A specialised platform serving the Spanish CAE system
CertificAhorro is the SaaS service for managing Certificados de Ahorro Energético files operated by HM Capital SARL unipersonal. It is designed for accredited delegated subjects, obligated parties, installers, engineering firms and ESCOs operating within the CAE system governed by Real Decreto 36/2023 and Orden TED/815/2023.
Mission
Professionalising CAE management in Spain
The Certificados de Ahorro Energético system established by Real Decreto 36/2023 is a young, technically demanding framework undergoing rapid regulatory change. Each CAE file must combine calculation rigour aligned with the official IDAE templates, documentary traceability consistent with Orden TED/815/2023, verification by an ENAC-accredited entity and processing before the Gestor Autonómico of the competent autonomous community, prior to its registration in the National Register and its subsequent settlement.
CertificAhorro's mission is to provide all participants in the CAE system with a single platform covering the full file lifecycle, from the initial calculation to the settlement of the certificate, with verifiable regulatory guarantees and operational capacity at scale. The goal is to reduce the technical and documentary cost of processing, lower the risk of rejection by the verifier or the Gestor Autonómico, and allow accredited delegated subjects to focus their resources on case handling and commercial activity.
CertificAhorro positions itself as a neutral compliance-support tool. It does not replace the responsibility of the delegated subject nor the validation of the ENAC verifier, but it provides the automated controls, standardised documentation and traceability required by the regulatory framework.
Our experience
Verified and controlled functional coverage
The credibility of a CAE platform is measured by the comprehensiveness of its regulatory coverage and by the transparency with which it submits to control. CertificAhorro publishes the results of its internal audit with 156 verified control points across 10 domains, covering both the regulatory compliance of the CAE system and the technical security of the platform.
Verified control points
156
Spread across 10 domains, from authentication to code quality. Internal audit, 19 April 2026.
Integrated IDAE catalogue
114 templates
The entire official catalogue approved by Orden TED/845/2023, with the applicable formulas and technical parameters.
Lifecycle covered
10 stages
From the preliminary calculation to registration in the National Register and the settlement of the CAE.
Breakdown of the compliance and security audit
156 control points spread across ten domains covering the full chain: authentication and sessions, access control, input validation, data protection, order book integrity, traceability, infrastructure, resilience, CAE compliance and code quality. Methodology based on direct inspection of the deployed code, verification of automated tests and case-by-case traceability with explicit references to the BOE articles.
156
Points
total
151
Compliant
strict
1
Partial
justified
4
Not applicable
N/A
1 751
automated tests (51 suites)
0
vulnerabilities npm audit
0
application any occurrences (strict TypeScript)
Notable technical controls: bcryptjs password hashing plus zxcvbn policy (minimum score 3), dual TOTP MFA with AES-256-GCM envelope encryption, complete HTTP security headers (HSTS 2 years preload, X-Frame-Options DENY, CSP with dynamic nonce), systematic multi-tenant isolation (where: { id, organisationId }) on all business routes, Upstash Redis rate limiting shared across Railway replicas, append-only PostgreSQL triggers on the administrative and legal audit logs, server-side DOMPurify sanitisation of all HTML in legal documents. The only partial point (F6.10, tamper-evidence) is documented with compensating controls (daily external CSV copy signed with SHA-256 + DB immutability triggers + restricted access).
Regulatory approach
Aligned with the Spanish and European regulatory framework
The platform is designed as a compliance-support tool for private participants in the CAE system. It maintains no institutional relationship with the MITECO, the IDAE, the CNMC or any Gestor Autonómico. All legal references cited in the service point to the official texts published in the Boletín Oficial del Estado.
CertificAhorro processes personal data as a data controller within the meaning of the GDPR. The privacy policy and the cookie policy are available at /confidencialidad and /politica-cookies.
Team and governance
Service operator
- Legal name
- HM Capital
- Legal form
- SARL unipersonal, share capital 440.000 €
- Registered office
- 55 Rue du Bois d'Amour, 86280 Saint-Benoit, Francia
- Registration
- Registre du Commerce et des Sociétés de Poitiers, SIREN 843 444 464
- Intra-Community NIF
- FR37843444464
- Representation
- Hugo Manteau, Asociado-Gerente
Registration with the French commercial register is equivalent to registration with the Spanish commercial register for the purposes of Article 10.1.a) of Ley 34/2002 (LSSI-CE). The permanent point of contact for supervisory authorities (MITECO, CNMC, AEPD) and the corresponding procedure are described on the Regulatory contact page.
Contact
Let's talk
Customer support
For any commercial, technical or contractual enquiry relating to the CertificAhorro service.
support@certificahorro.esLegal and regulatory matters
Single point of contact for supervisory authorities, official requests and the exercise of GDPR rights.
legal@certificahorro.es