Collection Integration with Accounting Systems

1. Purpose and Scope

This document describes how accounting/ERP systems integrate with the Sunbay Collection Platform to enable:

• Single collection flows: collection workflows defined per invoice, composed of one or more Email/SMS steps executed according to a configured notification schedule.
• Recurring collection flows: workflows that periodically aggregate all unpaid invoices for each recipient and send Email or Email + SMS notifications according to a configured frequency.

The integration is designed as one-way data ingestion into Sunbay:

• The accounting system remains the system of record for invoices and their financial lifecycle.
• Sunbay reads invoice and debtor data from external data sources and uses it to drive collection flows.
• Sunbay does not modify accounting data via API; any reconciliation into accounting is handled by the organisation’s own processes (e.g. posting rules, imports, reporting).

Invoicing data can be provided to Sunbay via two primary mechanisms:

• Direct API integration with accounting software (preferred where the system exposes suitable endpoints).
• Google Sheets data source, populated from exported invoice data (e.g. CSV exports) when the accounting system does not expose APIs.

This document focuses on:

• Integration endpoints and data sources used by Sunbay.
• Data model and mapping (invoice and debtor data required by Sunbay).
• Security and compliance (transport, authentication, data protection).
• Operational aspects (scheduling, idempotency, error handling).

---

2. High-Level Architecture

• Accounting/ERP System
  • Exposes a secure HTTP(S) API that returns invoicing data required for collections, or
  • Allows export of invoices (e.g. CSV) which can be loaded into a Google Sheets document connected to Sunbay.
  • Applies business rules to decide which invoices are eligible for collection.
• Data Source Layer
  • API-based source: a REST-style API exposed by the accounting system or an integration layer in front of it.
  • Spreadsheet-based source: a Google Sheets document containing invoice and debtor data, regularly refreshed from the accounting system via exports/imports or automation.
• Sunbay Collection Platform
  • Periodically reads and refreshes data from configured sources (API or Google Sheets) to obtain the current list of invoices to be paid.
  • Maps and validates data and injects it into single and recurring collection flows.
  • Orchestrates notification workflows (Email and/or SMS) according to configured schedules and frequencies.
  • Provides delivery status and reporting for notifications (Email/SMS sent, delivered, opened, clicked) in per-flow overviews, and aggregates key metrics across all collection flows in global dashboards.
• Direction of communication
  • Integration is one-way into Sunbay: data is pulled or read from external sources; external systems do not call Sunbay as part of this process.
  • There is no requirement for webhooks or callbacks from Sunbay into the accounting system.

---

3. Data Model and Mapping

3.1 Core Entities

Each invoice record provided to Sunbay (via API or Google Sheets) is mapped to internal invoice and recipient entities. The following fields are used by the current collection implementation.

• Invoice identification
  • InvoiceNumber (string, required): Invoice identifier used across the platform.
  • InvoiceId (string, optional): External system identifier for the invoice.
• Amounts and currency
  • Amount (decimal, required): Invoice amount.
  • Currency (string, required): Currency code.
• Recipient (customer) details
  • CustomerName (string, required): Recipient name, used in messages and UI.
  • CustomerAddress (string, required): Recipient address, used in email templates.
  • CustomerPhoneNumber (string, required for SMS): Used for SMS delivery and validation.
  • CustomerEmail (string, required for email): Used as primary email recipient.
  • CustomerEmailCc (string, optional): Additional email recipient (CC).
  • CustomerId (string, optional): External system identifier for the customer.
• Invoice dates and terms
  • IssueDate (DateTime?, optional): Invoice issue date.
  • DueDate (DateTime, required): Invoice due date, used for scheduling.
• Payment and document data
  • BankAccount (string, required): Bank account used in templates and validations.
  • InvoiceUrl (string, optional): Public URL to the invoice document, used for attachments when the accounting system exposes accessible links.
• Other fields
  • CustomFields (Dictionary<string,string>?, optional): Custom key–value pairs exposed in the UI and templates where configured.

3.2 Example Unpaid Invoices Response (Customer Endpoint → Sunbay)

Sunbay expects the customer integration endpoint (described in section 5) to return a list of unpaid invoices.
The example below shows the expected shape of a single invoice object in the invoices array.

Example response payload:

{
  "invoices": [
    {
      "invoiceNumber": "2025-0001",
      "invoiceId": "12345",
      "customerName": "Example Seller Sp. z o.o.",
      "customerId": "54321",
      "customerCountryCode": "PL",
      "customerAddress": "Street 1, 00-000 City, Country",
      "customerPhoneNumber": "+48123456789",
      "customerEmail": "john.doe@example.com",
      "customerEmailCc": "accounting@example.com",
      "issueDate": "2025-12-01T00:00:00Z",
      "dueDate": "2025-12-25T00:00:00Z",
      "amount": 199.99,
      "currency": "PLN",
      "bankAccount": "PL00105000997603123456789123",
      "invoiceUrl": "https://example.com/invoices/2025-0001.pdf",
      "customFields": {
        "contractNumber": "AKG321"
      }
    }
  ]
}

Sunbay maps the invoices array from the customer endpoint to its internal invoice and recipient models using the fields described in section 3.1.

---

4. End-to-End Process Flows

4.1 Single Collection Flow

1. Sunbay ingests invoices from configured data sources
   • API-based integration: Sunbay calls the configured Invoicing/Collections API on an agreed schedule (e.g. every 15 minutes, hourly, daily) and requests invoices that are new or updated since the last sync.
   • Google Sheets–based integration: Sunbay reads invoices from a configured sheet that is populated from exported accounting data.
2. Validation and mapping in Sunbay (single process)
   • Sunbay validates mandatory fields for single flows (customer name, invoice number, customer contact data, etc.).
   • Invalid or incomplete records are flagged in Sunbay for review and are not sent for collection until corrected.
3. Creation of collection items and notifications in Sunbay
   • For each valid invoice, Sunbay creates an internal single collection item.
   • Collection steps (email/SMS) are scheduled per invoice; each notification relates to exactly one invoice and uses that invoice’s data for placeholders and attachments.
4. Status visibility
   • Collection statuses are visible in Sunbay and can be used for reconciliation and reporting.
   • The accounting/ERP system remains the system of record for financial postings; Sunbay does not update accounting entries.

4.2 Recurring Collection Flow

1. Sunbay ingests invoices for recurring flows
   • Invoices are imported for a recurring collection flow using the same invoice structure as for single flows.
2. Validation and mapping in Sunbay (recurring process)
   • Sunbay validates mandatory fields for recurring flows (invoice number, customer contact data, bank account, etc.).
   • Invalid or incomplete records are flagged in Sunbay for review and are not sent for collection until corrected.
3. Grouping logic for recurring collections
   • Sunbay groups invoices by recipient using CustomerId.
   • For each customer, Sunbay creates a recurring collection condition instance which aggregates all unpaid invoices.
4. Recurring handling and notification pattern in Sunbay
   • When recurring conditions are scheduled and executed, Sunbay sends one notification per recipient rather than per invoice.
   • Email notifications contain a table of all invoices included in the condition instance, along with an aggregated summary (for example total amount due per currency).
   • SMS notifications can include a comma-separated list of invoice numbers in the message body, representing all invoices covered by that recurring reminder.
5. Status and reporting
   • Collection statuses are visible in Sunbay and can be used for reconciliation and reporting.
   • The accounting/ERP system remains the system of record for financial postings; Sunbay does not update accounting entries.

---

5. Integration Interface (API-Based Source)

5.1 Endpoint Overview

For direct API integration, Sunbay expects a REST-style HTTP(S) API exposed by the accounting system or an integration layer. Typical pattern:

• HTTP Method: POST (recommended) or GET.
• URL: Agreed per environment (e.g. https://example.com/api/collections/invoices).

The API should return a list of unpaid invoices and MAY support filters and paging, for example:

• Returning all currently unpaid invoices in a single call, or
• Returning unpaid invoices for a given period or filter (for example fromDueDate / toDueDate, or updatedSince), and/or
• Returning invoices in pages when the volume is high.

The exact filtering and pagination strategy is decided and implemented by the integrating company.

5.2 Request Example (POST)

{
  "pageSize": 500,
  "pageNumber": 1
}

• pageSize: Maximum number of invoices in one page.
• pageNumber: Number of the page to return (starting from 1).

5.3 Response Example

The response body contains an invoices array with invoice objects in the shape described in section 3.2. For example:

{
  "invoices": [
    {
      "invoiceNumber": "2025-0001",
      "invoiceId": "12345",
      "customerName": "Example Seller Sp. z o.o.",
      "customerId": "54321",
      "customerCountryCode": "PL",
      "customerAddress": "Street 1, 00-000 City, Country",
      "customerPhoneNumber": "+48123456789",
      "customerEmail": "john.doe@example.com",
      "customerEmailCc": "accounting@example.com",
      "issueDate": "2025-12-01T00:00:00Z",
      "dueDate": "2025-12-25T00:00:00Z",
      "amount": 199.99,
      "currency": "PLN",
      "bankAccount": "PL00105000997603123456789123",
      "invoiceUrl": "https://example.com/invoices/2025-0001.pdf",
      "customFields": {
        "contractNumber": "AKG321"
      }
    }
  ]
}

5.4 Error Responses

Standard HTTP status codes and a structured error body are recommended, for example:

• 400 – Invalid request payload or parameters.
• 401 / 403 – Authentication/authorization failure.
• 429 – Rate limit exceeded (if applicable).
• 500 – Unexpected server error.

Error body example:

{
  "errorCode": "INVALID_PARAMETER",
  "message": "fromDate must be a valid ISO 8601 date.",
  "correlationId" : "47d96e4c-314c-45cc-a979-1c0928729169"
}

---

6. Security

6.1 Transport Security

• All calls from Sunbay to API endpoints MUST use HTTPS/TLS 1.2+.
• Only strong cipher suites and secure protocol versions should be allowed.

6.2 Authentication and Authorization

For API-based integrations, several options are supported; the final choice aligns with the organisation’s security policies:

• API Key
  • A dedicated API key is issued for Sunbay.
  • The key is sent in a header (e.g. x-api-key).
  • Simpler to implement than OAuth2.
• OAuth 2.0 Client Credentials
  • Sunbay obtains an access token from an Identity Provider using client ID/secret.
  • Each API call includes Authorization: Bearer <access_token>.
  • Scopes/roles in the IdP define what Sunbay is allowed to access.

In all cases:

• Access is limited to a dedicated technical client for Sunbay.
• Authorisation rules in the API ensure that this client only accesses data belonging to the configured scope.

6.3 Data Protection

• In transit: All data is encrypted using TLS.
• At rest in Sunbay:
  • Data is stored in encrypted databases.
  • Backups are encrypted as well.
  • Sunbay stores only data necessary to execute collections and operate flows.

6.4 Logging and Audit

• Sunbay logs all incoming/outgoing API calls with:
  • Timestamp, endpoint, HTTP status code, correlation IDs.
• Sensitive fields (API keys, tokens, full account numbers) are never logged.
• Audit trails are kept for key operations (e.g. changes to collection configurations and flows).

6.5 Secrets Management

• Credentials (client secrets, API keys, certificates) used for integrations are stored in a secure secrets manager or in an encrypted database, depending on the chosen authorization type.
• Secrets are rotated according to agreed schedules and procedures.
• Secrets are never embedded in code or configuration files.

6.6 Infrastructure and Data Processing

• Hosting platform
  • Sunbay backend services and databases are hosted in Microsoft Azure data centres located in the European Union.
  • All application data handled as part of collection flows (invoices, recipient details, configuration) is stored and processed within this Azure environment.
• Email delivery (SendGrid)
  • Sunbay uses SendGrid as the email delivery provider.
  • SendGrid is configured to use European infrastructure for sending and processing emails related to Sunbay notifications.
  • Only the data required to send notifications (e.g. recipient email address, name, and message content) is passed to SendGrid.
• SMS delivery (SMSApi)
  • Sunbay uses SMSApi as the SMS delivery provider.
  • SMSApi is configured to use European infrastructure for sending and processing SMS notifications.
  • Only the data required to send SMS (e.g. recipient phone number and message content) is passed to SMSApi.
• Data processing flow
  • Invoice and recipient data is received from the customer system, stored in Azure databases, and used to generate Email/SMS notifications according to configured flows.
  • For Email notifications, relevant recipient and message data is transmitted securely to SendGrid for delivery.
  • Delivery events (e.g. sent, opened, clicked) are processed back into Sunbay for reporting and monitoring.

---

7. Idempotency, Retries, and Robustness

7.1 Idempotency

To avoid duplicate processing in API-based integrations:

• Sunbay can send a request identifier (e.g. X-Request-Id header) on each call.
• The API should treat repeated requests with the same identifier as idempotent (same response or safe no-op).
• Within the payload, the combination of InvoiceId (or InvoiceNumber) and CustomerId should uniquely identify an invoice.

7.2 Retries

• If Sunbay receives a transient error (network failure or 5xx status), it will retry with exponential backoff.
• 4xx errors (e.g. validation issues) are treated as non-transient and surfaced as integration errors.
• APIs should be prepared for occasional retries of the same request and handle them idempotently.

7.3 Correlation and Troubleshooting

• Error responses from APIs should include a correlationId that is logged on the provider side.
• Sunbay logs its own correlation identifier for each request.
• During incident analysis, these identifiers can be used to quickly locate relevant log entries across systems.

---

8. Scheduling and Time Handling

• Pull frequency
  • Sunbay reads from configured data sources on a configurable schedule, e.g. every 15 minutes, hourly, or daily.
  • Frequency is agreed during onboarding based on volume and operational needs.
• Time zones and date formats
  • All timestamps exchanged via API should be in UTC using ISO 8601 (e.g. 2025-12-19T10:00:00Z).
  • If local dates are also exposed (e.g. local due dates), the time zone context should be clearly documented.

---

9. Non-Functional Requirements

• Performance
  • APIs should be capable of returning up to an agreed number of invoices (e.g. 500–5000) within a reasonable time (e.g. < 5–10 seconds per page).
  • Pagination is required for high-volume scenarios.
• Availability
  • Integration endpoints should be available during agreed collection windows.
  • Sunbay is designed for high availability and will surface errors if endpoints are unavailable beyond retry thresholds.
• Rate limiting
  • If APIs enforce rate limits, these should be aligned with Sunbay’s call frequency.
  • Error 429 Too Many Requests with clear Retry-After headers is recommended.

---

10. Onboarding and Configuration Checklist

• Network & Security
  • Agree base URL(s) for integration APIs (test and production).
  • Choose and configure authentication method (OAuth2, API key).
• API Design
  • Finalise request/response schemas (fields, types, mandatory/optional fields).
  • Implement support for pageSize, pageNumber.
  • Standardise error response format including correlationId.
• Google Sheets Design (if sheet-based)
  • Define sheet structure and column mapping to the fields in section 3.
  • Establish a robust process to keep the sheet in sync with accounting data (manual export/import, automation, or scheduled scripts).
• Data Mapping
  • Map internal accounting fields (invoice, customer, amounts, dates, bank account) to the fields listed in section 3.
  • Decide how to populate optional fields such as invoiceUrl and customFields.
• Scheduling & Operations
  • Agree the initial frequency for Sunbay to read from each data source.
  • Define retry thresholds and alerting/monitoring on all sides.
• Testing
  • Set up a test/sandbox environment or test data set for integrations.
  • Run end-to-end tests for:
    • Single collection scenarios (per-invoice notifications).
    • Recurring scenarios (per-recipient notifications with invoice lists).
    • Error scenarios (invalid data, unavailable API, rate limiting, malformed sheet content).

---

11. Open Questions for Integrating Teams

To tailor this integration to a specific environment, the following aspects are typically clarified during onboarding:

1. Authentication model (API-based)
   • Preferred mechanism for Sunbay calling integration APIs: API key or OAuth2 client credentials.
2. Network topology
   • Whether access will be over the public internet with IP allowlisting, or via VPN/private connectivity.
3. Data model specifics
   • Which fields (e.g. in SAP or other accounting systems) map to InvoiceId, InvoiceNumber, etc.
4. Eligibility rules
   • Conditions that determine that an invoice is eligible for collection (e.g. status, days overdue, dunning level, manual flags).
5. Volume expectations
   • Expected daily and peak volumes of invoices to be collected.
   • Specific time windows (e.g. end-of-month) with significantly higher volume.
6. Error handling preferences
   • Behaviour when an API or sheet-based source contains a mixture of valid and invalid invoices:
     • Ignore invalid entries and continue, or fail the batch/page and require correction and retry.

Clarifying these points allows Sunbay to finalise configuration and proceed with implementation and end-to-end testing of collection flows.