Why the GST application is routed through Resilient Tech

Hi everyone!

I have been exploring the new GST India compliance application which has been contributed by Resilient Tech and the team.
There is one question that I have in my mind.

Why are the APIs routed from a company’s server but not directly to the GST Suvidha portal?
The concerns are known to everyone, such as security, data leaks, etc.

Looking forward to discussing this.

Thank you.

Hello Prashant,

We have answered this multiple times in other places. But let me answer it in this forum as well.

Why is the API not routed directly through government servers?

GST APIs are not distributed directly by the government. They are distributed by authorized GSPs and ASPs.

Note that Resilient Tech has registered as an ASP with Adaequare GSP, and is required to follow the guidelines prescribed for ASPs.

Why is the API not routed through GSPs like it used to be done in v13?

Multiple reasons:

1. UX

  • Instead of making users purchase different APIs like e-Waybill API, e-Invoice API, Public API, GST Returns API separately from the GSP, we wanted to provide a consistent UX and bundle all APIs into a simple package.
  • There is a Minimum Order Qty (MOQ) that needs to be purchased for each API when purchasing from a GSP. This makes sense due to the scale at which GSPs work, but it can be excessive for SMEs using ERPNext. With our offering, we wanted to make the APIs accessible to more users.
  • Through our offering, we’re also providing the feature to roll over existing API credits at the next purchase.
  • We believe that APIs as critical as these should be easily accessible. The end user shouldn’t be expected to get in touch, negotiate, and come to an agreement with GSPs for each API.

2. Reliability and Sustainability

  • We wanted an architecture that makes it easy to switch over to another GSP should the need arise.

  • We wanted a stable revenue stream to sustain the development and maintenance of the app. Given the criticality and the dynamic nature of taxation rules and regulations in India, this is a must.

    We are hoping to be able to help ERPNext be a reliable solution for Indian business in the long run.

I have concerns about security, data leaks, etc.

  • We do not ask for and store passwords. We went for e-mail authentication instead.
  • We do not log transaction level data. Our logs are limited to API access, which is used only internally for billing purposes. We do not share these with a third party unless legally required.
  • The access logs are not stored on our server. They are stored as AWS CloudWatch Logs. We only query them to retrieve the count of API credits consumed.
  • Additionally, we are working to open source the Frappe app that we use to manage our API very soon. Anyone is free to inspect the source code.
  • We are happy to submit to regular security and privacy audits from the Frappe team (Frappe uses our offering for their enterprise customers). We are also happy to submit to audits by an independent third party, if anyone here wants to sponsor the same.

Considering the above points, I would argue that our offering doesn’t require trust at all. We are in the process of drafting our T&C and Privacy Policy to make these things explicit.


I hope I was able to address your questions / concerns. Do let me know if you need further clarification.

8 Likes

Hi Sagar! Thank you so much for responding.
I am satisfied with your answer and I must say you guys have done a commendable job building the GST app.

My main concern is still there!
Here is one situation I have been in recently, hence the reason behind this topic as well.

I was consulting with a prospect for their implementation. They were quite interested in how ERPNext handles GST. I gave them a complete demo of the whole process, told them that they have to purchase credits for their transactions.

Next, they raise the question of security and they are not comfortable with their data going through the intermediary server. I assured them that this is all secured and your data is not being captured.

He said even WhatsApp provides end-to-end encryption but people have problems trusting that.

See, the point here is to gain the trust of people while implementing a solution for them.
They feel like they are being bound to the solution (this is the only way to do GST in ERPNext, not the feeling of open source).
People ask for alternatives and there should be options.

I am again thankful to the team for building this application and I am personally using it but the question stays there.

Thanks & Regards,

1 Like

You’re confusing two different aspects here, Prashant.

India Compliance, just like ERPNext, is fully Open Source and available for anyone to use, modify and distribute under the terms of the GNU GPLv3 license. All features being made are available free of cost.

However, Open Source does not mean open to anything and everything that the users wish for.

Let’s put India Compliance aside for a moment and take the example of the e-Commerce Integrations app. It provides integrations with a lot of operators like Flipkart and Amazon through Unicommerce, a paid aggregator of sorts. Most of the time, these operators do individually provide free APIs to integrate with. But whether or not any feature or fix is implemented is always at the maintainers’ discretion.

This is the whole reason why forks exist. You are free to modify and redistribute as long as you conform with the app’s GPLv3 license and release the modified source code. Your colleague @Maheshwari_Bhavesh is already working on this, AFAIK.

For reasons that I’ve already mentioned in the above reply, and the fact that we don’t have the demand and resources to cater to this requirement, we don’t intend to implement it within the app as of now.

This can always change, and nothing is set in stone. Perhaps the government will start providing the API directly and we will decide to integrate with that instead. Or perhaps you want to sponsor something like this?

FWIW, I hope you guys choose to go with the current solution. I am open to setting up a screen sharing call to walk your team and client through our current offering, its backend implementation and the details about precisely why it is secure and privacy-friendly. Even more so than integrating with some GSPs directly.

At the same time, I don’t intend to engage in this conversation further, unless you want to sponsor it. I’d rather focus on building features that a majority of users are asking for, willing to sponsor, and will genuinely benefit from.

Peace :v:

2 Likes

Peace be upon everyone @snv.

I may not affirm to the fact that you are comparing GST (a bare necessity for using ERP in India) with Unicommerce.
I am happy to get on the call and we can actually discuss the sponsorship thing.
What say @Maheshwari_Bhavesh?

Yes we can @aa_prashant

1 Like