Security and data

Designed for sensitive financial crime evidence.

CompliantID handles identity documents, ownership structures, wallet data, source of funds information and MLRO decisions. Every aspect of the architecture reflects the sensitivity of that data.

Data storage and residency

All client data stored in the EEA. Under your control.

Every piece of client compliance data — onboarding files, documents, screening results, MLRO decisions and audit records — is stored in EU-West infrastructure in Belgium. Data does not leave the EEA during normal operation. You remain the data controller at all times. CompliantID acts as your data processor under a formal Data Processing Agreement.

EEA data residency

All compliance data stored in EU-West (Belgium). Suitable for firms subject to GDPR, UK GDPR and equivalent EEA data protection requirements.

Encryption at rest and in transit

Data encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Applies to all stored files, records and transmitted data.

Role-based access control

Analysts, compliance managers, MLROs, administrators and read-only reviewers each have separate access levels. No user sees more than their role requires.

Full audit logging

Every file access, document upload, decision record, case note and approval is logged with user identity, timestamp and action. The log cannot be edited.

Multi-factor authentication

MFA is required for all MLRO dashboard access. Dashboard sessions expire automatically after inactivity.

10-year retention capability

Data retention configured to 10 years from the end of the client relationship, in line with AMLA, UK MLRs and equivalent provisions. Adjustable to your regulatory requirements.

AI data handling

AI processes your data transiently. It never trains on it.

CompliantID uses AI models via a commercial API under a formal Data Processing Agreement. Client data submitted to AI models for review or analysis is processed transiently — it is not retained beyond the immediate request and is not used to train AI models under any circumstances.

This is categorically different from consumer AI tools. The API operates under commercial terms that explicitly prohibit model training on customer data. This distinction is documented and can be provided to your DPO, legal team or regulator on request.

AI data processing facts

  • Data submitted to AI is processed transiently — not stored post-request
  • No client data is used to train AI models
  • Commercial DPA with EU Standard Contractual Clauses in place
  • Swiss nDSG addendum available for Swiss-regulated firms
  • AI provider acts as sub-processor under CompliantID's instructions only
  • Authoritative compliance record always stored in EEA infrastructure under your control
  • AI data use statement available on request for DPO and regulatory review

What is available for procurement review

  • Data Processing Agreement (GDPR Art. 28 compliant)
  • Sub-processor list
  • Data flow diagram
  • AI data use statement
  • Data retention and deletion policy
  • Access control model
  • Audit log description
  • Incident response summary
  • Security overview document

Procurement support

Everything your information security, legal and privacy teams need.

Compliance and financial crime teams purchasing software will typically need to involve information security, privacy, legal and procurement before approving a new system. We provide the documentation those teams need without requiring lengthy back-and-forth.

For firms in regulated sectors, we can also provide documentation suitable for presentation to the FCA, VQF, MAS, VARA or equivalent regulators as part of tool evidence requirements. A complete AML tool evidence pack is available on request.

Data ownership

Your data is yours. Always.

CompliantID does not use client compliance data for any purpose other than delivering the service. Your client files, decision records and audit trails are not shared with third parties, not used for benchmarking, not used for product development and not sold. On termination, data is made available for export for 90 days before deletion in accordance with your DPA.
