Regulatory Compliance Framework
Every architectural decision in tPay365 maps to a specific regulatory requirement. This page documents our compliance posture across FCA, GDPR, and PCI-DSS.
FCA Safeguarding
Customer Fund Protection
Customer funds are held by an FCA-regulated banking partner and are 100% safeguarded in segregated Tier-1 accounts. There is zero commingling with tPay365's operational funds at any point.
Daily reconciliation runs automatically between the tPay365 ledger and the banking partner to ensure balances are byte-accurate. In the event tPay365 ceases trading, all customer funds remain recoverable through the regulated banking partner.
Safeguarding Checklist
| Requirement | Status | Implementation |
|---|---|---|
| Client money segregation | Implemented | Separate Tier-1 accounts with banking partner |
| Daily reconciliation | Implemented | Automated daily balance check |
| Client money report | Planned | Monthly CASS report generation |
| Adequate records | Implemented | Append-only audit log |
| Notification to FCA | Planned | Automated breach notification pipeline |
UK GDPR
Data Subject Rights
| Right | Implementation |
|---|---|
| Access (Art. 15) | Full data export via API within 30 days |
| Rectification (Art. 16) | In-app profile editing, vault update |
| Erasure (Art. 17) | Crypto-shredding: encryption key destruction |
| Portability (Art. 20) | Structured JSON export of all personal data |
| Restriction (Art. 18) | Vault freeze: data retained but inaccessible |
| Objection (Art. 21) | Marketing opt-out, processing restriction |
Crypto-Shredding
When an account is deleted, we don't just mark records as deleted. We destroy the encryption key. All associated ciphertext becomes permanently unrecoverable — even by us.
This approach satisfies the GDPR right to erasure without requiring row-level deletion across distributed systems. The ciphertext can remain in place; without the key, it is computationally indistinguishable from random noise.
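The crypto-shredding flow described above, as an added Python example that is not tPay365's own code. The `Vault` class, its method names and the SHA-256 counter-mode cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class ErasedError(Exception):
    """The account's data key has been destroyed."""

def _sub(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from the account key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 in counter mode: a standard-library stand-in for a real AEAD
    # such as AES-GCM, used only so the example runs without dependencies.
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

class Vault:
    """Hypothetical vault: one data key per account, ciphertext kept apart."""

    def __init__(self):
        self.keys = {}     # account_id -> 32-byte key (a KMS/HSM in practice)
        self.records = []  # (account_id, nonce, ciphertext, tag); never deleted

    def put(self, account_id: str, plaintext: bytes) -> int:
        key = self.keys.setdefault(account_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.records.append((account_id, nonce, ct, tag))
        return len(self.records) - 1

    def get(self, record_id: int) -> bytes:
        account_id, nonce, ct, tag = self.records[record_id]
        key = self.keys.get(account_id)
        if key is None:
            raise ErasedError(account_id)
        want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("ciphertext failed authentication")
        return _xor_stream(_sub(key, b"enc"), nonce, ct)

    def erase(self, account_id: str) -> None:
        # Crypto-shredding: destroy the key only; ciphertext rows stay in place.
        self.keys.pop(account_id, None)
```

Erasure is only as complete as the key destruction: any surviving copy of the key (backup, cache, replica) keeps the remaining ciphertext readable.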
Data Processing Agreement
All third-party processors operate under signed DPAs that mandate equivalent encryption standards, breach notification obligations, and sub-processor restrictions. No PII is shared without a valid legal basis documented in the processing register.
Breach Notification
tPay365 commits to a 72-hour ICO breach notification window. The automated pipeline detects anomalies, classifies severity, and generates pre-formatted ICO notification drafts. Affected data subjects are notified without undue delay.
PCI-DSS Alignment
tPay365 does not directly store, process, or transmit cardholder data. All payment processing is handled by PCI-certified partners. Our internal controls align with PCI-DSS principles as a defence-in-depth measure.
Key Controls
- Network segmentation between all services
- TLS 1.3 minimum for all data in transit
- Regular penetration testing schedule
- Vulnerability management program
- Access control and authentication (mTLS + API keys)