Skip to main content

Compliance & Trust

What this covers / who it's for. The platform's compliance machinery framed as product guarantees: what a client, an operator, a regulator, or an auditor can rely on the system to do — case handling, account freezes, regulatory filings, the tamper-evident audit trail, and the encrypted document vault. Enforcement is in code, not policy documents.

Compliance cases — nothing waits forever

Compliance work items (sanctions hits, transaction alerts, held deposits, onboarding reviews…) become cases with a lifecycle of openin_reviewescalatedclosed (compliance module).

The guarantee: a case cannot silently rot. An SLA engine scans every minute; a case that breaches its deadline is escalated automatically, one rung at a time, and re-scans of an already-escalated case are no-ops (idempotent — no notification storms). Deadlines are severity- tuned per case type: sanctions/watchlist hits get 1 hour, RFIs 4 hours, re-KYC and crypto travel-rule 24 hours, transaction alerts 48 hours. Closing a case requires a recorded disposition with a written rationale.

Account freeze & closure — precise levers, precise effects

InterventionWhat the user experiencesReversible?
FreezeLogin still works; every action — including reads on the money surfaces — is refused with ACCOUNT_FROZEN (403). Incoming items park as held items.Yes — unfreeze releases held items.
ClosureTerminal. Login itself is refused.No.

Honest scope statement: V1 freezes the whole account only. Narrower scopes (a single asset, a single address) are designed for but deliberately rejected today (FREEZE_SCOPE_UNSUPPORTED) rather than half-enforced. The freeze gate is wired into the command bus itself — every money-moving command checks it — with a route-level backstop, so there is no code path around it. Freeze, unfreeze, and close are operator actions behind step-up MFA.

Regulatory filings — separation of duties in code

  • SAR (suspicious activity reports). A three-officer ladder: draftin_reviewsubmitted, where the drafter, reviewer, and submitter must be three distinct people. Reviewing your own draft is refused (SELF_REVIEW_FORBIDDEN); submitting a report you drafted or reviewed is refused (SELF_SUBMIT_FORBIDDEN) — and an unattributable submission is refused outright rather than waved through.
  • CTR (currency transaction reports). Candidates are surfaced on demand — the system aggregates a customer's completed incoming volume per day, converts to USD, and flags anyone above the configured $10,000/day threshold; operators then record the filing (candidaterecorded).
  • Travel-rule records. Opened automatically when a deposit is held for missing sender information (Money movement); an operator attaches the encrypted originator/beneficiary detail to move it from pending_originator_info to recorded. The encrypted detail is never surfaced back through any API or export.
  • Filing is a handoff in V1. Stables prepares the evidence and durably records the filing; the actual submission to regulators is performed by the finance rail (Conduit). The seam for direct filing exists; the current implementation records the handoff reference.

The audit trail — every attempt, tamper-evident

The strongest guarantee on the platform (audit module):

  • Every command attempt becomes an audit record — including the ones that failed, were denied permission, or were rejected by a business rule. A denied action leaves the same durable trace as a successful one; the denial record survives even though the action itself was rolled back. ("Show me everything this user tried to do" is answerable.)
  • Records are immutable and hash-chained. The database refuses updates and deletes on the audit table outright, and each record is linked to the previous one by a cryptographic hash — altering or removing any record breaks the chain visibly. Signed checkpoints anchor the chain, and a verification job re-checks it hourly (enabled by default).
  • Daily export to write-once storage (WORM — storage that physically refuses modification) exists and is verified after export, but ships disabled until the storage target is provisioned — a deploy-time gate, called out per the wiki's ship-state honesty rule.

The document vault — our copy first, controlled exits

Sensitive documents (KYB/KYC evidence and the like) live in an encrypted vault (documents module):

  • Store-before-forward. Our own encrypted copy exists and is committed before anything is forwarded to the provider. A provider outage can delay forwarding — never lose the document. Forwarding failures that exhaust retries land on an operator triage register (transient ones are re-driven automatically, hourly).
  • Per-document encryption. Each document has its own encryption key (envelope encryption) — which is what makes per-document crypto-shred possible.
  • Downloads only via ~90-second signed URLs, and every access is logged — who fetched which document, when. There is no unauthenticated or permanent link to document bytes.
  • Malware-scan quarantine is built (uploaded bytes are quarantined until scanned clean; rejected bytes are never served) but config-gated and ships disabled until a scanner is deployed. With scanning off, documents are admitted as clean.
  • Right to be forgotten = crypto-shred: the document's key is destroyed, leaving an unreadable tombstone. Shredding is refused inside the regulatory retention window (SHRED_BLOCKED_BY_RETENTION) — by default the 7-year compliance floor — so an erasure request can never delete evidence the law requires keeping.

Where the trust lives, in one line each

GuaranteeEnforced by
No case rotsPer-minute SLA scan, idempotent escalation
No unilateral money movementMaker/checker + co-sign (Money movement)
No self-approved filingsThree-officer SAR ladder, refused in code
Frozen means frozenThe command-bus freeze gate + route backstop
Every attempt is on the recordHash-chained, append-only audit trail, hourly verification
Documents can't leak quietlySigned-URL-only downloads, per-access logging
Erasure vs retention resolved honestlyCrypto-shred blocked inside the retention floor

← Product wiki index