Frequently asked questions

Scell.io is a unified B2B API for issuing compliant electronic invoices (Factur-X, UBL, CII) and collecting simple electronic signatures (SES) compliant with the European eIDAS regulation. It targets software publishers, integrators and businesses that want to automate these workflows without building a regulatory infrastructure in-house.

Scell.io is a dematerialisation operator (OD). We are not a PDP. As an OD, you can generate compliant electronic invoices in all required formats (Factur-X, UBL, CII) and transmit them through our partner SuperPDP.

No subscription. Scell.io runs on prepaid credits. You purchase a credit pack (starting at €50) and each operation consumes credits: €0.04 per invoice issued, €1.20 per signer (not per document — a document sent to 3 signers costs 3 × €1.20 = €3.60). Credits are valid for 12 months. No hidden fees, no commitment.

Yes. Every account has an isolated sandbox environment, accessible via keys prefixed with sk_test_*. Sandbox calls do not consume credits and do not produce any legally valid document. You can switch between production and sandbox from the dashboard or via the X-API-Key header of your requests.

Scell.io generates invoices compliant with European standards: Factur-X (Minimum, Basic WL, Basic, EN 16931, and Extended profiles), UBL 2.1, and CII (Cross Industry Invoice). These formats cover the requirements of the French 2026 reform and the EN 16931 standard. The format can be selected per API call based on your recipient's needs.

Numbering is fully automatic and managed by Scell.io. Each invoice receives an internal identifier in the format DRAFT-XXXXX upon creation, then a definitive sequential number in the format XXXXX-YYYYMM-NNNNN upon issuance (where XXXXX is your tenant identifier, YYYYMM the year and month, and NNNNN the rank in the sequence). This unbroken chronological numbering complies with French tax obligations.

The Reliable Audit Trail (PAF) is the set of documentary elements that justify the chain between a purchase order, a delivery note, and an invoice. Scell.io automatically stores the required metadata (order references, dates, party identifiers) and associates them with each issued invoice to satisfy the requirements of Article 289 of the French General Tax Code during a tax audit.

From September 2026 (large companies and mid-sized businesses) and then 2027 (SMEs, micro-businesses), all French B2B transactions must be issued and received in structured electronic format via a PDP or the PPF. Scell.io prepares your clients today: the invoices generated already comply with the technical specifications and workflows expected by the future public invoicing portal.

Scell.io implements the Simple Electronic Signature (SES) as defined by the eIDAS regulation (EU 910/2014). This level is suited to standard commercial contracts, quotes, terms and conditions, and internal documents. We do not offer Advanced (AES) or Qualified (QES) signatures: if your use case requires a higher level, contact us to evaluate the available options.

During a signing workflow, a 6-digit one-time code (OTP) is sent by SMS to the signer's phone number. It must be entered within 10 minutes to validate the signing act. This mechanism provides an additional timestamped identity proof, integrated into the document's audit log. The SMS is delivered by our eIDAS-certified signature partner through a European SMS operator, and it is included in the per-signer cost (€1.20 per signer, not per document).

Yes. The API accepts an array of signers per signature request. You can define a sequential order (each signer is notified after the previous one has validated) or a parallel mode (all signers are contacted simultaneously). The document is only considered fully signed once all parties have validated.

eIDAS SES signatures carry evidentiary value recognised before European courts. Each signature comes with a comprehensive audit log: signer identity, certified timestamp, IP address, recorded consent, validated SMS OTP. This evidence file is exportable as a PDF from your dashboard and serves as the supporting document in the event of a dispute.

Scell.io publishes three official SDKs: a TypeScript/JavaScript SDK (compatible with Node.js, Deno, and the browser), a PHP SDK (compatible with Laravel, Symfony, and native PHP), and an MCP (Model Context Protocol) server that allows AI agents such as Claude to call the API directly from automation workflows. All are available on npm and Packagist.

The Scell.io API supports four modes depending on the usage context: (1) Sanctum SPA via HttpOnly cookies for the scell.io dashboard, (2) secret key sk_* via the X-API-Key header for server-to-server calls (invoices, signatures, webhooks), (3) publishable key pk_* via X-Publishable-Key for client-side JavaScript widgets of partner tenants, (4) tenant key via X-Tenant-Key for multi-tenant endpoints (legacy mode).

Scell.io sends webhooks via HTTP POST to notify your system of key events: invoice issued, signature completed, OTP expired, payment received, etc. Each request is signed with a shared secret via HMAC-SHA256 (X-Scell-Signature header). You can configure multiple destination URLs, filter by event type, and manually replay a webhook from the dashboard.

All Scell.io data is hosted in France on Scaleway infrastructure (Paris zones, datacenters certified ISO 27001 and HDS). Three separate S3 buckets coexist: one for active files (invoices in progress, signed documents), one fiscal archive bucket with Object Lock COMPLIANCE for 11 years, and one PostgreSQL backups bucket (daily pg_dump retained 30 days + continuous WAL streaming retained 7 days). PostgreSQL database and Redis queues sit in the same zone. No transfers outside the EU are performed.

Yes. Scell.io acts as a data processor within the meaning of Article 28 of the GDPR for the personal data you transmit to it. A DPA (Data Processing Agreement) is available and can be signed from your client portal. Data is processed according to the minimisation principle, a processing register is kept up to date, and you have the right to data portability and erasure.

Issued invoices are archived for 11 years on a dedicated S3 bucket with Object Lock in COMPLIANCE mode — the archive cannot be deleted or modified before that period, not even by our own administrators. This duration covers Article L102 B of the French Tax Procedure Book (VAT) and Article L123-22 of the Commercial Code. You can export all your invoices as PDF/A or raw JSON at any time via the API or the dashboard.

Four cumulative layers. (1) Object Lock COMPLIANCE on the archive bucket: no file can be deleted or overwritten for 11 years, not even by a Scell.io administrator. (2) SHA-256 hash chain isolated per tenant and per sub-tenant: each invoice carries a hash that includes the previous one, any tampering breaks the chain and is detected by our daily health check. (3) OpenTimestamps Bitcoin timestamping: the closure hash is submitted to 3 public calendars and anchored in a Bitcoin block within 1 to 6 hours, proving the priority of the invoice at a given moment — verifiable offline by anyone, with no dependency on Scell.io. (4) PostgreSQL triggers at the database level: any write to fiscal tables automatically creates the chain entry, even if the application code is bypassed. A complementary RFC 3161 TSA timestamp is available as an option.

The API and the website are served behind TLS 1.2 / 1.3 with Let's Encrypt certificates that auto-renew. HSTS enabled, ECDHE AES-GCM / CHACHA20 cipher suite. No client data crosses the network in clear text. The current certificate for api.scell.io and scell.io is valid until June 12, 2026.

Scell.io relies on the following providers, all bound by GDPR-compliant DPAs: Scaleway (hosting and storage, France, ISO 27001 and HDS), SuperPDP (Factur-X / UBL / CII generation engine and transmission via the PDP network, EU), an eIDAS-certified signature provider (EU-SES infrastructure and associated SMS OTP, EU), BulkGate (SMS gateway outside the signing flow, EU), OpenTimestamps (open public Bitcoin timestamping service — only a SHA-256 hash is submitted, no personal data leaves our infrastructure). The complete and up-to-date list is available in our privacy policy.