Validators

Every check is an open, deterministic algorithm. Same input → same output. No language models, no probabilities, no hallucinations.

Why it matters: If a tax auditor asks why a record was flagged, you can explain it precisely — down to the check-digit formula. An AI model can't do that.

IBAN — ISO 13616 / mod97

DACH countries DE, AT, CH and LI. We verify the country code, the per-country expected length, and the mod97 checksum from ISO 13616. Inputs are normalised before validation (whitespace stripped, upper-cased).

DE — 22 chars (DE + 2 check + 8 BLZ + 10 account)
AT — 20 chars (AT + 2 check + 5 BLZ + 11 account)
CH — 21 chars (CH + 2 check + 5 bank + 12 account)
LI — 21 chars (LI + 2 check + 5 bank + 12 account)

Source: ISO 13616-1:2007 (International Bank Account Number). The mod97 check rejects any IBAN with a wrong checksum, regardless of whether the BLZ exists.

Steuer-ID — § 139b AO / Elster check digit

German tax identification number. We check:

Exactly 11 digits
First digit 1–9 (no leading zero)
Not all digits identical
Exactly one digit appears two or three times in the first 10 positions — per the official spec
Elster check digit on position 11

Source: § 139b German Tax Code (Abgabenordnung); algorithm spec from the Federal Central Tax Office (BZSt).

USt-IdNr — DACH VAT identification

VAT identification number for DE, AT, CH and LI. Each country uses its own published check-digit algorithm. We normalise the input (whitespace, hyphens, dots, MWST/TVA/IVA suffix), detect the country from the prefix, and verify offline — no call to BZSt, BMF, BFS or VIES.

DE — DE + 9 digits; ISO 7064 MOD 11,10 over the first 8 digits (§ 27a UStG appendix).
AT — ATU + 8 digits; BMF cross-sum algorithm (odd 1-indexed positions added as-is, even positions doubled).
CH — CHE + 9 digits; MOD 11 with weights 5,4,3,2,7,6,5,4 (BFS specification).
LI — Liechtenstein businesses receive Swiss CHEnumbers under the customs union; they validate via the same algorithm.

Sources: Federal Central Tax Office (BZSt) — Aufbau der USt-IdNr; Austrian Ministry of Finance (BMF) — UID algorithm; Swiss Federal Statistical Office (BFS) — Unternehmens- Identifikationsnummer.

DACH postal codes

Range-based validation with optional tightening from the IBAN country code. Without a country hint we use the broad 4-digit range 1000–9999 as a fallback, so a missing IBAN doesn't cause cascading errors.

DE — 01067 to 99998 (5 digits)
AT — 1010 to 9999
CH — 1000 to 9999
LI — 9485 to 9498 (only 14 codes actually exist)

Sources: Universal Postal Union, Deutsche Post AG, Österreichische Post, Die Post (Switzerland), Liechtensteinische Post.

Currency & numeric format

DACH bookkeeping data appears in three conventions; we detect them from the separator pattern, not the currency symbol.

1.234,56 — German (DE/AT): period thousands, comma decimal
1,234.56 — international (UK/US): comma thousands, period decimal
1'234.55 — Swiss apostrophe (CH/LI): apostrophe thousands, period decimal

Recognised currency markers: € / EUR, CHF / SFr / Fr., $ / USD, £ / GBP. Markers inform the currency hint, not the format-detection result.

GDPR mandatory fields

Presence and plausibility check on fields required under GDPR and the German Commercial Code: full supplier address, VAT ID (USt 1 TG format), date, invoice or document number. Structural validation only — no semantic interpretation.

GoBD — bookkeeping integrity

Formal check on the GoBD requirements for digital records: immutability (per-row hash signature), timely capture (document date vs. capture date), full document identification. The check does not replace your operational process documentation.

§ 203 StGB — tax-secrecy risks

Heuristic detection of fields that fall under professional confidentiality (tax advisors, auditors, lawyers) and would be exposed in an unprotected data transfer. Detected: client IDs, fee amounts paired with full names, taxation and payroll fields.

What we don't do

No language models (LLMs) for validation decisions — neither local nor cloud.
No pattern matching by trained models. Every rule is code you can inspect.
No “looks similar to” heuristics. A record is valid or invalid against deterministic criteria.

Source code

The validators live under services/auditor/validators/ in our internal repository. Read-only audit access is available on request. Write to hallo@aisthetix.de.

Effective: May 2026 · Aisthetix · hallo@aisthetix.de