European Union Compliance
Introduction
Chain-Fi operates within the European Union as a security + identity layer that provides non-custodial Web3 security infrastructure. This page explains how Chain-Fi complies with EU regulatory requirements.
What Chain-Fi Is NOT
Chain-Fi does NOT:
- Custody funds
- Store private keys
- Transmit virtual assets
- Execute transactions
- Mediate payments
- Act as an exchange
- Act as a broker
- Fall under custodial wallet rules
- Qualify as a money transmitter
- Process fiat payments
- Take control of user funds
This protects Chain-Fi from being misclassified under EU regulatory regimes.
Applicable Regulations
| Regulation | Applies? | Explanation | Details |
|---|---|---|---|
| GDPR | ✔ | Data governance, deletion rights, minimization | See Data Protection & Privacy. We process personal data for identity verification, device binding, and audit trails. Full compliance with data subject rights, legal bases, and data minimization principles. |
| MiCA | ⚠ Partial | Does NOT apply as CASP (custodial services) | We do NOT custody funds, store private keys, or operate as a trading platform (see "What Chain-Fi Is NOT" above). Our non-custodial vaults and identity services fall outside MiCA CASP definitions. However, we may assist VASPs with compliance tools. |
| eIDAS2 | ⚠ Partial | Device binding is NOT a qualified eID | We do NOT provide qualified electronic identification or trust services. Our device binding provides cryptographic proof of device ownership but is not a qualified eID under eIDAS2. We integrate with eIDAS-aligned KYC providers. |
| Travel Rule | ⚠ Integration Only | Does NOT apply directly (non-custodial) | We do NOT transmit virtual assets or act as a VASP (see "What Chain-Fi Is NOT" above). However, we provide wallet binding, audit logging, and policy tools that help VASPs and financial institutions implement Travel Rule requirements when they connect to KYC/on/off-ramp services. |
Chain-Fi's Compliance Position (EU)
GDPR Compliance
Chain-Fi fully complies with GDPR requirements:
- Data minimization: Only collects data necessary for service operation
- User rights: Access, rectification, erasure, portability, and objection rights
- Legal basis: Clear legal bases for all data processing (contract, legitimate interest, legal obligation)
- Data transfers: Standard Contractual Clauses (SCCs) for international transfers
- Privacy by design: Built-in privacy protections at the architectural level
See our Data Protection & Privacy page for detailed information.
MiCA (Markets in Crypto-Assets Regulation)
Chain-Fi does not qualify as a CASP (Crypto-Asset Service Provider) under MiCA because:
- We do not provide custody services
- We do not operate as a trading platform
- We do not provide exchange services
- Our vaults are non-custodial smart contracts
Our role is limited to security automation and identity verification, not crypto-asset services as defined under MiCA.
eIDAS2
Chain-Fi's device binding is not a qualified eID or trust service under eIDAS2, and we are not a Qualified Trust Service Provider (QTSP).
We integrate with eIDAS-aligned KYC / QES providers (e.g. Sumsub-style services) and bind the verified identity to an Apple/Google-attested device with configurable expiry.
This allows regulated entities to use Chain-Fi as a high-assurance authentication + device-binding layer inside an eIDAS-compliant flow, without us claiming eID or QTSP status.
Travel Rule
For MiCA / AMLD / Travel Rule scenarios, Chain-Fi's wallet/vault binding, audit logging and policy engine help VASPs and financial institutions implement:
- Strong customer authentication
- Linkages between KYC'd users and on-chain addresses
- Verifiable activity logs for their own regulatory reporting
What We Already Implement
- Non-custodial architecture (no MSB/VASP/custody roles) – documented in VAT/AML positioning
- Identity/wallet/device binding – `user_2fa` table, `deviceWallet.js` service, OAuth scope-based permissions
- AML-compatible logging – `connection_logs`, `session_activity`, `security_events` tables with 5-7 year retention capability
- GDPR legal bases & rights – Soft deletes (`deleted_at`), user profile management, consent screens in portal
- Sanctions screening infrastructure – Database structure ready; service integration needed
What Needs to Be Addressed
- eIDAS2 integration: KYC provider integration (Sumsub/other) with eIDAS-aligned evidence storage and expiry management
- VAT OSS: Invoice generation service with One-Stop Shop (OSS) VAT calculation and reporting
- GDPR data export/deletion: Automated data export and deletion workflows triggered by user requests
- Device attestation: Apple App Attest / Google Play Integrity API integration for attested device proofs
Official Regulatory References
- GDPR — https://eur-lex.europa.eu/eli/reg/2016/679
- MiCA — https://eur-lex.europa.eu/eli/reg/2023/1114
- eIDAS2 — https://digital-strategy.ec.europa.eu
- Travel Rule — https://www.fatf-gafi.org
Related Documentation
- Data Protection - Detailed GDPR compliance
- VAT & AML - Tax and billing compliance
- Global Compliance - Overall compliance framework
- Project Architecture - Technical documentation
Contact
For EU-specific compliance inquiries:
- Data Protection Officer (DPO): privacy@chain-fi.io