CAE Market security: integrity, traceability and compliance
5 layers of control protecting buyers, sellers and the regulator. The Secondary CAE Market is a newly created regulated market: technical trust is the primary adoption factor, ahead of price and interface.
The architecture described below corresponds to the version audited on 19 April 2026: internal regulatory compliance audit at 99.3% across 156 control points (10 domains, 151 compliant, 1 justified partial, 0 non-compliant, 4 not applicable).
Overview: five security layers
Each layer addresses a specific threat in the lifecycle of a CAE on a secondary market: improper access, order book manipulation, contract repudiation, double selling and registry tampering. The five layers run sequentially for each order and can be audited independently by the competent regulators.
- Layer 1, Controlled access: KYC, MITECO accreditation, 150% penalty clause
- Layer 2, Order book: deterministic matching, anti wash trading detector
- Layer 3, eIDAS signature: EU Regulation 910/2014 Art. 25, SHA-256 audit trail
- Layer 4, SEPA flow: CAE frozen in transit, no custodial escrow
- Layer 5, Immutable audit: append-only triggers, external CSV with SHA-256 digest
Controlled access and KYC
No operator can post or cross orders without first having passed the Know Your Customer (KYC) procedure applied by CertificAhorro. The control combines automated verifications against public databases and manual review by HM Capital SARL's compliance team.
Mandatory items of the KYC file:
- For Sujetos Delegados: verification of the MITECO accreditation (Art. 9 of Real Decreto 36/2023) cross-checked against the public SD registry published by the Ministry for the Ecological Transition.
- For Sujetos Obligados: verification of obligated-party status pursuant to Art. 70 of Ley 18/2014 (accredited retailers and distributors).
- Official identity document of the legal representative with proven powers of representation.
- CIF and company name cross-checked against public databases (commercial registry, MITECO directory).
- Sworn statement regarding the intermediation chain. Art. 6 of Real Decreto 36/2023, in its interpretation applicable since 15 December 2024, limits the chain to a single intermediary between the action's executor and the Sujeto Obligado. The statement is reinforced by a penalty clause of 150% of the amount in the event of proven falsehood.
The validation period is 2 to 5 business days. The review is manual and not subcontracted. Accreditation is renewed annually and suspended immediately if any of the supporting documents ceases to be valid (MITECO certificate expiry, loss of regulatory role, unreported change of representative).
Order book integrity
The order book applies a deterministic matching algorithm with price-time priority (FIFO within the same price level). The rules are published in the Market Terms and Conditions: at equal price, the order posted first prevails; a price improvement displaces the later order. There are no hidden prioritizations, rebates or market makers subsidized by the platform.
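A minimal price-time priority book, as an added example (not CertificAhorro's code). Integer cent prices, the tuple layout of orders and execution at the resting order's price are assumptions; the sample orders are constructed.

```python
import heapq
from itertools import count

class OrderBook:
    """Price-time priority book. Prices are integer euro cents per MWh (assumed unit)."""

    def __init__(self):
        self._seq = count(1)   # arrival counter: the FIFO tie-breaker
        self._bids = []        # heap of (-price, seq, order): highest price first
        self._asks = []        # heap of (price, seq, order): lowest price first

    def submit(self, order_id, side, price, mwh):
        """Match an incoming order; return fills as (buy_id, sell_id, price, mwh)."""
        order = {"id": order_id, "price": price, "mwh": mwh}
        own, opposite = (self._bids, self._asks) if side == "buy" else (self._asks, self._bids)
        fills = []
        while order["mwh"] > 0 and opposite:
            resting = opposite[0][2]
            if side == "buy" and resting["price"] > price:
                break
            if side == "sell" and resting["price"] < price:
                break
            qty = min(order["mwh"], resting["mwh"])
            buy_id, sell_id = (order_id, resting["id"]) if side == "buy" else (resting["id"], order_id)
            # Assumption: the trade executes at the resting order's price.
            fills.append((buy_id, sell_id, resting["price"], qty))
            order["mwh"] -= qty
            resting["mwh"] -= qty
            if resting["mwh"] == 0:
                heapq.heappop(opposite)
        if order["mwh"] > 0:
            # Unfilled remainder rests in the book, ranked by price and then arrival.
            key = -price if side == "buy" else price
            heapq.heappush(own, (key, next(self._seq), order))
        return fills

def replay(orders):
    """Run an order sequence through a fresh book; the same input gives the same fills."""
    book = OrderBook()
    return [fill for o in orders for fill in book.submit(*o)]

# Constructed sample: S1 and S2 share a price, S3 improves on it afterwards.
SAMPLE = [("S1", "sell", 10000, 50), ("S2", "sell", 10000, 50),
          ("S3", "sell", 9900, 30), ("B1", "buy", 10000, 100)]
```

Replaying `SAMPLE` fills S3 first (better price), then S1 before S2 (earlier arrival at the same price), which is what an auditor would check when reconstructing the book from the order log.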
Anti-manipulation detection (wash trading detection):
The platform integrates a statistical module dedicated to detecting patterns that could distort the published price index. The detectors cover three families of signals: same-day round-trip cross trades, price anomalies relative to the volume-weighted average market price, and self-crossing between accounts controlled by related parties. Listings flagged by the module are frozen automatically pending review by the compliance team, without waiting for an external complaint.
As a security principle, the exact parameters of the algorithm and the decision thresholds are not published: disclosing them would help a malicious operator calibrate their activity to stay below the detection thresholds. The CNMC and MITECO have a reserved channel to access the full specification under documented request, in accordance with the procedure described at /mercado-cae/contacto-regulatorio.
Separation of commercial data between direct competitors: during the posting phase, the counterparty's identity remains anonymized. It is only revealed after matching and strictly to the extent necessary to generate the sale contract and the invoices.
eIDAS electronic signature of contracts
All sale contracts are generated automatically with the regulatory data required by Art. 17.2 of Orden TED/815/2023: identification of the parties, unique CAE identifier, volume in MWh, agreed price, issue date and particular conditions. The document includes the 150% penalty clause on the seller's sworn statements as well as the mandatory tax mentions.
The signature is executed by means of a simple electronic signature (SES) compliant with Art. 25 of EU Regulation 910/2014 (eIDAS), integrated via DocuSeal. The Regulation states literally that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form (Art. 25.1). Each signature generates a complete audit trail: document SHA-256 hash, timestamp, IP address, user-agent, and the sequence of opening, reading and signing events.
The signed document is stored on Cloudinary in an authenticated-type folder, that is, with access restricted by signed token. Access from the platform goes through an authenticated proxy that verifies RBAC: only the parties to the contract, the administrator team and the Compliance Officer can download the document. The download is recorded in MktDocAccess, subject to the same immutability guarantees as Layer 5.
See the dedicated page /firma-electronica for an exhaustive breakdown of the eIDAS flow applied across the entire CertificAhorro platform.
SEPA fund flow and MITECO freeze
Payment is made by direct SEPA transfer between buyer and seller, with the bank details exchanged through the signed contract. In the current version of the platform there is no custodial escrow: CertificAhorro neither receives nor holds the funds of the main transaction. It only invoices its platform commissions in accordance with the tax regime described below.
How the transaction is protected without custodial escrow:
- Automatic freezing of the CAE in transit: after matching, the platform locks the CAE in the order book. The transferring Sujeto Delegado cannot re-list it or cross it with a second counterparty while the transfer is pending. This operational control replaces the function performed by a custodial escrow in other financial markets.
- MITECO transfer as a point of no return: the request to change ownership before the National Registry is only initiated after the eIDAS signature of the contract. Until then, legal ownership of the CAE remains with the selling SD.
- Cross-border invoicing HM Capital SARL -> Spanish client: two automatic invoices are issued in XML Facturae 3.2.2 format compliant with Ley 18/2022 (Crea y Crece). The MKT-S invoice is addressed to the seller, the MKT-B invoice to the buyer. Both are issued under reverse charge pursuant to Art. 84.Uno.2 of Ley 37/1992 and Art. 196 of Directive 2006/112/CE: no French VAT, express reverse-charge mention and self-assessment by the Spanish client in modelo 303.
- Dispute procedure: if, after the effective transfer of the CAE, one of the parties fails to pay, the aggrieved party opens a formal dispute from the transaction panel. Opening the procedure freezes settlement, triggers escalation to the administrator team and, in the event of persistent default, enables the suspension of any new operations by the defaulting operator.
Immutable traceability (tamper-evidence)
The administrative audit log (AdminAuditLog) records every sensitive action carried out on the platform: an administrator's intervention, the freezing of a listing on authority request, the publication of a new version of the Terms and Conditions, access to a contractual document. The log is protected by append-only PostgreSQL triggers installed at the database level.
The BEFORE UPDATE and BEFORE DELETE triggers installed on the AdminAuditLog, LegalAcceptance and MktDocAccess tables raise PostgreSQL error 42501 (insufficient_privilege) for any session outside the dedicated audit_admin role, which is not provisioned in the application runtime (NOLOGIN). The web application can at no point modify or delete an audit entry: writing is done in append mode, and any UPDATE or DELETE attempt aborts the transaction.
Market transactions (MktTransaction) are frozen in COMPLETED or CANCELLED state: only the fields tied to dispute management (dispute*, relatedParties*) and the updatedAt field can evolve once the operation is closed. The remaining financial and contractual fields are immutable.
Daily external copy with a SHA-256 digest:
The admin-audit-daily-export cron (GitHub Actions, running at 02:13 UTC) exports in CSV format all AdminAuditLog entries from the previous day, computes the file's SHA-256 hash and sends it as an attachment to the billing@certificahorro.es mailbox. Workspace archiving (the Google server's SMTP timestamp) creates an external tamper-evident copy: any subsequent divergence between the database and the archived CSV is detected by recomputing the SHA-256. The cron works as a heartbeat: the email is sent even on days with no activity, which allows an interruption of the log to be detected.
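How a reviewer could check the archive against the live table, as an added example (not the platform's export job). The column names, the deterministic CSV layout and all rows and dates are assumptions constructed for the illustration.

```python
import csv
import hashlib
import io
from datetime import date, timedelta

COLUMNS = ["id", "createdAt", "actor", "action"]  # assumed AdminAuditLog columns

def export_csv(rows):
    """Serialize one day's rows deterministically: fixed columns, sorted by id."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    for row in sorted(rows, key=lambda r: r["id"]):
        writer.writerow([row[c] for c in COLUMNS])
    return buf.getvalue().encode("utf-8")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def audit_archive(archived, db_rows_by_day, first, last):
    """Compare archived digests with a fresh export of the live table, day by day."""
    report = {}
    day = first
    while day <= last:
        if day not in archived:
            report[day] = "MISSING_HEARTBEAT"   # no email that day: export interrupted
        elif sha256_hex(export_csv(db_rows_by_day.get(day, []))) != archived[day]:
            report[day] = "DIVERGENCE"          # table no longer matches the archive
        else:
            report[day] = "OK"
        day += timedelta(days=1)
    return report

def demo():
    """Constructed four-day scenario (all rows and dates are made up)."""
    d1, d2, d3, d4 = (date(2026, 1, n) for n in (1, 2, 3, 4))
    db = {d1: [{"id": 1, "createdAt": "2026-01-01T09:00Z", "actor": "admin1", "action": "FREEZE_LISTING"}],
          d3: [{"id": 2, "createdAt": "2026-01-03T11:30Z", "actor": "admin2", "action": "PUBLISH_TERMS"}],
          d4: [{"id": 3, "createdAt": "2026-01-04T08:15Z", "actor": "admin1", "action": "DOC_ACCESS"}]}
    # Digests as they would sit in the mailbox: d2 is an empty-day heartbeat, d4 never arrived.
    archived = {d: sha256_hex(export_csv(db.get(d, []))) for d in (d1, d2, d3)}
    db[d3][0]["actor"] = "someone-else"   # simulated later edit of the live row
    return audit_archive(archived, db, d1, d4)
```

The check only works if the export is byte-for-byte reproducible, which is why the sketch fixes column order, row order and line endings.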
Document retention: ten years pursuant to Art. L102 B of the French Tax Procedures Code applicable to HM Capital SARL, aligned with the retention period for accounting records applicable to the market's cross-border invoices. There is no automatic purge.
Regulatory upgrade path: should the CNMC require a qualified cryptographic proof in the future, the AdminAuditLog structure already includes the sequence, prevHash and rowHash fields needed for a hash chain anchored to a Time Stamping Authority (TSA) compliant with RFC 3161, with provision for activation on FreeTSA and, in qualified mode, FNMT-RCM Ceres. Activation is not deployed by default as it is deemed disproportionate for a non-financial CAE operator: the compensating controls described (append-only triggers + daily external copy + restricted DB credentials with semi-annual rotation and 7-day PITR backups on Railway) are considered sufficient in the current regulatory context of the CAE market.
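What the sequence, prevHash and rowHash fields allow once a chain is active, as an added example (not the platform's code). The hash construction (SHA-256 over canonical JSON), the all-zero genesis value and the log entries are assumptions; the anchored head stands in for a value timestamped by a TSA.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prevHash of the first row

def row_hash(sequence, prev_hash, payload):
    """Assumed construction: SHA-256 over canonical JSON of sequence, prevHash, payload."""
    body = json.dumps({"sequence": sequence, "prevHash": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, payload):
    sequence = len(chain) + 1
    prev_hash = chain[-1]["rowHash"] if chain else GENESIS
    chain.append({"sequence": sequence, "prevHash": prev_hash, "payload": payload,
                  "rowHash": row_hash(sequence, prev_hash, payload)})

def verify(chain, anchored_head=None):
    """Return None if intact, else the 1-based position of the first inconsistency.

    anchored_head is the rowHash that was timestamped externally (e.g. by a TSA).
    """
    prev_hash = GENESIS
    for position, row in enumerate(chain, start=1):
        expected = row_hash(row["sequence"], row["prevHash"], row["payload"])
        if row["sequence"] != position or row["prevHash"] != prev_hash or row["rowHash"] != expected:
            return position
        prev_hash = row["rowHash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return len(chain) + 1   # self-consistent chain, but not the anchored one
    return None

def scenarios():
    """Constructed log of four entries, then three kinds of tampering."""
    chain = []
    for action in ("FREEZE_LISTING", "PUBLISH_TERMS", "DOC_ACCESS", "ADMIN_LOGIN"):
        append(chain, {"action": action})
    head = chain[-1]["rowHash"]
    edited = copy.deepcopy(chain)
    edited[1]["payload"]["action"] = "NOTHING"   # in-place edit of row 2
    deleted = chain[:2] + chain[3:]              # row 3 removed
    rebuilt = []   # row 2 rewritten and every later hash recomputed
    for action in ("FREEZE_LISTING", "NOTHING", "DOC_ACCESS", "ADMIN_LOGIN"):
        append(rebuilt, {"action": action})
    return {"intact": verify(chain, head), "edited": verify(edited), "deleted": verify(deleted),
            "rebuilt_unanchored": verify(rebuilt), "rebuilt_anchored": verify(rebuilt, head)}
```

The last two scenarios show why the external anchor matters: a fully recomputed chain passes the internal check and is caught only by comparison with the head hash held outside the database.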
Regulatory compliance audit
The security architecture described has been evaluated as part of the internal v2.0 audit, dated 19 April 2026. The audit covers 156 control points spread across 10 domains (corporate structure, GDPR and LOPDGDD, RD 36/2023, Orden TED/815/2023, secondary market, electronic signature, document system, cross-border taxation, retention and tamper-evidence). The result in strict coverage is 99.3%: 151 compliant points, 1 justified partial point, 0 non-compliant points and 4 points not applicable to the current scope.
The only point evaluated as partial, named F6.10 (cryptographic tamper-evidence), corresponds to the absence of a hash chain with qualified TSA anchoring activated by default. The documentary justification and the associated compensating controls are precisely those described in Layer 5. The full detail of the audit, its methodology and the domain reports are published at /normativa#auditoria.
Contact for auditors and authorities
CertificAhorro maintains a single regulatory point of contact aimed at MITECO, CNMC, AEPD, courts and the State's security forces and bodies. The page /mercado-cae/contacto-regulatorio describes the listing-freeze procedure, the response times (execution of urgent precautionary measures in under 24 business hours, ordinary requests in under 10 business days), the identified competent authorities and the legal basis applicable to each type of request.
Institutional supervision of the market: MITECO (Real Decreto 36/2023 and Orden TED/815/2023 on the CAE System and its National Registry), CNMC (Ley 3/2013 on energy markets and competition defense) and AEPD (EU Regulation 2016/679 and Ley Orgánica 3/2018 on personal data processing).
An architecture designed to be audited
The controls described apply to all Secondary CAE Market transactions since the opening of the closed beta. The compliance team responds to authority requests in under 24 business hours.