Compliance & Security

How CryptoGate ensures regulatory compliance and protects your data

Regulatory Compliance Overview

CryptoGate operates as a non-custodial payment processor. We do not hold, store, or control customer funds. This operational model allows us to:

  • Operate without money transmitter licenses in most jurisdictions
  • Avoid classification as a financial institution
  • Provide services globally with minimal regulatory burden

Important: While we're non-custodial, merchants using CryptoGate are responsible for compliance with regulations in their jurisdiction.

Supported Jurisdictions

Supported Countries

CryptoGate is available in most countries worldwide, including:

  • United States (all 50 states)
  • Canada
  • European Union (all 27 member states)
  • United Kingdom
  • Australia, New Zealand
  • Japan, Singapore, South Korea
  • Most South American and African countries

Restricted Jurisdictions

We do not provide services in:

  • Countries and regions under comprehensive OFAC sanctions (Iran, North Korea, Syria, Cuba, Crimea)
  • Regions with cryptocurrency bans
  • High-risk jurisdictions as designated by FATF

AML/KYC Requirements

For Merchants

No KYC required for most merchants. We don't require identity verification because:

  • We're non-custodial (don't hold funds)
  • Payments go directly to merchant wallets
  • Merchants control their own compliance

Enhanced Due Diligence (EDD)

We may request additional information for:

  • Merchants processing >$100,000/month
  • High-risk business categories
  • Suspicious transaction patterns

Merchant Responsibilities

Merchants must:

  • Comply with AML/KYC laws in their jurisdiction
  • Implement customer verification if required by local law
  • Report suspicious activity to authorities
  • Maintain transaction records (typically 5-7 years)

Data Protection Compliance

GDPR (General Data Protection Regulation)

For EU users, we comply with GDPR by:

  • Obtaining explicit consent for data collection
  • Providing data access, portability, and deletion rights
  • Appointing a Data Protection Officer (DPO)
  • Implementing data protection by design
  • Maintaining data processing records
  • Reporting data breaches within 72 hours

CCPA (California Consumer Privacy Act)

For California residents:

  • Right to know what data we collect
  • Right to delete personal information
  • Right to opt-out of data sales (we don't sell data)
  • Non-discrimination for exercising privacy rights

Other Regional Laws

We also comply with:

  • UK GDPR (United Kingdom)
  • PIPEDA (Canada)
  • Privacy Act 1988 (Australia)
  • LGPD (Brazil)

Security Infrastructure

Infrastructure Security

  • Hosting: Self-hosted on dedicated private servers
  • Network: Private LAN with encrypted mesh networking
  • Firewalls: Hardware and software firewalls on all servers
  • DDoS Protection: Multi-layer DDoS mitigation
  • Intrusion Detection: 24/7 IDS/IPS monitoring

Application Security

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Authentication: bcrypt password hashing, 2FA support (TOTP)
  • API Security: Rate limiting, request signing, API key rotation
  • Input Validation: Sanitization of all user inputs
  • WAF: Web Application Firewall

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for team members
  • Audit logs for all privileged actions

Blockchain Security

  • Full Nodes: We run full nodes for all supported cryptocurrencies
  • Address Generation: HD wallet derivation with secure key storage
  • Private Keys: Never stored on our servers (non-custodial)
  • Transaction Verification: Multiple confirmations before marking payments complete

Audits & Certifications

Security Audits

  • Penetration Testing: Annual third-party penetration tests
  • Code Audits: Regular security code reviews
  • Vulnerability Scans: Automated weekly scanning

Compliance Certifications

CryptoGate maintains:

  • SOC 2 Type II: In progress (expected Q2 2026)
  • PCI DSS: Not required (no card data handling)
  • ISO 27001: Information security management (planned)

Incident Response

Data Breach Protocol

In the event of a data breach, we will:

  1. Contain: Immediately isolate affected systems
  2. Investigate: Determine scope and impact within 24 hours
  3. Notify: Inform affected users within 72 hours (GDPR requirement)
  4. Report: File reports with relevant authorities
  5. Remediate: Fix vulnerabilities and enhance security

Reporting Security Issues

Found a security vulnerability? Please report responsibly:

Email: [email protected]
PGP Key: Available on request

We offer a bug bounty program for significant security discoveries.

Tax Reporting

Merchant Responsibilities

Merchants are responsible for:

  • Reporting cryptocurrency income to tax authorities
  • Calculating capital gains/losses on crypto holdings
  • Maintaining transaction records for tax purposes
  • Issuing tax forms to customers if required

CryptoGate's Role

We provide:

  • Transaction export tools (CSV, JSON)
  • Historical data for accounting
  • Integration with tax software (TaxBit, CoinTracker)

We do NOT:

  • Automatically report to tax authorities (we're non-custodial)
  • Issue 1099 forms (not required for non-custodial services)
  • Provide tax advice (consult a tax professional)

Sanctions & Screening

We screen transactions against:

  • OFAC SDN List: Specially Designated Nationals
  • EU Sanctions Lists: European Union sanctions
  • UN Sanctions: United Nations sanctions
  • Blockchain Analysis: Known malicious addresses

Transactions flagged by screening are:

  • Automatically blocked
  • Subject to manual review
  • Reported to authorities if required

Transparency & Reports

CryptoGate publishes:

  • Transparency Report: Annual report on government requests (published each January)
  • Security Incidents: Public disclosure of major incidents
  • Compliance Updates: Changes to compliance practices

Questions About Compliance?

Contact our compliance team for specific questions:
