coming weeks, Evelien and Jonas – our Produt owner and Business Analyst – will talk about documents, accountancy packages, bookings, payments, bank transactions, reports and much more to explain how to work with it in TOCO.

Next to that, I will elaborate on the architecture of our multi-tenant platform, the security, the availability, the business continuity, the different integrations, etc. to explain how we tackle different non-functional requirements and what we have done on a technical level to get a PSD2 license from the NBB (National Bank Belgium).

Just to give you a taste already, I’ll leave you with the webinar we recorded just after releasing into production. Lieve gives an overview of the platform in a demo environment, explaining some of the features that were available already in October 2019 (in Dutch). Know that we have worked hard since then to extend the platform with a lot more interesting features, which you will get to know in the next few weeks/months.