ChainGuard Compliance Center

Version: 1.0.0
Last Updated: 18-11-2025
Status: Production Ready


Overview

Welcome to the ChainGuard Compliance Center. This area explains how ChainGuard's products fit within current regulatory frameworks and how we handle identity, data, and auditability across jurisdictions.

ChainGuard provides non-custodial Web3 security and identity infrastructure. We give regulated businesses the tools to bind wallets to verified users, enforce policy, and generate audit trails — but we never hold client assets or control user funds.

Purpose

The Compliance Center provides:

  • Regulatory Clarity: Clear explanation of ChainGuard's regulatory position across jurisdictions
  • Jurisdiction-Specific Guidance: Tailored compliance information for EU, US, UK, UAE, Singapore, Hong Kong, Japan, and Korea
  • Topic-Based Documentation: Comprehensive coverage of data protection, KYC/AML, VAT, governance, and sanctions
  • Regulatory References: Direct links to official regulatory frameworks and standards
  • Compliance Evidence: Technical and organizational measures demonstrating regulatory alignment

Who We Are

ChainGuard is a product suite developed by Chain-Fi Labs and operated under Chain-Fi Limited, a company registered in England & Wales.

Legal Entity Details:

  • Registration Number: 15507356
  • VAT Number: GB461989346
  • Registered Office: 128 City Road, London, EC1V 2NX, United Kingdom

For contractual and regulatory purposes, references to "ChainGuard", "Chain-Fi", "we", or "our" in this Compliance Center mean Chain-Fi Limited (and its Chain-Fi Labs development team) unless stated otherwise.

Key Personnel


At a Glance

Role: Technology / infrastructure provider, not an exchange, broker, or custodian.

Architecture: Non-custodial by design – users keep control of their keys and assets at all times.

Governance: Compliance is overseen by CEO & Founder Dennis Reckermann and the Board.

Coverage: ChainGuard operates globally across diverse regulatory environments, including the European Union, United States, United Kingdom, Middle East, Singapore, Hong Kong, Japan, and South Korea. Each region imposes different requirements on data privacy, identity verification, financial oversight, crypto asset treatment, wallet binding, AML/Travel Rule, and custody vs non-custody requirements.

Documentation: Linked policies cover governance, security, data protection, AML/CTF, sanctions, and record-keeping.

Compliance Standards:

  • ISO 27001 Ready (comprehensive control mapping)
  • GDPR Compliant (Article 30 records, data protection by design)
  • Multi-Jurisdictional (EU, US, UK, UAE, Singapore, Hong Kong, Japan, Korea)
  • AML/CTF Compatible (KYC integration, transaction monitoring, sanctions screening)

What ChainGuard Is NOT

This section is identical across all jurisdictions and is critical for regulatory clarity:

ChainGuard does NOT:

  • Custody funds
  • Store private keys
  • Transmit virtual assets
  • Execute transactions
  • Mediate payments
  • Act as an exchange
  • Act as a broker
  • Fall under custodial wallet rules
  • Qualify as a money transmitter
  • Process fiat payments
  • Take control of user funds

This protects ChainGuard from being misclassified under regulatory regimes. Our non-custodial architecture ensures we operate as a security and identity infrastructure provider, not a financial services provider.


Our Compliance Approach

ChainGuard is designed as a security + identity layer that provides:

Core Compliance Features

  • Non-Custodial Architecture: Users maintain full control of their assets; ChainGuard never holds funds or private keys
  • Identity Verification: Optional KYC integration (Sumsub) for enterprise use cases with configurable verification tiers
  • Device and Wallet Binding: Cryptographic proof of ownership and device attestation
  • Audit Trails: Comprehensive logging for compliance requirements (ISO 27001, GDPR, AML/CTF)
  • Multi-Jurisdictional Support: Tailored compliance per region with jurisdiction-specific configurations
  • VAT/GST Compliance: Automated VAT calculation and invoicing with multi-region support
  • Sanctions Screening: OFAC/EU/UK/UN alignment with wallet screening and geo/IP restrictions

Compliance Implementation by Stack Component

Backend Server:

  • Audit logging infrastructure (comprehensive event logging)
  • OAuth 2.0 service (scope-based access control)
  • Device-wallet binding (signature verification)
  • Session management (audit trail with session_id, device_id, wallet_address, app_id)
  • Security event tracking (failed auth attempts, suspicious activity)

Database:

  • User identity tables (GDPR-compatible soft deletes)
  • 2FA binding (user_2fa table linking users to wallet addresses)
  • OAuth tables (full OAuth 2.0 schema with scopes and permissions)
  • Audit tables (connection_logs, session_activity, security_events with 5-7 year retention)

OAuth Portal:

  • OAuth consent screens (user-facing scope review and approval)
  • 2FA setup/verification flows (mobile QR code scanning)
  • Activity history dashboard (user-visible audit trail)
  • App access management (permission review and revocation UI)

Mobile App:

  • QR code scanning (device-bound signature verification)
  • Wallet management (local wallet storage and signing)
  • Secure key storage (device Keychain/Keystore)

Vault System:

  • Dual-signature enforcement (owner + auth addresses)
  • Guardian-mediated gasless transactions
  • Emergency fallback paths (always-accessible withdrawals)
  • Comprehensive transaction logging

For detailed technical implementation, see Project Architecture.


Onboarding & Account Actions (at a glance)

Account Creation Requirements

  • Users are only fully onboarded after successful KYC (ID + liveness + document verification) and an initial sanctions/AML screening
  • ChainGuard acts as a controller for initial onboarding and account creation
  • User consent is required, and passing KYC/AML is mandatory for account creation; clients cannot bypass this requirement
  • If a user is flagged or results are inconclusive, the account is not activated until the case is reviewed

Account Management

  • We log vault and wallet activity and may restrict or close accounts, and cooperate with authorities, where there is suspected fraud, abuse, or financial crime
  • Enterprise clients can configure stricter rules or continuous screening through our APIs
  • Users maintain full control of their assets even if accounts are restricted (non-custodial design)

Ongoing Monitoring

  • Default: Ongoing AML monitoring is disabled
  • Optional: Enterprise clients can enable periodic re-screening as an add-on service
  • Transaction and wallet logging occurs for all users regardless of monitoring tier

For the detailed KYC and account action policy, see KYC & Account Lifecycle in the Topics section.


Jurisdiction-Specific Compliance

ChainGuard operates globally and provides jurisdiction-specific compliance documentation for:

European Union

  • EU Compliance - GDPR, MiCA, eIDAS2, Travel Rule
  • Key Regulations: GDPR, MiCA (Markets in Crypto-Assets), eIDAS2, AMLD, Travel Rule
  • Compliance Position: Non-custodial architecture exempts ChainGuard from CASP classification under MiCA

United States

  • US Compliance - FinCEN, state regulations, CCPA/CPRA
  • Key Regulations: FinCEN MSB rules, state-by-state regulations, CCPA/CPRA
  • Compliance Position: Not a money transmitter under FinCEN guidance due to non-custodial architecture

United Kingdom

  • UK Compliance - FCA Crypto Asset Regime, UK GDPR
  • Key Regulations: FCA Crypto Asset Regime, UK GDPR, DIATF
  • Compliance Position: Security & access-control layer, not a digital identity provider

United Arab Emirates

  • UAE Compliance - VARA Virtual Asset Rulebook
  • Key Regulations: VARA Virtual Asset Rulebook, UAE Pass integration
  • Compliance Position: Technical layer, not classified as VASP under VARA framework

Singapore

  • Singapore Compliance - MAS PSA, PDPA
  • Key Regulations: MAS Payment Services Act (PSA), PDPA
  • Compliance Position: Does not provide payment services under PSA, exempt from MAS licensing

Hong Kong

  • Hong Kong Compliance - SFC VASP rules
  • Key Regulations: SFC VASP licensing regime
  • Compliance Position: Technical infrastructure provider

Japan

  • Japan Compliance - FSA Custody Regulations, PSA
  • Key Regulations: FSA Custody Regulations, Payment Services Act (PSA), APPI
  • Compliance Position: Non-custodial design exempts ChainGuard from custody regulations

South Korea

  • Korea Compliance - FIU AML, VASP rules
  • Key Regulations: FIU AML requirements, VASP licensing
  • Compliance Position: Technical layer supporting compliance

Each jurisdiction page includes:

  • Applicable regulations table with detailed explanations
  • ChainGuard's compliance position
  • Regulatory references with official links
  • Implementation status and requirements

Compliance Topics

Explore our compliance framework by topic:

Data Protection & Privacy

  • Data Protection & Privacy - GDPR, privacy rights, data minimization
  • Coverage: GDPR, UK GDPR, PDPA, UAE DP Law, APPI, PIPA
  • Features: Data subject rights, legal basis, data retention, transfers, sub-processors

KYC & Account Lifecycle

  • KYC & Account Lifecycle - Onboarding, screening & account actions
  • Coverage: KYC/KYB configuration, initial AML screening, ongoing monitoring, account policies
  • Features: Sumsub integration, user consent, account creation requirements, client policies

VAT & AML

  • VAT & AML - Tax compliance, anti-money laundering, crypto invoicing
  • Coverage: VAT compliance, crypto invoicing, AML requirements, customer identification
  • Features: Automated VAT calculation, Stripe integration, transaction monitoring, source of funds traceability

Billing & Subscriptions

  • Billing & Subscriptions - Invoicing, payment methods & tax treatment
  • Coverage: Billing entity, subscription model, payment methods, VAT/tax, refunds
  • Features: Stripe integration, crypto payments, credit structure, account suspension

Governance & Record-Keeping

  • Governance & Record-Keeping - Internal oversight, audit logs, retention policies
  • Coverage: Corporate structure, governance model, compliance responsibilities, risk management
  • Features: Key roles, legal entity, audit procedures, external certifications

Sanctions & Restrictions

  • Sanctions & Restrictions - OFAC, restricted jurisdictions, prohibited use
  • Coverage: OFAC compliance, EU/UK/UN sanctions, restricted jurisdictions, prohibited use
  • Features: Wallet screening, geo/IP restrictions, sanctions list alignment

GDPR Readiness

  • GDPR Readiness - Comprehensive GDPR compliance proof
  • Coverage: Article-by-article mapping, technical implementation evidence, organizational measures
  • Features: Data subject rights, Article 30 records, data protection by design, breach procedures

Global Compliance Overview

For a comprehensive view of our global compliance position, see our Global Compliance page.

The Global Compliance page includes:

  • How the ChainGuard OAuth Bridge Works: Detailed explanation of our non-custodial approach
  • What We Already Implement (Global, by Default): Default compliance features across all jurisdictions
  • Compliance Implementation by Stack Component: Technical implementation details
  • Cross-Jurisdiction Pattern: Crypto/Web3 compliance convergence
  • Flow Legend & Compliance Mapping: Step-by-step compliance mapping
  • Overall Compliance Status by Jurisdiction: Summary table of compliance status

Governance

ChainGuard's compliance and security programmes are overseen by CEO & Founder Dennis Reckermann and the Board, supported by a dedicated security engineering function. Regulatory, privacy, and security requirements are embedded into product design, infrastructure, and operations.

Governance Structure

  • Board & CEO: Set overall risk appetite, approve policies, ensure resources for compliance
  • Security Engineering Lead: Designs and maintains security architecture, implements technical controls

Compliance Responsibilities

  • Regulatory Compliance: MiCA, AML, sanctions, record-keeping
  • Privacy & Data Protection: GDPR, data subject rights, DPIAs
  • Information Security: ISO 27001 alignment, security controls, incident response
  • Risk Management: Risk assessment, treatment, monitoring

For detailed information about our governance model, key roles, and legal structure, see our Governance & Legal Structure page.


Related Documentation

Compliance Documentation

Technical Documentation

Additional Resources

  • FAQ - General questions about ChainGuard

Contact

For compliance inquiries:

For strategic and partnership inquiries:

