The EU Single Rulebook (AMLAR) becomes law in 393 days. Is your compliance program ready?

Customer & auditor disclosure — Security and assurance materials. Treat downloaded artefacts per your policy.

Security · Data protection · European Union

Twelve control domains — current posture satisfactory

Security & trust centre

How we protect customer and end-user data while running Instant Compliance: architecture, access, vendors, resilience, and ongoing monitoring — EU data residency, GDPR-first, eIDAS-compliant.

Security programme overview

Instant Compliance is a Software-as-a-Service platform for EU AML/CFT compliance under AMLAR, AMLD6, and the emerging EU Single Rulebook. We process sensitive financial and identity data for regulated European obliged entities, so confidentiality, integrity, and availability are central to how we design and operate the product.

Our security programme covers governance, access, data protection, infrastructure, application security, cloud operations, AI use, third parties, incident readiness, physical reliance on cloud providers, legal obligations, and continuous monitoring. We organise and review those areas on an ongoing basis — not only when an assessment is published. All customer data is hosted exclusively within the European Union.

We also use structured assurance approaches so customers and auditors can work from comparable evidence. Downloadable assurance materials are listed under Certificates we hold below.

Assessment & assurance documents

DSS-1200 is Instant Compliance's own internal security framework. We carry out a structured self-assessment of our controls against it on a periodic basis. This is a self-review conducted by Instant Compliance, not an independent third-party certification. Our independent SOC 2 and ISO 27001 certifications are currently in progress, and our infrastructure is hosted in AWS data centres that hold SOC 1, SOC 2 and ISO 27001 certification. We'll publish further independent attestations here as we obtain them.

DSS-1200 — Internal Security Self-Assessment

Instant Compliance Pty Ltd · self-assessed · issued 28 April 2026

Download

System overview & architecture

Instant Compliance operates a modern, cloud-native architecture designed for high availability and defence-in-depth security. Data stored at rest by Instant Compliance is hosted in the European Union (AWS Frankfurt); certain transient processing (KYB document extraction, the browser-extension contact-name lookup, and the in-app support assistant) is performed by US-based AI sub-processors disclosed below. Cross-border transfers are covered by GDPR Article 28 DPAs and Standard Contractual Clauses where applicable.

Infrastructure & hosting

ComponentTechnologyLocationPurpose
Application hostingVercel (Edge Network)Frankfurt, EU (primary)Frontend & API layer with built-in DDoS mitigation
Primary databasePostgreSQL via Prisma 6.4AWS eu-central-1 (Frankfurt)Primary data store for all application records
File storageAWS S3AWS eu-central-1 (Frankfurt)Secure storage for PDFs, KYC documents, and compliance artefacts
Background processingAWS LambdaAWS eu-central-1 (Frankfurt)Asynchronous and scheduled background jobs

Identity & authentication

ComponentTechnologyNotes
Session managementNextAuth.js v5 + @auth/prisma-adapterSessions stored securely in PostgreSQL
OAuth providersGoogle OAuth, Microsoft OAuthLeverages provider-managed MFA
Email/password authNextAuth.js credential providerPasswords hashed using bcrypt
KYC/KYB verificationSumsub WebSDKeIDAS-compliant identity verification for end-customer onboarding

Third-party sub-processors

Each sub-processor has been selected based on demonstrated security posture, GDPR compliance, and contractual data protection commitments. GDPR Article 28 DPAs are in place with all sub-processors that handle personal data; cross-border transfers from the EU are covered by Standard Contractual Clauses where applicable. The first five rows are the AI / identity sub-processors most material to personal-data disclosure.

Sub-processorPurposeData processedRegion
Anthropic (Claude API)KYB document extraction (company extracts, trust deeds)Full PDF document content including personal data of directors, shareholders, trustees, settlors, appointors and beneficiaries — processed transiently; not used for model trainingUnited States
GroqBrowser-extension contact-name inferenceUser email address + sanitised page HTML — processed transiently; not retained by defaultUnited States (AU, CA, FI, SA regions available)
OpenAI (gpt-4o-mini)In-app support assistant — via EK HubChat content and organisation-authored knowledge base contentUnited States
PineconeKnowledge-base vector retrieval for the support assistant — via EK HubVector representations of organisation-authored knowledge baseUnited States (EU eu-west-1 and Singapore available; default us-east-1)
SumsubKYC/KYB identity verification (eIDAS LoA High)Identity-document images and biometric data — held on Sumsub-controlled infrastructureEuropean Union (subject to GDPR)
StripeBilling & subscription managementPayment card data (PCI DSS compliant)United States / Ireland
HubSpotCustomer relationship managementContact and account informationUnited States
AblyReal-time pub/sub notificationsApplication event dataUnited States
PostHogProduct analyticsAnonymised usage eventsEU (EU-hosted instance)
Google Calendar APIScheduling integrationsCalendar event metadataUnited States
Nodemailer / ResendTransactional email deliveryEmail addresses and notification contentUnited States

Intra-group note: The in-app support assistant is provided via EK Hub, a product of Squiggly Labs Pty Ltd — the 100% owner of Instant Compliance. OpenAI and Pinecone are the underlying providers for that assistant. The assistant has no code path to KYC, KYB, identity, or customer records; it is scoped to the organisation’s authored knowledge base plus the live conversation.

Infrastructure security pedigree

ProviderSecurity tierVerified certifications
AWSTier 1: Enterprise GradeSOC 2 Type 2, ISO 27001, PCI DSS, FedRAMP, GDPR, HIPAA
VercelTier 1: Enterprise GradeSOC 2 Type 2, ISO 27001, PCI DSS v4.0, GDPR, HIPAA
AnthropicTier 1: Enterprise GradeSOC 2 Type 2, ISO 27001, FedRAMP, HIPAA, CSA STAR
OpenAITier 1: Enterprise GradeSOC 2 Type 2, CSA STAR
PineconeTier 1: Enterprise GradeSOC 2 Type 2, ISO 27001, HIPAA, GDPR
GroqTier 1: Enterprise GradeSOC 2 Type 2
SumsubTier 1: Enterprise GradeSOC 2 Type 2, ISO 27001, PCI DSS, GDPR, eIDAS
StripeTier 1: Enterprise GradeSOC 2 Type 2, PCI DSS Level 1
HubSpotTier 1: Enterprise GradeSOC 2 Type 2, HIPAA, GDPR
PostHogTier 1: Enterprise GradeSOC 2 Type 2, GDPR, HIPAA (EU-hosted)
AblyTier 1: Enterprise GradeSOC 2 Type 2, HIPAA, GDPR
ResendTier 1: Enterprise GradeSOC 2 Type 2, GDPR

Risk management & treatment plan

Instant Compliance maintains a formal risk management programme to identify, assess, and mitigate risks to the confidentiality, integrity, and availability of customer data. Risks are evaluated based on their likelihood of occurrence and potential impact, resulting in a risk score that dictates the required treatment strategy.

Risk IDDescriptionInherentTreatment & controlsResidual
RSK-01Unauthorised access to production database containing sensitive KYC data.HighMitigate: Database is isolated within a private VPC. Access requires VPN and MFA. Strict RBAC enforced. No public endpoints exposed.Low
RSK-02Data loss due to infrastructure failure or ransomware attack.HighMitigate: Automated daily backups of PostgreSQL database. Backups stored in geographically redundant S3 buckets with versioning enabled to prevent malicious deletion.Low
RSK-03Vulnerabilities introduced via third-party open-source dependencies.MediumMitigate: Automated dependency scanning integrated into CI/CD pipeline. Build fails if high/critical CVEs are detected. Regular dependency updates scheduled.Low
RSK-04Exposure of sensitive data via overseas AI sub-processors (Anthropic for KYB extraction; Groq for the browser extension; OpenAI and Pinecone for the in-app support assistant via EK Hub). Cross-border transfer outside the EU triggers GDPR Chapter V obligations.MediumMitigate: Commercial-tier agreements with each provider so customer content is not used for model training; zero-data-retention / no-retention configurations enabled where supported. Payloads scoped to the minimum required context; support assistant has no code path to KYC, KYB, identity, or customer records. GDPR Article 28 DPAs in place; cross-border transfers covered by Standard Contractual Clauses where applicable.Low
RSK-05DDoS attack causing platform unavailability.MediumTransfer/Mitigate: Leveraged Vercel's edge network infrastructure which provides inherent, globally distributed DDoS mitigation and WAF capabilities.Low

Business continuity & disaster recovery

Instant Compliance has established a Business Continuity and Disaster Recovery (BCP/DR) plan designed to ensure the rapid restoration of services in the event of a catastrophic failure, natural disaster, or significant security incident.

Our cloud-native architecture is inherently resilient. The frontend is deployed across Vercel's globally distributed edge network. Primary AWS infrastructure (PostgreSQL and S3) is deployed across multiple Availability Zones within eu-central-1 (Frankfurt), providing redundancy against single-datacenter failures while keeping data within the EU.

  • Recovery Time Objective (RTO): 4 hours — maximum acceptable downtime after a declared disaster before services must be restored.
  • Recovery Point Objective (RPO): 1 hour — maximum acceptable data loss; automated backup schedule supports restore to within one hour prior to an incident.

The PostgreSQL database undergoes automated, continuous backups. Transaction logs are archived every 5 minutes, and full snapshots are taken daily. Backups are stored in a separate, secured AWS S3 bucket (eu-central-1) with versioning enabled. Restoration procedures are documented in engineering runbooks and tested annually via simulated disaster recovery tabletop exercises.

Human resources security controls

Security begins with personnel. Strict HR security controls ensure employees and contractors understand their responsibilities and are vetted before access to company systems or customer data.

Background screening

  • Verification of identity and right to work in the relevant jurisdiction.
  • Verification of employment history and professional references.
  • Criminal history screening for all personnel with access to production systems or sensitive customer data.

Security awareness training

Formal security awareness training upon hire and annually thereafter, covering phishing and social engineering, secure passwords and MFA, data privacy (including GDPR obligations and sensitive KYC/AML data handling), and incident reporting. Completion is tracked by HR; failure to complete mandatory training results in suspension of system access.

Onboarding & offboarding

Onboarding: Access granted on a role-based, least-privilege basis; MFA required before initial login; acknowledgement of Acceptable Use and Information Security policies.

Offboarding: Documented checklist executed on termination; access to email, Slack, AWS, and GitHub revoked within 24 hours; company hardware remotely wiped and recovered.

Vulnerability management programme

Continuous vulnerability management identifies, assesses, and remediates weaknesses in application code, third-party dependencies, and cloud infrastructure.

  • Dependency scanning (SCA): Automated scanning against known vulnerability databases; high or critical CVEs halt the build until patched or updated.
  • Static application security testing (SAST): Pull request scanning for hardcoded secrets, injection flaws, XSS, and related issues.

In our most recent full-stack security audit, high-severity issues were found in outdated NPM packages; engineering triaged, updated packages, deployed patches, and a re-scan confirmed remediation of all high and critical findings.

Remediation SLAs (by CVSS / exploitability)

  • Critical: remediated within 48 hours of discovery.
  • High: remediated within 14 days of discovery.
  • Medium: remediated within 30 days of discovery.

Security control domains

We group controls into twelve domains (D-01–D-12) for clarity and external review — the same structure used in our latest structured assessment. Each area below is operating at satisfactory posture as of 28 April 2026. Expand a row for detail; the signed DSS-1200 PDF has the full narrative if you need it for audit or procurement.

D-01Satisfactory

Governance & Risk Management

Executive-led security programme and risk register in place

Expand for control details

Instant Compliance maintains a formal security programme overseen by the Chief Executive Officer (Simon Giles) and Chief Technology Officer (Mike Giles). Security responsibilities are clearly delineated between executive leadership and engineering. A formal risk register is maintained and reviewed regularly to identify, evaluate, and mitigate threats to the platform. Security considerations are embedded into product planning and engineering decisions at the outset of each development cycle.
D-02Satisfactory

Identity & Access Management

MFA enforced; least-privilege access model

Expand for control details

Access to production infrastructure — including AWS, Vercel, and the PostgreSQL database — is strictly limited to authorised engineering personnel operating under the principle of least privilege. All production access requires multi-factor authentication (MFA). Customer authentication is secured via NextAuth.js with session data stored in the database. OAuth integrations with Google and Microsoft delegate authentication to those providers' enterprise-grade identity platforms, which enforce MFA at the provider level. Access rights are reviewed periodically and revoked promptly upon personnel changes.
D-03Satisfactory

Data Protection & Privacy

AES-256 at rest; TLS 1.2+ in transit; EU residency for stored data; transient AI processing in the US; GDPR Article 28 DPA

Expand for control details

All customer data, including database records and S3-stored documents, is encrypted at rest using AES-256 encryption. All data in transit between the client, the Vercel edge network, and AWS infrastructure is encrypted using TLS 1.2 or higher. Data stored at rest by Instant Compliance is resident in the European Union (AWS eu-central-1 Frankfurt and Vercel EU deployment region). Identity-document images and biometric data are held by our identity-verification sub-processor Sumsub on Sumsub-controlled infrastructure, not at rest on Instant Compliance infrastructure. Certain transient processing happens outside the EU: full PDFs of KYB documents are sent to Anthropic (US) for structured extraction; the browser extension sends email + sanitised page HTML to Groq (US) for contact-name inference; the in-app support assistant sends chat and knowledge-base content to OpenAI and Pinecone (US, via EK Hub). Where supported, these AI sub-processors are operated under zero-data-retention and/or no-training arrangements; cross-border transfers are covered by GDPR Article 28 DPAs and Standard Contractual Clauses where applicable. AWS S3 buckets are configured to block all public access; file retrieval requires authenticated, time-bound presigned URLs generated by the application backend, ensuring that no document is ever directly accessible without authorisation.
D-04Satisfactory

Infrastructure & Network Security

WAF & DDoS protection via Vercel; no public admin ports

Expand for control details

The Vercel deployment platform provides inherent DDoS protection and Web Application Firewall (WAF) capabilities at the edge network layer, protecting the application from volumetric attacks and common web exploits. AWS security group configurations are maintained to restrict inbound traffic to only the ports and protocols required for application operation. Administrative access to infrastructure is never exposed to the public internet. Environment separation is enforced, with development, staging, and production environments maintained as distinct, isolated configurations.
D-05Satisfactory

Application & Software Security

Automated audit completed; all high CVEs remediated

Expand for control details

Security is integrated directly into the software development lifecycle at Instant Compliance. All code changes require peer review and approval before being merged into the production branch. The codebase and its full dependency tree are subjected to automated security scanning. A comprehensive vulnerability audit was conducted before our latest published assessment; all identified high-severity vulnerabilities were successfully remediated, resulting in a clean scan result. Secrets and API keys are managed via environment variables and are never committed to source control.
D-06Satisfactory

Cloud & Container Security

Serverless architecture; least-privilege IAM roles

Expand for control details

Instant Compliance utilises managed, serverless infrastructure via Vercel and AWS Lambda, which abstracts underlying operating system management and patching responsibilities to the respective cloud providers. This architecture significantly reduces the attack surface compared to traditional virtual machine deployments, as there are no persistent servers requiring manual patching or hardening. AWS Lambda functions are assigned IAM roles with the minimum permissions required to execute their specific tasks, adhering strictly to the principle of least privilege at the compute layer.
D-07Satisfactory

AI & Emerging Technology Security

Anthropic (KYB extraction), Groq (extension), OpenAI + Pinecone (support assistant via EK Hub); no training data exposure

Expand for control details

Instant Compliance uses four AI sub-processors. (1) Anthropic Claude API performs automated extraction of structured data from KYB documents — the full PDF is sent transiently; results are stored in PostgreSQL and not re-sent. (2) Groq is called by our browser extension to infer a contact name from a user’s email address and sanitised page HTML; processed transiently, not retained by default. (3) OpenAI (gpt-4o-mini) powers the in-app support assistant and (4) Pinecone provides vector retrieval over the organisation’s authored knowledge base. The support assistant is delivered via EK Hub, a product of Squiggly Labs Pty Ltd (our parent company); it is scoped to the knowledge base plus the live conversation and has no code path to KYC, KYB, identity, or customer records. We rely on each provider’s enterprise commitments that customer content submitted via the API is not used to train or improve their foundation models, and we enable zero-data-retention configurations where the provider supports them. Cross-border transfers from the EU are governed by GDPR Article 28 DPAs and Standard Contractual Clauses where applicable. AI-generated outputs are treated as advisory and remain subject to human review within the compliance workflow; no automated AI decision is presented as a definitive legal determination without appropriate context.
D-08Satisfactory

Supply Chain & Third-Party Risk

Continuous monitoring; GDPR Article 28 DPAs with all sub-processors; intra-group EK Hub arrangement with Squiggly Labs

Expand for control details

Third-party software dependencies are continuously monitored for known vulnerabilities via automated SCA tools. Sub-processors are selected based on their ability to demonstrate robust security postures and GDPR compliance; key sub-processors including AWS, Vercel, Anthropic, OpenAI, Pinecone, Groq, Sumsub, and Stripe (PCI DSS Level 1) maintain their own rigorous security certifications. Data Processing Agreements (DPAs) under GDPR Article 28 are in place with all sub-processors that handle personal data on behalf of Instant Compliance customers; cross-border transfers are covered by Standard Contractual Clauses where applicable. The in-app support assistant is delivered via EK Hub, a product of our parent company Squiggly Labs Pty Ltd, under an intra-group data-processing arrangement; OpenAI and Pinecone are the underlying providers. A complete sub-processor list is available on request.
D-09Satisfactory

Incident Response & Resilience

Automated DB backups; defined RTO/RPO and response process

Expand for control details

The distributed, serverless architecture of the Instant Compliance platform provides inherent high availability and resilience against localised infrastructure failures. The PostgreSQL database is configured with automated backups, enabling data recovery in the event of an incident, with a defined RTO of 4 hours and RPO of 1 hour. An incident response process is maintained by the engineering team, with defined escalation paths to executive leadership. Application errors and anomalies are monitored in real-time, enabling rapid detection and response to potential security events. Personal data breaches are handled per GDPR Article 33/34 notification obligations.
D-10Satisfactory

Physical & Environmental Security

Cloud-native; physical security delegated to AWS/Vercel

Expand for control details

Instant Compliance operates as a cloud-native company and does not maintain physical data centres or server rooms. Physical and environmental security for all production infrastructure is managed entirely by our cloud providers (AWS Frankfurt and Vercel EU), both of whom maintain rigorous physical security controls that are independently audited under SOC 2 and ISO 27001. For endpoint security, company devices used to access production systems are required to have full-disk encryption enabled and strong authentication configured.
D-11Satisfactory

Compliance & Legal Obligations

AMLA / AMLD6; GDPR; eIDAS compliance

Expand for control details

Instant Compliance is designed specifically to assist EU obliged entities with their obligations under the EU Anti-Money Laundering Regulation (AMLAR), the Sixth Anti-Money Laundering Directive (AMLD6), and the requirements administered by the new EU Anti-Money Laundering Authority (AMLA). The platform is built with GDPR as a first-class design constraint — data minimisation, purpose limitation, and retention schedules are built into the product rather than bolted on. Identity verification flows are compliant with eIDAS Level of Assurance "High" standards. Legal and regulatory obligations are reviewed by executive leadership on an ongoing basis as the EU Single Rulebook is published.
D-12Satisfactory

Continuous Monitoring & Threat Intelligence

Real-time monitoring via Vercel, PostHog, automated scanners

Expand for control details

Application performance, errors, and security-relevant events are monitored continuously. PostHog (EU-hosted instance) provides visibility into application usage patterns, enabling the detection of anomalous behaviour. Vercel's platform provides real-time logging and alerting for edge network events. Automated scanning tools provide continuous monitoring of the dependency tree for newly disclosed vulnerabilities, ensuring that the engineering team is promptly notified of any emerging supply chain risks that require remediation.

Domain status overview

Snapshot from our latest structured review: all twelve control domains satisfactory. Nothing was rated as failing or requiring immediate remediation as of 28 April 2026. The formal outcome is recorded in the signed DSS-1200 assessment PDF.

DomainNameStatusNotes
D-01Governance & Risk ManagementSatisfactoryExecutive-led security programme and risk register in place
D-02Identity & Access ManagementSatisfactoryMFA enforced; least-privilege access model
D-03Data Protection & PrivacySatisfactoryAES-256 at rest; TLS 1.2+ in transit; EU residency for stored data; transient AI processing in the US; GDPR Article 28 DPA
D-04Infrastructure & Network SecuritySatisfactoryWAF & DDoS protection via Vercel; no public admin ports
D-05Application & Software SecuritySatisfactoryAutomated audit completed; all high CVEs remediated
D-06Cloud & Container SecuritySatisfactoryServerless architecture; least-privilege IAM roles
D-07AI & Emerging Technology SecuritySatisfactoryAnthropic (KYB extraction), Groq (extension), OpenAI + Pinecone (support assistant via EK Hub); no training data exposure
D-08Supply Chain & Third-Party RiskSatisfactoryContinuous monitoring; GDPR Article 28 DPAs with all sub-processors; intra-group EK Hub arrangement with Squiggly Labs
D-09Incident Response & ResilienceSatisfactoryAutomated DB backups; defined RTO/RPO and response process
D-10Physical & Environmental SecuritySatisfactoryCloud-native; physical security delegated to AWS/Vercel
D-11Compliance & Legal ObligationsSatisfactoryAMLA / AMLD6; GDPR; eIDAS compliance
D-12Continuous Monitoring & Threat IntelligenceSatisfactoryReal-time monitoring via Vercel, PostHog, automated scanners

Management attestation

The following statement accompanies our published DSS-1200 assessment.

I, Simon Giles, Chief Executive Officer of Instant Compliance Pty Ltd (ACN 111 744 668), hereby attest that the security controls, architectural details, and operational practices described in this DSS-1200 assessment report are accurate and reflect the operational state of the Instant Compliance platform as of 28 April 2026. This is a self-assessment conducted by Instant Compliance against our own internal DSS-1200 security framework — not an independent third-party certification. Our independent SOC 2 and ISO 27001 certifications are currently in progress. Instant Compliance Pty Ltd is committed to the continuous improvement of its security posture to protect our customers, their data, and the integrity of the regulated obliged entities across the European Union that rely on our platform.

Simon Giles

Chief Executive Officer, Instant Compliance Pty Ltd

28 April 2026

Download the signed DSS-1200 assessment (PDF) for your records. Contact us for vendor questionnaires, GDPR Article 28 DPA, or supplemental assurance.