
Customer & auditor disclosure — Security and assurance materials. Treat downloaded artefacts per your policy.

Security & trust centre

How we protect customer and end-user data while running Instant Compliance: architecture, access, vendors, resilience, and ongoing monitoring — EU data residency, GDPR-first, eIDAS-compliant.

Security programme overview

Instant Compliance is a Software-as-a-Service platform for EU AML/CFT compliance under AMLAR, AMLD6, and the emerging EU Single Rulebook. We process sensitive financial and identity data for regulated European obliged entities, so confidentiality, integrity, and availability are central to how we design and operate the product.

Our security programme covers governance, access, data protection, infrastructure, application security, cloud operations, AI use, third parties, incident readiness, physical and environmental security (delegated to our cloud providers), legal obligations, and continuous monitoring. We review those areas on an ongoing basis, not only when an assessment is published. All customer data is hosted exclusively within the European Union.

We also use structured assurance approaches so customers and auditors can work from comparable evidence. Downloadable assurance materials are listed under Certificates we hold below.

Certificates we hold

Assurance documents for procurement or audit. We'll add more here as we obtain them.

DSS-1200 — Detailed Security Standard assessment

Instant Compliance Pty Ltd · issued 28 April 2026

System overview & architecture

Instant Compliance operates a cloud-native architecture designed for high availability, EU data residency, and defence-in-depth. All production infrastructure is hosted within the European Union (AWS Frankfurt, eu-central-1) so that personal data stays inside the EU for hosting, which avoids the need for a GDPR Chapter V international-transfer mechanism for that processing and supports your obligations as a data controller when appointing a processor under GDPR Article 28.

Infrastructure & hosting

| Component | Technology | Location | Purpose |
|---|---|---|---|
| Application hosting | Vercel (Edge Network) | Frankfurt, EU (primary) | Frontend & API layer with built-in DDoS mitigation |
| Primary database | PostgreSQL via Prisma 6.4 | AWS eu-central-1 (Frankfurt) | Primary data store for all application records |
| File storage | AWS S3 | AWS eu-central-1 (Frankfurt) | Storage for PDFs, KYC documents, and compliance artefacts |
| Background processing | AWS Lambda | AWS eu-central-1 (Frankfurt) | Asynchronous and scheduled background jobs |

Identity & authentication

| Component | Technology | Notes |
|---|---|---|
| Session management | NextAuth.js v5 + @auth/prisma-adapter | Sessions stored server-side in PostgreSQL |
| OAuth providers | Google OAuth, Microsoft OAuth | Authentication delegated to the provider; MFA for these sign-ins is enforced by the provider according to the customer's own tenant policy |
| Email/password auth | NextAuth.js credentials provider | Passwords hashed with bcrypt |
| KYC/KYB verification | Sumsub WebSDK | Identity verification for end-customer onboarding (eIDAS Level of Assurance High) |

Third-party sub-processors

Each sub-processor has been selected based on demonstrated security posture, GDPR compliance, and contractual data protection commitments. GDPR Article 28 DPAs are in place with all sub-processors that handle personal data.

| Sub-processor | Purpose | Data processed |
|---|---|---|
| Stripe | Billing & subscription management | Payment card data (processed by Stripe, PCI DSS Level 1) |
| Anthropic (Claude API) | AI-driven compliance analysis | Compliance document content |
| HubSpot | Customer relationship management | Contact and account information |
| Ably | Real-time pub/sub notifications | Application event data |
| PostHog | Product analytics | Anonymised usage events |
| Google Calendar API | Scheduling integrations | Calendar event metadata |
| Nodemailer / Resend | Transactional email delivery | Email addresses and notification content |
| Sumsub | KYC/KYB identity verification (eIDAS LoA High) | Identity documents and biometric data |

Infrastructure security pedigree

Certifications and compliance programmes as published by each provider. Entries such as GDPR describe regulatory compliance rather than an audited certification.

| Provider | Security tier | Certifications & compliance programmes |
|---|---|---|
| AWS | Tier 1: Enterprise Grade | SOC 2 Type 2, ISO 27001, PCI DSS, FedRAMP, GDPR, HIPAA |
| Vercel | Tier 1: Enterprise Grade | SOC 2 Type 2, ISO 27001, PCI DSS v4.0, GDPR, HIPAA |
| Stripe | Tier 1: Enterprise Grade | SOC 2 Type 2, PCI DSS Level 1 |
| Anthropic | Tier 1: Enterprise Grade | SOC 2 Type 2, ISO 27001, FedRAMP, HIPAA, CSA STAR |
| Sumsub | Tier 1: Enterprise Grade | SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, eIDAS |
| HubSpot | Tier 1: Enterprise Grade | SOC 2 Type 2, HIPAA, GDPR |
| PostHog | Tier 1: Enterprise Grade | SOC 2 Type 2, GDPR, HIPAA (EU-hosted) |
| Ably | Tier 1: Enterprise Grade | SOC 2 Type 2, HIPAA, GDPR |
| Resend | Tier 1: Enterprise Grade | SOC 2 Type 2, GDPR |

Risk management & treatment plan

Instant Compliance maintains a formal risk management programme to identify, assess, and mitigate risks to the confidentiality, integrity, and availability of customer data. Risks are evaluated based on their likelihood of occurrence and potential impact, resulting in a risk score that dictates the required treatment strategy.

| Risk ID | Description | Inherent | Treatment & controls | Residual |
|---|---|---|---|---|
| RSK-01 | Unauthorised access to production database containing sensitive KYC data. | High | Mitigate: Database is isolated within a private VPC. Access requires VPN and MFA. Strict RBAC enforced. No public endpoints exposed. | Low |
| RSK-02 | Data loss due to infrastructure failure or ransomware attack. | High | Mitigate: Automated daily backups of the PostgreSQL database. Backups are stored in a separate, multi-AZ S3 bucket in eu-central-1 with versioning enabled, so deleted or overwritten backup objects can be recovered. | Low |
| RSK-03 | Vulnerabilities introduced via third-party open-source dependencies. | Medium | Mitigate: Automated dependency scanning integrated into the CI/CD pipeline. Build fails if high/critical CVEs are detected. Regular dependency updates scheduled. | Low |
| RSK-04 | Exposure of sensitive data via AI analysis API (Anthropic). | Medium | Mitigate: Enterprise API agreement in place ensuring zero data retention for model training. Data payloads strictly scoped to the minimum required context. | Low |
| RSK-05 | DDoS attack causing platform unavailability. | Medium | Transfer/Mitigate: Vercel's edge network provides globally distributed DDoS mitigation and WAF capabilities in front of the application. | Low |

Business continuity & disaster recovery

Instant Compliance has established a Business Continuity and Disaster Recovery (BCP/DR) plan designed to ensure the rapid restoration of services in the event of a catastrophic failure, natural disaster, or significant security incident.

Our cloud-native architecture is inherently resilient. The frontend is deployed across Vercel's globally distributed edge network. Primary AWS infrastructure (PostgreSQL and S3) is deployed across multiple Availability Zones within eu-central-1 (Frankfurt), providing redundancy against single-datacenter failures while keeping data within the EU.

  • Recovery Time Objective (RTO): 4 hours — maximum acceptable downtime after a declared disaster before services must be restored.
  • Recovery Point Objective (RPO): 1 hour — maximum acceptable data loss; automated backup schedule supports restore to within one hour prior to an incident.

The PostgreSQL database undergoes automated, continuous backups. Transaction logs are archived every 5 minutes, and full snapshots are taken daily. Backups are stored in a separate, secured AWS S3 bucket (eu-central-1) with versioning enabled. Restoration procedures are documented in engineering runbooks and tested annually via simulated disaster recovery tabletop exercises.

Human resources security controls

Security begins with personnel. Strict HR security controls ensure employees and contractors understand their responsibilities and are vetted before access to company systems or customer data.

Background screening

  • Verification of identity and right to work in the relevant jurisdiction.
  • Verification of employment history and professional references.
  • Criminal history screening for all personnel with access to production systems or sensitive customer data.

Security awareness training

Formal security awareness training upon hire and annually thereafter, covering phishing and social engineering, secure passwords and MFA, data privacy (including GDPR obligations and sensitive KYC/AML data handling), and incident reporting. Completion is tracked by HR; failure to complete mandatory training results in suspension of system access.

Onboarding & offboarding

Onboarding: Access granted on a role-based, least-privilege basis; MFA required before initial login; acknowledgement of Acceptable Use and Information Security policies.

Offboarding: Documented checklist executed on termination; access to email, Slack, AWS, and GitHub revoked within 24 hours; company hardware remotely wiped and recovered.

Vulnerability management programme

Continuous vulnerability management identifies, assesses, and remediates weaknesses in application code, third-party dependencies, and cloud infrastructure.

  • Dependency scanning (SCA): Automated scanning against known vulnerability databases; high or critical CVEs halt the build until patched or updated.
  • Static application security testing (SAST): Pull request scanning for hardcoded secrets, injection flaws, XSS, and related issues.

In our most recent full-stack security audit, high-severity issues were found in outdated NPM packages; engineering triaged, updated packages, deployed patches, and a re-scan confirmed remediation of all high and critical findings.

Remediation SLAs (by CVSS / exploitability)

  • Critical: remediated within 48 hours of discovery.
  • High: remediated within 14 days of discovery.
  • Medium: remediated within 30 days of discovery.

Security control domains

We group controls into twelve domains (D-01 to D-12) for clarity and external review, the same structure used in our latest structured assessment. Each domain below is operating at satisfactory posture as of 28 April 2026. The signed DSS-1200 PDF has the full narrative if you need it for audit or procurement.

D-01 Governance & Risk Management (Satisfactory)

Executive-led security programme and risk register in place.

Instant Compliance maintains a formal security programme overseen by the Chief Executive Officer (Simon Giles) and Chief Technology Officer (Mike Giles). Security responsibilities are clearly delineated between executive leadership and engineering. A formal risk register is maintained and reviewed regularly to identify, evaluate, and mitigate threats to the platform. Security considerations are embedded into product planning and engineering decisions at the outset of each development cycle.

D-02 Identity & Access Management (Satisfactory)

MFA enforced for production access; least-privilege access model.

Access to production infrastructure, including AWS, Vercel, and the PostgreSQL database, is limited to authorised engineering personnel under the principle of least privilege. All production access requires multi-factor authentication (MFA). Customer authentication is handled by NextAuth.js with session data stored server-side in the database. OAuth integrations with Google and Microsoft delegate authentication to those providers' identity platforms; MFA for those sign-ins is enforced by the provider according to the customer's own tenant policy, so customers who require MFA for their users should enforce it there. Access rights are reviewed periodically and revoked promptly upon personnel changes.

D-03 Data Protection & Privacy (Satisfactory)

AES-256 at rest; TLS 1.2+ in transit; EU data residency; GDPR Article 28 DPA.

All customer data, including database records and S3-stored documents, is encrypted at rest using AES-256. All data in transit between the client, the Vercel edge network, and AWS infrastructure is encrypted using TLS 1.2 or higher. Data residency is maintained within the European Union (AWS eu-central-1 Frankfurt and Vercel's EU deployment region), so personal data is not transferred outside the EU for hosting. AWS S3 buckets block all public access; file retrieval requires an authenticated, time-bound presigned URL that the application backend generates only after it has authorised the request, so no document is directly reachable without authorisation. A GDPR Article 28 Data Processing Agreement (DPA) is available on request, and DPAs are in place with all sub-processors that handle personal data.

D-04 Infrastructure & Network Security (Satisfactory)

WAF & DDoS protection via Vercel; no public admin ports.

The Vercel deployment platform provides DDoS protection and Web Application Firewall (WAF) capabilities at the edge network layer, protecting the application from volumetric attacks and common web exploits. AWS security group configurations restrict inbound traffic to only the ports and protocols required for application operation. Administrative access to infrastructure is never exposed to the public internet. Environment separation is enforced, with development, staging, and production environments maintained as distinct, isolated configurations.

D-05 Application & Software Security (Satisfactory)

Automated audit completed; all high CVEs remediated.

Security is integrated directly into the software development lifecycle at Instant Compliance. All code changes require peer review and approval before being merged into the production branch. The codebase and its full dependency tree are subjected to automated security scanning. A comprehensive vulnerability audit was conducted before our latest published assessment; all identified high-severity vulnerabilities were remediated, resulting in a clean scan result. Secrets and API keys are managed via environment variables and are never committed to source control.

D-06 Cloud & Container Security (Satisfactory)

Serverless architecture; least-privilege IAM roles.

Instant Compliance uses managed, serverless infrastructure via Vercel and AWS Lambda, which shifts operating system management and patching to the respective cloud providers. This architecture reduces the attack surface compared with traditional virtual machine deployments, as there are no persistent servers requiring manual patching or hardening. AWS Lambda functions are assigned IAM roles with the minimum permissions required to execute their specific tasks, applying the principle of least privilege at the compute layer.

D-07 AI & Emerging Technology Security (Satisfactory)

Anthropic API; no training data exposure.

Instant Compliance uses the Anthropic Claude API for AI-driven compliance analysis. Data submitted to the API is strictly scoped to the minimum context required for the analysis task. We rely on Anthropic's enterprise data privacy commitments, under which customer data submitted via the API is not used to train or improve their foundation models. AI-generated outputs are treated as advisory and are subject to human review within the compliance workflow, so no automated AI decision is presented to a customer as a definitive legal determination without appropriate context.

D-08 Supply Chain & Third-Party Risk (Satisfactory)

Continuous monitoring; GDPR Article 28 DPAs with all sub-processors.

Third-party software dependencies are continuously monitored for known vulnerabilities via automated SCA tools. Sub-processors are selected based on their ability to demonstrate robust security postures and GDPR compliance; key sub-processors including Stripe (PCI DSS Level 1), Anthropic, and Vercel maintain their own security certifications. Data Processing Agreements (DPAs) under GDPR Article 28 are in place with all sub-processors that handle personal data on behalf of Instant Compliance customers. The sub-processor list on this page is kept current; a copy is available on request.

D-09 Incident Response & Resilience (Satisfactory)

Automated DB backups; defined RTO/RPO and response process.

The distributed, serverless architecture of the Instant Compliance platform provides high availability and resilience against localised infrastructure failures. The PostgreSQL database is configured with automated backups, enabling data recovery in the event of an incident, with a defined RTO of 4 hours and RPO of 1 hour. An incident response process is maintained by the engineering team, with defined escalation paths to executive leadership. Application errors and anomalies are monitored in real time, enabling rapid detection of and response to potential security events. Personal data breaches are handled under GDPR Articles 33 and 34: notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and communication to affected data subjects where the breach is likely to result in a high risk to them.

D-10 Physical & Environmental Security (Satisfactory)

Cloud-native; physical security delegated to AWS/Vercel.

Instant Compliance operates as a cloud-native company and does not maintain physical data centres or server rooms. Physical and environmental security for all production infrastructure is managed entirely by our cloud providers (AWS Frankfurt and Vercel EU), both of whom maintain physical security controls that are independently audited under SOC 2 and ISO 27001. For endpoint security, company devices used to access production systems are required to have full-disk encryption enabled and strong authentication configured.

D-11 Compliance & Legal Obligations (Satisfactory)

AMLA / AMLD6; GDPR; eIDAS compliance.

Instant Compliance is designed specifically to assist EU obliged entities with their obligations under the EU Anti-Money Laundering Regulation (AMLAR), the Sixth Anti-Money Laundering Directive (AMLD6), and the requirements administered by the new EU Anti-Money Laundering Authority (AMLA). The platform is built with GDPR as a first-class design constraint: data minimisation, purpose limitation, and retention schedules are built into the product rather than bolted on. Identity verification flows are compliant with eIDAS Level of Assurance "High" standards. Legal and regulatory obligations are reviewed by executive leadership on an ongoing basis as the EU Single Rulebook is published.

D-12 Continuous Monitoring & Threat Intelligence (Satisfactory)

Real-time monitoring via Vercel, PostHog, automated scanners.

Application performance, errors, and security-relevant events are monitored continuously. PostHog (EU-hosted instance) provides visibility into application usage patterns, supporting the detection of anomalous behaviour. Vercel's platform provides real-time logging and alerting for edge network events. Automated scanning tools continuously monitor the dependency tree for newly disclosed vulnerabilities, so the engineering team is promptly notified of any emerging supply chain risks that require remediation.

Domain status overview

Snapshot from our latest structured review: all twelve control domains satisfactory. Nothing was rated as failing or requiring immediate remediation as of 28 April 2026. The formal outcome is recorded in the signed DSS-1200 assessment PDF.

| Domain | Name | Status | Notes |
|---|---|---|---|
| D-01 | Governance & Risk Management | Satisfactory | Executive-led security programme and risk register in place |
| D-02 | Identity & Access Management | Satisfactory | MFA enforced for production access; least-privilege access model |
| D-03 | Data Protection & Privacy | Satisfactory | AES-256 at rest; TLS 1.2+ in transit; EU data residency; GDPR Article 28 DPA |
| D-04 | Infrastructure & Network Security | Satisfactory | WAF & DDoS protection via Vercel; no public admin ports |
| D-05 | Application & Software Security | Satisfactory | Automated audit completed; all high CVEs remediated |
| D-06 | Cloud & Container Security | Satisfactory | Serverless architecture; least-privilege IAM roles |
| D-07 | AI & Emerging Technology Security | Satisfactory | Anthropic API; no training data exposure |
| D-08 | Supply Chain & Third-Party Risk | Satisfactory | Continuous monitoring; GDPR Article 28 DPAs with all sub-processors |
| D-09 | Incident Response & Resilience | Satisfactory | Automated DB backups; defined RTO/RPO and response process |
| D-10 | Physical & Environmental Security | Satisfactory | Cloud-native; physical security delegated to AWS/Vercel |
| D-11 | Compliance & Legal Obligations | Satisfactory | AMLA / AMLD6; GDPR; eIDAS compliance |
| D-12 | Continuous Monitoring & Threat Intelligence | Satisfactory | Real-time monitoring via Vercel, PostHog, automated scanners |

Management attestation

The following statement accompanies our published DSS-1200 assessment.

I, Simon Giles, Chief Executive Officer of Instant Compliance Pty Ltd (ACN 111 744 668), hereby attest that the security controls, architectural details, and operational practices described in this DSS-1200 assessment report are accurate and reflect the operational state of the Instant Compliance platform as of 28 April 2026. This assessment has been conducted in good faith against the Detailed Security Standard (DSS-1200) framework. Instant Compliance Pty Ltd is committed to the continuous improvement of its security posture to protect our customers, their data, and the integrity of the regulated obliged entities across the European Union that rely on our platform.

Simon Giles

Chief Executive Officer, Instant Compliance Pty Ltd

28 April 2026

Download the signed DSS-1200 assessment (PDF) for your records. Contact us for vendor questionnaires, GDPR Article 28 DPA, or supplemental assurance.