Compliance & Security
How CryptoGate ensures regulatory compliance and protects your data
Regulatory Compliance Overview
CryptoGate operates as a non-custodial payment processor. We do not hold, store, or control customer funds. This operational model allows us to:
- Operate without money transmitter licenses in most jurisdictions
- Avoid classification as a financial institution
- Provide services globally with minimal regulatory burden
Important: While we're non-custodial, merchants using CryptoGate are responsible for compliance with regulations in their jurisdiction.
Supported Jurisdictions
Supported Countries
CryptoGate is available in most countries worldwide, including:
- United States (all 50 states)
- Canada
- European Union (all 27 member states)
- United Kingdom
- Australia, New Zealand
- Japan, Singapore, South Korea
- Most South American and African countries
Restricted Jurisdictions
We do not provide services in:
- Countries and regions under comprehensive OFAC sanctions (Iran, North Korea, Syria, Cuba, the Crimea region)
- Regions with cryptocurrency bans
- High-risk jurisdictions as designated by FATF
AML/KYC Requirements
For Merchants
No KYC required for most merchants. We don't require identity verification because:
- We're non-custodial (don't hold funds)
- Payments go directly to merchant wallets
- Merchants control their own compliance
Enhanced Due Diligence (EDD)
We may request additional information for:
- Merchants processing >$100,000/month
- High-risk business categories
- Suspicious transaction patterns
Merchant Responsibilities
Merchants must:
- Comply with AML/KYC laws in their jurisdiction
- Implement customer verification if required by local law
- Report suspicious activity to authorities
- Maintain transaction records (typically 5-7 years)
Data Protection Compliance
GDPR (General Data Protection Regulation)
For EU users, we comply with GDPR by:
- Obtaining explicit consent for data collection
- Providing data access, portability, and deletion rights
- Appointing a Data Protection Officer (DPO)
- Implementing data protection by design
- Maintaining data processing records
- Reporting data breaches within 72 hours
CCPA (California Consumer Privacy Act)
For California residents:
- Right to know what data we collect
- Right to delete personal information
- Right to opt-out of data sales (we don't sell data)
- Non-discrimination for exercising privacy rights
Other Regional Laws
We also comply with:
- UK GDPR (United Kingdom)
- PIPEDA (Canada)
- Privacy Act 1988 (Australia)
- LGPD (Brazil)
Security Infrastructure
Infrastructure Security
- Hosting: Self-hosted on dedicated private servers
- Network: Private LAN with encrypted mesh networking
- Firewalls: Hardware and software firewalls on all servers
- DDoS Protection: Multi-layer DDoS mitigation
- Intrusion Detection: 24/7 IDS/IPS monitoring
Application Security
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Authentication: Bcrypt password hashing, 2FA support (TOTP)
- API Security: Rate limiting, request signing, API key rotation
- Input Validation: Sanitization of all user inputs
- WAF: Web Application Firewall in front of public endpoints
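The "request signing" and "API key rotation" items above name the controls without showing what a server has to check. The following is an added example, not CryptoGate's code or its actual API scheme: it assumes a hypothetical header layout (X-Api-Key, X-Timestamp, X-Signature), an HMAC-SHA256 signature over the method, path, timestamp and body hash, a 300-second replay window, and a constructed key store in which a rotated-out secret stays valid for a grace period.

```python
import hashlib
import hmac

# Illustrative signing scheme (assumed for this example, not CryptoGate's actual API):
#   X-Api-Key    -> identifies the merchant's key, looked up in KEY_STORE
#   X-Timestamp  -> unix seconds at signing time; bounds the replay window
#   X-Signature  -> hex HMAC-SHA256 over "METHOD\nPATH\nTIMESTAMP\nSHA256(body)"
MAX_CLOCK_SKEW = 300  # seconds a signed request remains acceptable

# Constructed sample key store. Each key id maps to the secrets currently honoured:
# the active secret first, then the previous one kept for a grace period so that
# rotation does not break clients mid-deploy. Retired secrets are dropped from
# the list once the grace period ends.
KEY_STORE = {
    "mk_demo": [
        b"current-secret-0123456789abcdef",
        b"previous-secret-fedcba9876543210",
    ],
}


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: compute the hex signature to send in X-Signature."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify_request(method: str, path: str, headers: dict, body: bytes, now: int) -> bool:
    """Server side: reject unknown keys and stale timestamps, then compare in constant time."""
    secrets = KEY_STORE.get(headers.get("X-Api-Key", ""))
    if not secrets:
        return False
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if not isinstance(presented, str) or not presented.isascii():
        return False
    # Replay window: a captured request cannot be resubmitted after MAX_CLOCK_SKEW seconds.
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing;
    # trying the previous secret too is what makes rotation seamless.
    return any(
        hmac.compare_digest(sign_request(secret, method, path, timestamp, body), presented)
        for secret in secrets
    )


if __name__ == "__main__":
    body = b'{"amount": "10.00", "currency": "BTC"}'
    sig = sign_request(KEY_STORE["mk_demo"][0], "POST", "/v1/invoices", 1700000000, body)
    headers = {"X-Api-Key": "mk_demo", "X-Timestamp": "1700000000", "X-Signature": sig}
    print(verify_request("POST", "/v1/invoices", headers, body, now=1700000010))
```

Hashing the body into the canonical string means a tampered payload fails verification even when the headers are replayed unchanged, and checking the timestamp before the HMAC keeps stale requests from costing a signature computation.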
Access Controls
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication for team members
- Audit logs for all privileged actions
Blockchain Security
- Full Nodes: We run full nodes for all supported cryptocurrencies
- Address Generation: HD wallet derivation with secure key storage
- Private Keys: Never stored on our servers (non-custodial)
- Transaction Verification: Multiple confirmations before marking payments complete
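"Multiple confirmations before marking payments complete" hides the awkward cases a payment tracker actually has to handle: a reorg that lowers the confirmation count, a transaction that vanishes from the active chain, and an underpayment. The following added example (not CryptoGate's code) shows one state machine for that logic; the per-asset thresholds, the status names and the observation shape are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed per-asset confirmation thresholds (illustrative, not CryptoGate's actual policy).
REQUIRED_CONFIRMATIONS = {"BTC": 3, "LTC": 6, "ETH": 12}


@dataclass
class Payment:
    currency: str
    expected_amount: int          # in the asset's smallest unit (sats, wei, ...)
    status: str = "pending"       # pending -> confirming -> complete; underpaid is a side state
    txid: Optional[str] = None
    confirmations: int = 0


def observe(payment: Payment, txid: Optional[str], amount: int, confirmations: Optional[int]) -> Payment:
    """Apply one observation of the paying transaction as seen by the full node.

    confirmations=None means the transaction is no longer in the mempool or in any
    block on the active chain (reorged out or double-spent), so the invoice goes
    back to waiting for a payment instead of trusting the earlier count.
    """
    if payment.status == "complete":
        # Finality was declared once the threshold was reached; later observations are ignored.
        return payment

    if confirmations is None:
        payment.status = "pending"
        payment.txid = None
        payment.confirmations = 0
        return payment

    payment.txid = txid
    payment.confirmations = confirmations

    if amount < payment.expected_amount:
        payment.status = "underpaid"
        return payment

    required = REQUIRED_CONFIRMATIONS[payment.currency]
    # A reorg can shorten the count; the status simply stays "confirming" until the
    # threshold is reached again, so nothing downstream is released early.
    payment.status = "complete" if confirmations >= required else "confirming"
    return payment


if __name__ == "__main__":
    # Constructed observation sequence: seen in mempool, two blocks, a one-block reorg,
    # the transaction dropping out entirely, then a replacement that confirms.
    p = Payment("BTC", 100_000)
    for obs in [("tx1", 100_000, 0), ("tx1", 100_000, 2), ("tx1", 100_000, 1),
                (None, 0, None), ("tx2", 100_000, 3)]:
        observe(p, *obs)
        print(p.status, p.txid, p.confirmations)
```

The key design choice is that the confirmation count is re-read from the node on every observation rather than incremented locally; that is what lets a reorg lower it safely.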
Audits & Certifications
Security Audits
- Penetration Testing: Annual third-party penetration tests
- Code Audits: Regular security code reviews
- Vulnerability Scans: Automated weekly scanning
Compliance Certifications
CryptoGate maintains:
- SOC 2 Type II: (In progress - expected Q2 2026)
- PCI DSS: Not required (no card data handling)
- ISO 27001: Information security management (planned)
Incident Response
Data Breach Protocol
In the event of a data breach, we will:
- Contain: Immediately isolate affected systems
- Investigate: Determine scope and impact within 24 hours
- Notify: Inform affected users within 72 hours (GDPR requirement)
- Report: File reports with relevant authorities
- Remediate: Fix vulnerabilities and enhance security
Reporting Security Issues
Found a security vulnerability? Please report responsibly:
Email: [email protected]
PGP Key: Available on request
We offer a bug bounty program for significant security discoveries.
Tax Reporting
Merchant Responsibilities
Merchants are responsible for:
- Reporting cryptocurrency income to tax authorities
- Calculating capital gains/losses on crypto holdings
- Maintaining transaction records for tax purposes
- Issuing tax forms to customers if required
CryptoGate's Role
We provide:
- Transaction export tools (CSV, JSON)
- Historical data for accounting
- Integration with tax software (TaxBit, CoinTracker)
We do NOT:
- Automatically report to tax authorities (we're non-custodial)
- Issue 1099 forms (not required for non-custodial services)
- Provide tax advice (consult a tax professional)
Sanctions & Screening
We screen transactions against:
- OFAC SDN List: Specially Designated Nationals
- EU Sanctions Lists: European Union sanctions
- UN Sanctions: United Nations sanctions
- Blockchain Analysis: Known malicious addresses
Transactions flagged by screening are:
- Automatically blocked
- Subject to manual review
- Reported to authorities if required
Transparency & Reports
CryptoGate publishes:
- Transparency Report: Annual report on government requests (published each January)
- Security Incidents: Public disclosure of major incidents
- Compliance Updates: Changes to compliance practices
Questions About Compliance?
Contact our compliance team for specific questions: