What Is Your Approach to Compliance?
Vacalion operates at the intersection of financial services and technology — a space subject to complex, overlapping regulatory requirements across multiple jurisdictions. We treat compliance not as a minimum obligation but as a core element of how we build trust with customers, partners, and regulators.
Our compliance programme is built on three principles:
- Proactive: we monitor regulatory developments in every market we operate in and build new obligations into our systems before they take effect, not after
- Embedded: compliance requirements are incorporated into product design and engineering processes from day one — not added as an afterthought
- Auditable: we maintain comprehensive records, policies, and audit trails that demonstrate compliance to regulators, auditors, and enterprise customers
How Is Compliance Governed Internally?
Our compliance function is structured to provide independent oversight across all regulatory domains:
- A dedicated Compliance Officer is responsible for maintaining and enforcing our compliance programme and reporting directly to the CEO
- A Data Protection Officer (DPO) oversees all data privacy obligations, including GDPR and CCPA compliance, and serves as the designated point of contact for supervisory authorities
- A cross-functional Compliance Committee convenes monthly to review regulatory changes, audit findings, and policy updates
- All compliance policies are reviewed and updated at minimum annually, or sooner when regulatory changes require it
- Staff with access to regulated data or systems receive role-specific compliance training as part of onboarding and on an ongoing basis
How Do You Comply with GDPR?
The General Data Protection Regulation (EU) 2016/679 applies to all personal data we process relating to individuals in the European Economic Area. Our GDPR compliance programme includes:
- A maintained Record of Processing Activities (ROPA) documenting all personal data flows, legal bases, and data retention schedules
- Data Protection Impact Assessments (DPIAs) conducted for all high-risk processing activities, including AI-based financial analysis and automated decision-making
- Data Processing Agreements (DPAs) in place with all third-party processors, incorporating Standard Contractual Clauses (SCCs) for cross-border transfers
- A designated Data Protection Officer reachable at dpo@vacalion.com
- A documented process for handling Data Subject Access Requests (DSARs) with a maximum 30-day response commitment
- Breach notification procedures that meet the 72-hour reporting requirement under Art. 33 GDPR
How Do You Comply with CCPA / CPRA?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants extended privacy rights to California residents. Our compliance measures include:
- A clear and accessible Privacy Policy disclosing the categories of personal information we collect, use, and share
- A documented process for responding to consumer rights requests (right to know, delete, correct, and opt out) within the statutory 45-day window
- Contracts with all Service Providers that prohibit them from using personal information for any purpose other than providing services to us
- Confirmation that we do not sell personal information and do not share it for cross-context behavioural advertising
- Annual employee training on CCPA obligations for staff handling California resident data
Where Is Personal Data Stored and Processed?
We address data localisation requirements as follows:
| Region | Data Residency Approach |
|---|---|
| United States | Primary data storage in us-east-1 (AWS Virginia); no mandatory localisation requirements currently applicable |
| European Union / EEA | EU user personal data processed within EU-region cloud instances; cross-border transfers governed by SCCs |
| United Kingdom | UK user data processed within UK/EEA region; UK GDPR adequacy framework applied |
We review data localisation requirements in all new markets before launch and update our infrastructure accordingly.
How Do You Handle AML and KYC Requirements?
Vacalion's payment features are subject to anti-money laundering (AML) and know-your-customer (KYC) obligations under applicable law, including the US Bank Secrecy Act (BSA) and EU Anti-Money Laundering Directives (AMLD).
Our AML/KYC programme includes:
- Customer Due Diligence (CDD): identity verification is required for all users accessing regulated payment features, using government-issued ID and address verification
- Enhanced Due Diligence (EDD): applied to higher-risk customers, including Politically Exposed Persons (PEPs) and accounts with elevated transaction volumes
- Transaction monitoring: automated monitoring of transactions for patterns associated with money laundering, structuring, and sanctions evasion
- Sanctions screening: all customers and counterparties are screened against OFAC, EU, and UN sanctions lists on onboarding and on an ongoing basis
- Suspicious Activity Reporting (SAR): suspicious activities are escalated to the Compliance Officer and reported to FinCEN (US) or the relevant FIU where legally required
- Record retention: AML/KYC records are retained for a minimum of 5 years after account closure, in accordance with regulatory requirements
How Do You Comply with PCI DSS?
Vacalion processes payments exclusively through Stripe, a PCI DSS Level 1 Service Provider — the highest tier of PCI DSS certification. By using Stripe Elements and Stripe.js for card data capture, payment card information flows directly between the user's browser and Stripe's secure environment, never touching Vacalion's servers.
This architecture means Vacalion operates under the SAQ A (Self-Assessment Questionnaire A) scope of PCI DSS — the most limited scope, applicable to merchants that have fully outsourced card data processing and storage. Our SAQ A is completed annually.
How Do You Handle Open Banking Regulations?
Vacalion's bank account aggregation features are powered by regulated open banking providers (Plaid in the US; compatible providers in the EU/UK). We do not directly acquire or retain user credentials for external bank accounts.
- In the EU/EEA, bank account connectivity complies with the PSD2 (Payment Services Directive 2) framework via licensed Account Information Service Providers (AISPs)
- In the UK, we rely on FCA-authorised open banking providers operating under the Open Banking Implementation Entity (OBIE) standards
- In the US, data access is governed by our agreement with Plaid, which complies with applicable state and federal financial data regulations and the Dodd-Frank Act Section 1033 framework
- Users may revoke bank access consent at any time from within the Vacalion app; revocation is propagated to the open banking provider within 24 hours
What Is Your SOC 2 Status?
Vacalion is in the process of completing its first SOC 2 Type II audit, covering the Trust Service Criteria for Security, Availability, and Confidentiality. A SOC 2 Type II report examines whether controls operate effectively over an audit period (typically 6–12 months), providing stronger assurance than a Type I point-in-time assessment.
In the meantime, we can provide enterprise customers with:
- A SOC 2 bridge letter confirming the current status of our audit engagement
- Our completed security questionnaire (CAIQ or custom)
- The SOC 2 reports of our cloud infrastructure providers (AWS, Google Cloud), which cover the underlying infrastructure layer
Please contact compliance@vacalion.com to request these documents under NDA.
Are You Pursuing ISO 27001 Certification?
ISO/IEC 27001 certification is on our compliance roadmap. We have implemented the majority of controls specified in Annex A of ISO 27001:2022, including:
- Information security policies reviewed by senior leadership annually
- Asset management and classification procedures for all information assets
- Risk assessment and treatment processes run on a quarterly basis
- Supplier security assessments for all critical third-party relationships
- Physical security controls for all office locations and remote-access policies for remote workers
We anticipate completing formal ISO 27001 certification within 12 months. Enterprise customers requiring this certification may contact us to discuss a timeline or alternative assurance documentation.
What Regulations Apply in the United States?
In the United States, Vacalion's operations are subject to a range of federal and state regulations, including:
| Regulation | Description | Our Approach |
|---|---|---|
| Bank Secrecy Act (BSA) | AML reporting obligations for financial service providers | SAR filing, transaction monitoring, record retention |
| Gramm-Leach-Bliley Act (GLBA) | Safeguarding non-public personal financial information | Comprehensive security programme; privacy notices provided to users |
| CCPA / CPRA | California consumer privacy rights | Full CCPA compliance programme (see "How Do You Comply with CCPA / CPRA?") |
| Electronic Fund Transfer Act (EFTA) | Consumer rights for electronic fund transfers | Error resolution procedures and required disclosures in place |
| OFAC Sanctions | Prohibition on dealings with sanctioned individuals and entities | Real-time sanctions screening on onboarding and transactions |
What Regulations Apply in the EU / EEA?
For European users, Vacalion complies with the following key frameworks:
| Regulation | Description | Our Approach |
|---|---|---|
| GDPR (EU) 2016/679 | General Data Protection Regulation | Full GDPR programme including ROPA, DPIAs, DPAs, and appointed DPO (see "How Do You Comply with GDPR?") |
| PSD2 (EU) 2015/2366 | Payment Services Directive 2 | Open banking connectivity via licensed AISPs; Strong Customer Authentication (SCA) enforced |
| AMLD 5/6 | Anti-Money Laundering Directives | KYC/CDD programme; transaction monitoring; SAR filing to local FIUs |
| ePrivacy Directive | Cookie and electronic communications consent | GDPR-standard cookie consent implemented across all web properties |
What Regulations Apply in the United Kingdom?
Following the UK's departure from the EU, the UK GDPR and the Data Protection Act 2018 (DPA 2018) apply to personal data relating to UK residents. These closely mirror the EU GDPR, and our GDPR compliance programme satisfies both regimes.
- The UK Information Commissioner's Office (ICO) is the relevant supervisory authority for UK data protection matters
- Open banking connectivity in the UK operates under the FCA's Open Banking framework, with data access governed by our Open Banking provider's FCA authorisation
- UK AML obligations under the Proceeds of Crime Act 2002 (POCA) and the Money Laundering Regulations 2017 are addressed through our existing AML/KYC programme
- Cross-border data transfers from the UK to the US are covered by the UK-US Data Bridge (adequacy arrangement) or, where not applicable, by IDTA (International Data Transfer Agreements)
How Do I Request Compliance Documentation?
Enterprise customers, prospective customers conducting due diligence, and auditors may request the following compliance documentation from Vacalion:
- SOC 2 bridge letter and audit timeline
- Completed security questionnaires (CAIQ, SIG Lite, or custom formats)
- Data Processing Agreement (DPA) and Standard Contractual Clauses
- Sub-processor list
- Penetration test executive summary (for enterprise customers under NDA)
- AML/KYC policy summary
- PCI DSS SAQ A completion attestation
To request any of these documents, email compliance@vacalion.com with your organisation name, the specific documents required, and the purpose of your request. We will respond within 3 business days.
How Do I Reach Your Compliance Team?
For all compliance-related enquiries, including regulatory questions, audit support, data protection requests, and compliance documentation, please contact us:
Compliance Team
Regulatory enquiries, audit support, and documentation requests: compliance@vacalion.com
Data Protection Officer: dpo@vacalion.com
AML / KYC enquiries: compliance@vacalion.com
Vacalion LLC — United States