
Compliance Overview

Last Verified: 2026-02-17 | Owner: John

Drop — Compliance Overview

Regulatory Framework

PSD2 Compliance

  • AISP (Account Information Service Provider) — Read bank account balances via Open Banking
  • PISP (Payment Initiation Service Provider) — Initiate payments from user's bank account
  • No e-money licence required — Pass-through model avoids holding funds

AML/KYC Requirements

  • BankID verification — Mandatory before any transaction (satisfies Strong Customer Authentication)
  • Transaction monitoring — screening.ts service for suspicious activity
  • STR reporting — str.ts service for Suspicious Transaction Reports
  • 7-year retention — data-retention.ts service for compliance

GDPR Compliance

  • Data minimization — Only collect necessary data
  • User rights — Rectification, restriction, objection, erasure APIs implemented
  • Consent management — BankID consent for Open Banking access
  • Data retention — Automatic deletion after retention period
  • Privacy page — /personvern page with full transparency

Incident Response

Beredskapsplan (Contingency Plan)

Location: /Users/makinja/ALAI/products/Drop/legal/beredskapsplan.md

Key Elements:

  1. Incident classification — P1 (critical) to P4 (minor)
  2. Response team — Roles and responsibilities
  3. Communication protocol — Internal and external notifications
  4. Recovery procedures — System restoration steps
  5. Post-incident review — Root cause analysis, lessons learned

Hendelseshaandtering (Event Handling)

Location: /Users/makinja/ALAI/products/Drop/legal/hendelseshaandtering.md

Covers:

  • Security incidents (data breach, unauthorized access)
  • Operational incidents (system outage, payment failures)
  • Compliance incidents (regulatory violations)
  • Escalation procedures
  • Documentation requirements

Data Processing

Behandlingsprotokoll (Processing Protocol)

Location: /Users/makinja/ALAI/products/Drop/legal/behandlingsprotokoll.md

Defines:

  • Data categories collected
  • Processing purposes
  • Legal basis (consent, contract, legal obligation)
  • Data retention periods
  • Security measures
  • Third-party processors

Data Processing Agreements

Location: /Users/makinja/ALAI/products/Drop/legal/

Four DPA templates for different processor categories:

  1. Banking partners (Wise, Swan)
  2. Infrastructure providers (Vercel)
  3. Analytics services
  4. Support tools

Fees & Pricing

Gebyrskjema (Fee Schedule)

Location: /Users/makinja/ALAI/products/Drop/legal/gebyrskjema.md

Pricing:

  • Remittance: 0.5% of transfer amount
  • QR payments: 1% merchant fee, free for consumers
  • Currency conversion: Mid-market rate + 0.3% markup
  • Account linking: Free
  • Failed payments: No charge

Rammeavtale (Framework Agreement)

Location: /Users/makinja/ALAI/products/Drop/legal/rammeavtale.md

Standard terms and conditions for Drop users.

Security Measures

Application Security

  • JWT RS256 — Asymmetric key authentication
  • httpOnly cookies — Session cookies not readable from script, limiting token theft via XSS
  • CSP nonce — Content Security Policy with nonces
  • Rate limiting — API throttling
  • Input validation — Parameterized SQL, schema validation
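One way to implement the verification side of the "JWT RS256" measure above, as an added example written for this page rather than Drop's own code: the algorithm is pinned to RS256 before the signature is checked, so tokens claiming "none" or an HMAC algorithm, tampered payloads and expired tokens are all rejected. It assumes only Node's built-in crypto module and generates a throwaway RSA key pair in-process for the self-check.

```typescript
import * as crypto from 'node:crypto';

const b64url = (data: Buffer | string): string => Buffer.from(data).toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

// Issue a JWT signed with the server's RSA private key (RS256 = RSASSA-PKCS1-v1_5 + SHA-256).
function signRS256(payload: Record<string, unknown>, privateKey: crypto.KeyObject): string {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const signature = crypto.sign('sha256', Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${b64url(signature)}`;
}

// Verify a token against the public key only. The algorithm is pinned to RS256 before
// the signature is checked, so a header claiming "none" or an HMAC algorithm is rejected
// without the token ever being trusted. Returns the claims, or null on any failure.
function verifyRS256(token: string, publicKey: crypto.KeyObject): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;
  try {
    const header = JSON.parse(fromB64url(h).toString('utf8'));
    if (header.alg !== 'RS256') return null;
    const valid = crypto.verify('sha256', Buffer.from(`${h}.${b}`), publicKey, fromB64url(s));
    if (!valid) return null;
    const claims = JSON.parse(fromB64url(b).toString('utf8'));
    const now = Math.floor(Date.now() / 1000);
    if (typeof claims.exp !== 'number' || claims.exp <= now) return null; // an expiry is required
    return claims;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Self-check with a key pair generated in-process (constructed for this example, not a real key).
function selfCheck(): { genuine: boolean; algNone: boolean; tampered: boolean; expired: boolean } {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const token = signRS256({ sub: 'user-123', exp: now + 300 }, privateKey);
  const [h, b, s] = token.split('.');
  const noneHeader = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const forgedBody = b64url(JSON.stringify({ sub: 'user-123', role: 'admin', exp: now + 300 }));
  return {
    genuine: verifyRS256(token, publicKey)?.sub === 'user-123',       // valid token accepted
    algNone: verifyRS256(`${noneHeader}.${b}.`, publicKey) === null,   // unsigned token rejected
    tampered: verifyRS256(`${h}.${forgedBody}.${s}`, publicKey) === null, // signature no longer matches
    expired: verifyRS256(signRS256({ sub: 'user-123', exp: now - 1 }, privateKey), publicKey) === null,
  };
}
```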

Infrastructure Security

  • CI/CD scanning — Trivy vulnerability scanning
  • Secrets management — Environment-based secret rotation
  • TLS everywhere — HTTPS enforced
  • Database encryption — At-rest encryption

Operational Security

  • Access control — Role-based permissions
  • Audit logging — All sensitive actions logged
  • Disaster recovery — Backup and restore procedures (DR test plan)
  • Monitoring — Real-time alerts for anomalies