Reflexion on the french SAPIN LAW application

[flotho]

Dear Community,

I would like to start a thread regarding the SAPIN french law. From now the french administration is not really explicit about the ways to certify the Odoo solution. Does anyone has some legal info?

Here are some of the resources I found :

• http://revuefiduciaire.grouperf.com/article/3661/hb/20160919173548859.html
• https://www.april.org/point-detape-sur-la-nouvelle-reglementation-des-logiciels-de-gestion-et-de-comptabilite

Some part of the law seems to be easy to certify : Hosting / Backup / Recovery are easy for the community partners to be certified.

Regarding the durability of the datas I think we have a problem with the POS. From now the POS has been designed to be working without network and all the datas are stored inside the browser database. This point could be an issue if you consider how easy it is to get the datas from the internal database (and what about the debug mode allowing to flush the orders!!!) I have some little ideas on those points :

• Find a way to block some inappropriate operation from the POS (like in debug mode)
• Find a way to store every transaction in the POSBox from the POS
• Find a way to protect the browser database with encryption
• Find a way to deliver browser application with options preventing the user from acceding to the internal database.

None of those solutions looks enough for me(everything in the client part could be changed by an experienced user/ ethic hacker).

Odoo seems to have started a reflexion on this : https://github.com/odoo-dev/odoo/commits/9.0-l10n_fr-certification-lpe . It looks like Odoo is considering that only the account_cancel module could be a problem.

Some partners have started a reflexion, (BTW thanks to Sébastien Morelle) : https://anybox.fr/blog/logiciels-de-caisse-certifies

Maybe we could start a thread here https://odoo-community.org/groups/france-24

Any feedback would be appreciated.

Regards

[sisalp]

hello, this is the most operational document I know about this: http://brochures.sisalp.fr/referentiel-certification-systemes-caisse.pdf

Some comments

• The POS is obviously a big issue. In my opinion, it requires deep reconsideration. At first, just don't use it at all.
• The account_cancel is another problem, but not for this law : rewriting accounting journals has been forbidden in France for past 500 years, it is just a patch to come back on track with legal accounting.

Some people do register payments using Odoo, in particular they consider that they can give the invoice at the desk and register the payment by setting the "paid" status of the invoice. They are wrong, already today. They must conform to payment regulations now, independently of this law. In particular it is true for non-VAT business which is not concerned by the new rule.

The law now underlines these obligations and requires tools used to register payments to get certified. This is the only new point compared with today situation.

People who are correct today, I mean who register their payments on a cash register or a paper book can keep on, no change. People who used Odoo to register their payments should immediatly register them outside Odoo. Buy a cah register of a receipt official book. People who are using the POS have a problem. They can

• get a certificate from someone. Someone can be Odoo if they move to last enterprise, provided that we trust in Odoo capability to certify the Enterprise edition. Or someone can be a third party like Anybox, but here also we must be sure Anybox does understand the certification process, which their paper doesn't show (I made the same mistakes before I studied it deeper).
• replace the POS by another certified solution, for exemple by interfacing a cash register to Odoo.

Hope this helps.

[sebastienbeau]

@flotho regarding the point of sale on our side we think about

• removing the "offline feature" for the pos synchronisation. Indeed 2017 is cheaper to paid 2 Internet connexion than doing complex development, also it's easy to use your smartphone with 3G/4G. Today I have spend some time to check if it's possible, I just did a quick dirty poc for removing the synchronization here: https://github.com/OCA/pos/pull/172
• adding an hash computation on server side like in the odoo module for account move https://github.com/odoo/odoo/pull/16935

With that solution we are sure that no POS can be lost during the synchronization as the ticket will be generate only after the synchronization (and maybe we can generate it on server side so you can reprint a ticket from the backoffice easily).

We can also print the first letter/digit of the hash on the ticket, so every ticket are a proof of the inalterability. On pure accounting side we also work on module to edit invoice after the validation for the field that do not impact your accounting so we can drop account_cancel

[legalsylvain]

Hi @flotho,

Thanks a lot for beginning this thread ! We could in a first time enumerate each point, and after create little workshops for each point. I see the following points.

1. Developpers - Accounting Part : Secure accounting modules. Blocking account_cancel module, etc...
2. Developpers - PoS Part : Secure PoS features. Basically, what you said.
3. Admin - Hosting Part : what we have to do regarding hosting. (forbid admin access, etc...)
4. Legal - Customer Part : what kind of documents we have to give to the customers. A community module to generate pdf could be welcome.
5. Legal - Self Hosting Part : Most of us are selling Odoo for customers, but we have an instance for us. Is it self-certification allowed ?

do you see other points ? Thanks.

CC

• Anybox : @smorele
• Camp2Camp : @fclementic2c, @jgrandguillaume
• Akretion : @sebastienbeau, @alexis-via
• Syleam : @alnslang
• Acsone : @sbidoul
• Agipme : @mayjo79

kind regards.

[qdp-odoo]

Please, let us know your conclusions: on our side, so far, we don't plan to do anything more than the current l10n_fr_certification module proposition (except a signed document by Fabien certifying Odoo)

best regards

[sisalp]

Quentin : do you mean Odoo Enterprise will not pass through certification process ?

[fmdl]

I think there are an other point : it the software fingerprint. In page 8 of http://brochures.sisalp.fr/referentiel-certification-systemes-caisse.pdf, the certifcation need the software fingerprint. it is possible to calculate the fingerprint of odoo code and compare with the fingerprint save on Odoo website. (that like fiscal administration can know if But there are an issue with the external addons, every addons can access to every methode, I don't know if it is possible with python to protect the account methode. (or protect cr.execute)

Maybe use https://www.postgresql.org/docs/current/static/pgcrypto.html or http://docs.postgresql.fr/9.2/ssl-tcp.html to crypt database.

[alexis-via]

I propose we speak about this during the OCA code sprint in Barcelona https://odoo-community.org/event/barcelona-code-sprint-2017-05-29-2017-05-31-58/register It will be a good opportunity to exchange our ideas and update the status of the work on this. At Akretion, we already started some devs on this topic and we will continue (maybe during the code sprint too).

[alexis-via]

For those who missed the info : https://www.lesechos.fr/thema/030387673950-revirement-bienvenu-en-matiere-de-logiciels-certifies-2094788.php The law will be changed and should only target POS software (not accounting software).

[legalsylvain]

I just made a PR to manage certification for PoS. (and for account, even if it does'nt seems necessary anymore, given the last @alexis-via remark). Thanks for your review.

https://github.com/OCA/l10n-france/pull/108

[flotho]

Thanks to the community for the tips http://proxy-pubminefi.diffusion.finances.gouv.fr/pub/document/18/22503.pdf

[Auneor]

Hi everyone How about centralizing/synchronizing the dev/discussions between all partner? I think the complexity of the law/devs needed make it difficult to have everything in a single thread like here. So some devs have been done in order to backport the odoo module l10n_fr_certification and make the pos compliant for v8 https://github.com/OCA/l10n-france/pull/108 I think there is still some problems, with the approach that odoo propose; indeed, nothing is proposed to close an accounting period, see the point 110 in http://bofip.impots.gouv.fr/bofip/10691-PGP Another problem, is with a test/demo database, that must modify reports and pos tickets to include "TEST" or "FACTICE" (point 150 from the previous URL) I didn't see anything done in l10_fr_certification for v9/10 to secure/hash PoS operation like payments, bill emited, I think it's critical and needed to comply with the law (point 130 and 140) We made a github repository here https://github.com/MohammedAuneor/lf2016 (because we didn't find this thread here when we decided to do it) but we are open to move the discussion somewhere else, here, or on other support. The approach I was thinking was more to use a global table with hashes for all the application, and to choose more carrefully what is hashed and stored in a secure/inalterable way. The only problem I see is with the point 220, that says: _Elle doit prévoir un dispositif technique garantissant l'intégrité dans le temps des archives produites et _leur conformité aux données initiales de règlement à partir desquelles elles sont créées.__ Regards

[legalsylvain]

Hi @MohammedAuneor,

Welcome in the community.

How about centralizing/synchronizing the dev/discussions between all partner? I think the complexity of the law/devs needed make it difficult to have everything in a single thread like here.

Well, this thread has a avantage to join various people of the OCA community. Let's go continuing with this, and if we have to create later work group, it will be more easy.

I think there is still some problems, with the approach that odoo propose; indeed, nothing is proposed to close an accounting period, see the point 110 in http://bofip.impots.gouv.fr/bofip/10691-PGP

Accouting is now out of the scope of the law, just Point of sale. See @alexis-via comment. (https://github.com/OCA/l10n-france/issues/105#issuecomment-309730886). Anyway, this part should be out of the l10n-france thread, because many countries require to close accounting period, and it's a global problem. And even if, it is managed by the module l10n_fr_certification_account, (#108). As all the entries are ordered, it is trivial to check that an 2016 entry has been written in 2017.

Another problem, is with a test/demo database, that must modify reports and pos tickets to include "TEST" or "FACTICE" (point 150 from the previous URL)

Good idea ! for me, it's optional, because not all configurations provide test / demo servers. But overloading all report will be a mess, and will not be very secure, as it's possible for end user to edit custom report. What about a more light approach ? As company name is set on all the report and bill, It will be more easy to just rename your company, or to have a little module, depending on xx_environment OCA / server-tools module that overload name_get function of res.company, to add (DEMO) at the end of the name.

I didn't see anything done in l10_fr_certification for v9/10 to secure/hash PoS operation like payments, bill emited, I think it's critical and needed to comply with the law (point 130 and 140)

Indeed, we have to port l10n_fr_certification_pos module. Feel free to review #108. It should be cool to have a stable 8 version, before porting it. and it will not need a lot of work.( some JS work)

The only problem I see is with the point 220, that says: Elle doit prévoir un dispositif technique garantissant l'intégrité dans le temps des archives produites et leur conformité aux données initiales de règlement à partir desquelles elles sont créées.

I don't understand that point. This is a matter of adminsys people, to grant backup. What do you propose ?

Thanks for your comment. kind regards.

[sisalp]

2017-07-21 16:46 GMT+02:00 Sylvain LE GAL notifications@github.com:

The only problem I see is with the point 220, that says: Elle doit prévoir un dispositif technique garantissant l'intégrité dans le temps des archives produites et leur conformité aux données initiales de règlement à partir desquelles elles sont créées.

I don't understand that point. This is a matter of adminsys people, to grant backup. What do you propose ?

I'm afraid 1 this point is the main one and we must all understand it. 2 no, it is not a sys-admin aspect, but THE feature any POS software MUST conform to. All others are at best "nice-to-have" only.

[legalsylvain]

Hi @sisalp. Please, be more precise.

1. What do you propose ?
2. Whad did you plan to do for your enterprise ?

regards.

[sisalp]

2017-07-21 19:29 GMT+02:00 Sylvain LE GAL notifications@github.com:

Hi @sisalp. Please, be more precise.

What do you propose ?

This law about a set of precise requirements, if you want to build a solution which conforms, you have to pass the qualification tests. The requirement Auneor talks about is key. AFAIU, some may make an error when they think they may issue attestations on a software which definitly doesn't pass most of the tests or with even no plan at all. I follow this thread trying to understand if the community will address the questions:

• is it feasable first, then maintainable ?
• are there a migration path and service offreings for existing customers.

Whad did you plan to do for your enterprise ?

For my enterprise ? I don't use Odoo. For my hosted customers who use the POS (few), either they ask their integrator, or I redirect them to people who propose solutions (few also) and they make their own choice. I'm not sure going down to more details would help in this discussion.

[jcchoquet]

For those who missed the info : https://www.economie.gouv.fr/files/files/directions_services/dgfip/controle_fiscal/actualites_reponses/logiciels_de_caisse.pdf Accouting is in of the scope of the law, for people not subject to VAT.

[fgi-odoo]

We are going to upgrade l10n_fr_certification for POS module in order to be compliant with the new legislation that we read carefully. This new module will be released asap and will be available for versions 9, 10 & 11.

Here are the functionalities we plan to cover:

• no way to cancel POS orders and journal entries
• no way to cancel or modify the balance of payment journal statements (access from POS sessions)
• hash computation on POS orders and journal entries
• interface to check the inalterability of POS orders and journal entries
• Computation of payment period's grand total (daily, weekly, monthly periods) > new object
• download of the mandatory certificate (only available for Odoo Enterprise & Online)

Is there anything else we should take into account? Have you already developed new modules covering those aspects? Your feedback will be much appreciated. Thanks!

[sisalp]

2017-10-16 16:39 GMT+02:00 fgi-odoo notifications@github.com:

Is there anything else we should take into account? Have you already developed new modules covering those aspects? Your feedback will be much appreciated. Thanks!

What is the level of coverage of theses tests : http://brochures.sisalp.fr/referentiel-certification-systemes-caisse.pdf ? Which don't conform ?

[legalsylvain]

Hi @fgi-odoo. Thanks a lot to ask to the community. Very appreciated. Are you responsible of Point Of Sale in Odoo ?

The point are pretty clear for me, except two :

• cumulative sessions for POS (daily, weekly, monthly) + computation of session's grand total

Are talking about the possiblity to generate pdf with daily / weekly / etc.. information ? Not sure to understand.

• download of the mandatory certificate (only available for Odoo Enterprise & Online)

Are you talking about the possibility to generate via Odoo the certificate. (pdf too).

thanks for your precision.

kind regards.

[legalsylvain]

@sisalp : your document is outdated. Don't it ? (décembre 2016)

After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community.

regards.

[jcchoquet]

Hi @fgi-odoo, if you see this link : https://www.economie.gouv.fr/files/files/directions_services/dgfip/controle_fiscal/actualites_reponses/logiciels_de_caisse.pdf it is not only the POS of concerned, but also the customer payments in Odoo...

[sisalp]

2017-10-16 17:42 GMT+02:00 Sylvain LE GAL notifications@github.com:

@sisalp : your document is outdated. Don't it ? (décembre 2016)

I didn't see any evolution about how a device can be tested in the law. All discussions I saw were about environment (who, how, why...), not about compliance.

After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community.

I don't know about these remarks. Did they change the requirements ? Any pointer ?

regards.

[sisalp]

Answering to my-self: I guess you refer to a comment in this list. Yes of course, I followed this carefully. The document I pointed is up to date from my standpoint.

2017-10-16 18:03 GMT+02:00 Dominique Chabord dominique.chabord@sisalp.org:

2017-10-16 17:42 GMT+02:00 Sylvain LE GAL notifications@github.com:

@sisalp : your document is outdated. Don't it ? (décembre 2016)

I didn't see any evolution about how a device can be tested in the law. All discussions I saw were about environment (who, how, why...), not about compliance.

After the election of Macron, see @jcchoquet remarks. If you find a up-to-date document, please share to the community.

I don't know about these remarks. Did they change the requirements ? Any pointer ?

regards.

-- Dominique Chabord - SISalp Logiciel libre pour l'entreprise Tryton et open-source Odoo, OpenERP Les Millières 74230 Serraval - France tel(repondeur) +33(0)950274960 fax +33(0)955274960 mob +33(0)622616438 http://sisalp.fr http://boutique.sisalp.fr https://twitter.com/SISalp l'actualité de vos services en temps réel.

[jcchoquet]

when I have contacted the DGFIP for this law, i have this response :

[legalsylvain]

Hi @jcchoquet thanks a lot for your link.

regards.

[fgi-odoo]

@legalsylvain yes I'm the product owner for all the sales apps (sales, pos, ecommerce, etc.).

• Cumulative sessions: This refers to topics 28, 29 & 30 of https://www.economie.gouv.fr/files/files/directions_services/dgfip/controle_fiscal/actualites_reponses/logiciels_de_caisse.pdf. We need to store the total of daily, weekly & monthly sessions and include a sum check in the inalterability tests. Therefore we think about a new business object, atop the journal entries for payments.
• Certificate: yes it is to download it in PDF.

@jcchoquet: for now balance of POS payment journals can be edited from the Accounting menu since statements stay in draft as long as you don't close the session. So the idea is to prevent the editing of such draft statements if they relate to POS journals. Therefore the only way to make corrections is through the frontend with plus and minus operations, as stated in the new regulation.

[jcchoquet]

@fgi-odoo : the new regulation is not only for cash but for all methods of payment (see topic 11 of link) for me, Accounting is in of the scope for the sales "BtoC".

[fgi-odoo]

@jcchoquet Indeed! So we will stick to the initial plan and prevent users from cancelling any journal entry, including confirmed account payments.

[jcchoquet]

the certification will be made also for the community version ?

[fgi-odoo]

No. To be certified the user will be requested to download the certificate. And this certificate will be only delivered to Enterprise customers.

[jcchoquet]

Otto Runarsson said me that the community version was certified... the accounting is in the community version, what do we will say to the customers which have the community version?

[fgi-odoo]

They will have to upgrade to Odoo Enterprise.

[jcchoquet]

for the small companies or the companies with lot of specific developpment it is not easy! I think this companies will must leave Odoo, the cost is too important to migrate...

[tkFontaine]

Hi, That module isn't enought to validate certification ? @fgi-odoo What do you mean "Enterprise customers" ? If I'm a partner, will I get that certificate ?

[jcchoquet]

@fgi-odoo, see the topic 32 of link, the certificate of the community version is possible (as for the entreprise version), if the integrator modify the accounting module it's him who is responsable...

[tkFontaine]

@jcchoquet Who's Otto Runarsson ?

[jcchoquet]

a business consultant Odoo...

[jcchoquet]

last news : As of January 1st 2018, French companies registering payments from their customers using a cash registering and/or an accounting system will be required to satisfy to certain conditions in terms of inalterability, security, storage and archiving of data (CGI art. 286, I. 3°bis).

Very soon, Odoo will launch a new module to install in your system in order to comply with those new requirements. Through it, Odoo Online and Enterprise users will be able to download the mandatory compliance certificate to deliver to the tax authorities in the event of a fiscal audit. This certificate will not be delivered to users of Odoo Community.

[sisalp]

thank you any pointer to a source ?

2017-10-18 16:37 GMT+02:00 Oxilia-info notifications@github.com:

last news : As of January 1st 2018, French companies registering payments from their customers using a cash registering and/or an accounting system will be required to satisfy to certain conditions in terms of inalterability, security, storage and archiving of data (CGI art. 286, I. 3°bis).

Very soon, Odoo will launch a new module to install in your system in order to comply with those new requirements. Through it, Odoo Online and Enterprise users will be able to download the mandatory compliance certificate to deliver to the tax authorities in the event of a fiscal audit. This certificate will not be delivered to users of Odoo Community.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

-- Dominique Chabord - SISalp Logiciel libre pour l'entreprise Tryton et open-source Odoo, OpenERP Les Millières 74230 Serraval - France tel(repondeur) +33(0)950274960 fax +33(0)955274960 mob +33(0)622616438 http://sisalp.fr http://boutique.sisalp.fr https://twitter.com/SISalp l'actualité de vos services en temps réel.

[jcchoquet]

the source is an email of Odoo.

[sisalp]

Thank you.

For non-french readers, the letter from Odoo says that Odoo-Enterprise and Odoo-Saas will be attested by Odoo-SA. Traçability of code will be insured by an additional module. No mention of any restriction of any kind to keep this attestation valid.

So if you trust in Odoo, you can expect your system to actually conform to the rules and you will be protected from lawsuits. We can expect the format of the attestation will be the one demanded by the admnistration.

This fits with previous comitments made byOdoo a year ago.

[legalsylvain]

Hi @fgi-odoo, Thanks for your answers. I don't understand the following point :

No. To be certified the user will be requested to download the certificate. And this certificate will be only delivered to Enterprise customers.

I don't understand why ? This is the same code for point of sale CE and EE. (loyalty module excepted, that has nothing to do with the certificate). So, if you can provide a certificate for EE, you can do it too for CE. Or did I miss something ?

thanks for the clarification.

[alexis-via]

@legalsylvain @fgi-odoo The certification is an engagement that the issuer of the certificate takes for his customer on the behavior of the software. The issuer of the certificate can get a fine the software is not compliant. So it is obvious that no company can do that for free.

But the law says that an integrator can also issue the certificate for this customer, cf http://bofip.impots.gouv.fr/bofip/10691-PGP.html?identifiant=BOI-TVA-DECLA-30-10-30-20160803 section 310 second entry. So, if a company runs Odoo CE, it can ask its integrator to issue a certificate. Then the integrator who issue the certificate will support the associated responsability and risks for that customer.

[jcchoquet]

@alexis-via, I am Ok with your second point. But Odoo could distribute the famous new module that allows certification for the community version (for a fee par exemple) and that it is the integrator who certifies the solution to his client, no ?

[legalsylvain]

@alexis-via :

• There is a difference between doing it for free and force users to switch to the EE Edition. Do you see the nuance ?
• I just say that once the certification work is done. (code compliance, etc.) It doesn't need extra work to certificate the CE edition as it is the same code.

So I think that do not provide certification of Odoo CE is a political choice of Odoo SA, which will harm open source side of Odoo, (at least in France). And saying that it is enough to contract with an integrator is not pro - open source comment.

regards.

[fgi-odoo]

The module will be available on community version of course. As long as Odoo provides the certificate, this will be only for Enterprise users. However we plan to get certified by an official certifier early 2018. If this really happens the certifier would distribute the certificate to any Odoo user.

[jcchoquet]

@fgi-odoo , it's really official ?

[tkFontaine]

@fgi-odoo Thank you for your feedback. Could you explain what do you mean by "the certifier would distribute the certificate to any Odoo user" ? Officialy, there are only 2 certifier (LNE & INFOCERT).

[fgi-odoo]

It's not official. By law we are not allowed to communicate more details about that unfortunately. And for sure this would not happen before 2018. The implications of that still need to be discussed.

Our goal for now is to provide the community asap with a module that makes Odoo compliant with the functional requirements of the new legislation. When it comes to the certificate, Odoo will deliver it to Enterprise users. It's an important commitment of Odoo legally speaking so we can't provide it to anyone without control. As said earlier, any integrator can deliver its own certificate to its Community customers.

We'd appreciate your feedback about the specifications listed here above. More especially about the computation of period's cumulative grand total and perpetual total for daily, weekly and monthly payment sessions (see topic 28 in FAQ). It seems to us that we need a new "session" object above the payment journal entries. But POS payments are only posted once the POS session closed, and there is no time constraint on closing POS sessions. What do you think? How would you do that?

Thanks!

[jcchoquet]

Not before 2018 ? but the law must be applied at 1st january. You think the module will be available before 2018 ? thanks for the community to provide a module!! it's a good news. For me, the payments must be saved immediately, for the POS or not (payment on invoice). See topic 19 and 20 in FAQ, if a payment must be modified, the modification must be trace.