[ CAPABILITIES / SHIPPED ]
Calmony DD owns every step: register a tenant mandate via Modulr, submit through the BACS rail, hold collected funds through the clawback window, then forward verified money to the agent's Griffin client account. 179 shipped features. No gaps.
[ MANDATE / AUDDIS ]
CreateMandateWorkflow validates the payer's bank details, generates a unique mandate reference, submits to Modulr's AUDDIS process, and polls for the result over three BACS working days — surviving worker restarts and provider delays without losing state.
UK sort code format and modulus check before submission
AES-256-GCM encrypted account numbers — last-4 shown in UI, full value only decrypted for Modulr submission
Legally required DD advance notice email sent to payer automatically
Idempotent on mandate reference — safe to retry without duplicate submissions
ADDACS and AWACS messages auto-applied: cancellations and bank-detail changes reflected immediately

Bank details pass modulus check. Mandate reference issued. AUDDIS packet dispatched to Modulr.
CollectionSchedulerCron picks up due collections. SubmitCollectionWorkflow calls Modulr, transitions status, and schedules the Day+3 settlement check.
HoldCollectedFundsWorkflow confirms Griffin has credited the holding account, creates a hold record, and releases automatically on Day+5 unless an ARUDD arrives.
ForwardFundsWorkflow computes the releasable amount after reserve top-up, calls Griffin createTransfer, records the forwarding with all included collection IDs, and emails the agent's PDF statement.
[ COLLECTIONS / BACS CYCLE ]

The collections detail page renders submitted → in clearing → settled (or returned) as a visual timeline. Operators see exactly where each payment sits in the cycle, with submission cutoffs, settlement dates, and forwarding dates on the collection calendar.
Sortable, filterable table — filter by status, mandate, agent, or date range
Month and week collection calendar showing all cutoffs and settlement dates
BACS working-day calendar seeded from Pay.UK — no ad-hoc date arithmetic
Bulk CSV import with row-by-row validation and a downloadable error report
Duplicate-collection guards to prevent double-charging tenants
[ EXCEPTIONS / RECONCILIATION ]
Every BACS return, failed mandate, stuck workflow, and reconciliation mismatch lands in the exceptions queue — triaged, severity-scored, and ready for operator action.
The exceptions board uses columns New / Investigating / Awaiting Provider / Resolved. Cards carry severity, age, and assigned operator. Click any card to see the full context and act — retry the workflow, escalate, or mark resolved.
ARUDD returns decoded against the full BACS reason-code catalogue — retry-eligible codes auto-schedule a re-submission
Daily reconciliation cron matches Modulr settlement files against Griffin holding-account transactions — mismatches auto-surface as exceptions
Stuck-workflow detector flags mandates or collections stalled past BACS working-day thresholds
Indemnity claim escalation timer escalates to 'critical' after 3 BACS working days without review
Ledger double-entry integrity check runs nightly — orphaned entries create exception rows

[ FORWARDINGS / LEDGER ]

Each forwarding computes the releasable amount as collected holdings past the clawback window, minus a per-agent rolling reserve sized against trailing 30-day collection volume, minus any pending indemnity holds.
Every money movement writes paired debit/credit entries — accounts: payer_bank, modulr_in_transit, griffin_holding, griffin_client, reserve, indemnity_loss
Reports query the double-entry ledger, never aggregate domain tables directly
Per-forwarding PDF statement: transfer amount, included collections, reserve top-up, clawbacks
Monthly agent statements with Excel export via exceljs
Forwarding failure triggers an urgent email to the agent and a critical exception row within seconds
[ SECURITY / COMPLIANCE ]
Row-Level Security on every domain table. Encrypted PII vault. Full audit trails on financial mutations. A session for org A cannot read or act on any row belonging to org B.
Payer account numbers encrypted at the application layer. Last-4 displayed in the UI; full value decrypted only for Modulr submission. Every decrypt operation writes an audit entry.
Postgres Row-Level Security policies on every table, keyed on org_id. An isolation test suite asserts cross-tenant data access is impossible across every tRPC procedure and REST endpoint.
Every lifecycle event — mandate.activated, collection.settled, forwarding.completed — is delivered as an HMAC-signed webhook. Consumers verify the signature before processing.
[ OPERATOR / DASHBOARD ]
The dashboard landing shows active mandates, collections due in the next 10 working days, in-clearing volume, holding-account balance, funds releasable today, reserve balance, and exceptions awaiting action — all in a single view with sparklines.
Command palette navigates instantly between any entity. Timestamped rich-text notes attach to any payer, mandate, collection, holding, or exception. The provider log UI lets you search, filter, and replay any Modulr or Griffin API call for incident response.
The agent onboarding wizard links the Modulr submitter profile under Calmony's SUN, provisions a Griffin holding account, and links the agent's Griffin client account. All live collection submission is gated until each step is complete.
Per-agent monthly statements show opening balance, every settlement, clawback, forwarding, and reserve movement to a closing balance. Export to Excel or PDF — all sourced from the double-entry ledger.
[ API / INTEGRATIONS ]
Every capability is exposed via a stable versioned REST API authenticated by org-scoped API keys. An idempotency-key header on every endpoint means re-sends never create duplicate mandates or collections.
createPayer, createMandate, scheduleCollection, cancelMandate, listCollections, getForwardings — all scoped per agent org. API keys cannot cross tenant boundaries.
mandate.activated, collection.settled, collection.returned, forwarding.completed and more. Consumers register endpoints and secrets via the webhook management UI.
Every BACS state transition runs inside a Temporal workflow that survives deploys and infrastructure failures without losing track of in-flight money movement.
[ AUTOMATION / BACKGROUND WORKERS ]
Daily BACS reconciliation Pulls Modulr settlement files and Griffin holding-account transactions each morning. Flags under/over, missing, and unexpected amounts.
Stuck-workflow detector Finds mandates stuck in pending_auddis for more than 5 BACS working days and collections stalled in submitted or in_clearing for more than 4 days.
Mandate 13-month lapse expiry Weekly sweep auto-expires mandates with no collected payment in 13 months, cancels remaining scheduled collections, and notifies the agent.
BACS calendar freshness check Keeps the bacs_calendar table valid for 90 days ahead, refreshing from gov.uk's bank-holidays API before the window narrows to 30 days.
Weekly agent digest Monday 08:00 UK time: total collected, total forwarded, pending indemnity claims, open exceptions by severity, mandates activated/cancelled, and BACS returns with retry status.
Webhook health monitor Every 5 minutes: warns subscribers approaching the consecutive-failure threshold, enforces auto-pause at the limit, and auto-resumes on a successful probe after 24 hours.
Ledger integrity check Nightly verification that every completed forwarding has a ledger pair and every collected holding has a ledger debit — orphaned entries surface as exception rows.
Provider webhook unresolved sweep Hourly re-dispatch of any ADDACS, AWACS, ARUDD, or indemnity webhook that failed initial routing — capped to prevent runaway processing.
[ FAQ / FEATURES ]
Join the waitlist and we'll be in touch when Calmony DD is ready for your letting agency. Questions? Email us at sf-core-org-support-calmony-dd@saas-factory.ai