Compliance Overview

Last Verified: 2026-02-17 | Owner: John

Drop — Compliance Overview

Regulatory Framework

PSD2 Compliance

• AISP (Account Information Service Provider) — Read bank account balances via Open Banking
• PISP (Payment Initiation Service Provider) — Initiate payments from user's bank account
• No e-money licence required — Pass-through model avoids holding funds

AML/KYC Requirements

• BankID verification — Mandatory before any transaction (satisfies Strong Customer Authentication)
• Transaction monitoring — screening.ts service for suspicious activity
• STR reporting — str.ts service for Suspicious Transaction Reports
• 7-year retention — data-retention.ts service for compliance

GDPR Compliance

• Data minimization — Only collect necessary data
• User rights — Rectification, restriction, objection, erasure APIs implemented
• Consent management — BankID consent for Open Banking access
• Data retention — Automatic deletion after retention period
• Privacy page — /personvern page with full transparency

Incident Response

Beredskapsplan (Contingency Plan)

Location: /Users/makinja/ALAI/products/Drop/legal/beredskapsplan.md

Key Elements:

1. Incident classification — P1 (critical) to P4 (minor)
2. Response team — Roles and responsibilities
3. Communication protocol — Internal and external notifications
4. Recovery procedures — System restoration steps
5. Post-incident review — Root cause analysis, lessons learned

Hendelseshaandtering (Event Handling)

Location: /Users/makinja/ALAI/products/Drop/legal/hendelseshaandtering.md

Covers:

• Security incidents (data breach, unauthorized access)
• Operational incidents (system outage, payment failures)
• Compliance incidents (regulatory violations)
• Escalation procedures
• Documentation requirements

Data Processing

Behandlingsprotokoll (Processing Protocol)

Location: /Users/makinja/ALAI/products/Drop/legal/behandlingsprotokoll.md

Defines:

• Data categories collected
• Processing purposes
• Legal basis (consent, contract, legal obligation)
• Data retention periods
• Security measures
• Third-party processors

Data Processing Agreements

Location: /Users/makinja/ALAI/products/Drop/legal/

Four DPA templates for different processor categories:

1. Banking partners (Wise, Swan)
2. Infrastructure providers (Vercel)
3. Analytics services
4. Support tools

Fees & Pricing

Gebyrskjema (Fee Schedule)

Location: /Users/makinja/ALAI/products/Drop/legal/gebyrskjema.md

Pricing:

• Remittance: 0.5% of transfer amount
• QR payments: 1% merchant fee, free for consumers
• Currency conversion: Mid-market rate + 0.3% markup
• Account linking: Free
• Failed payments: No charge

Rammeavtale (Framework Agreement)

Location: /Users/makinja/ALAI/products/Drop/legal/rammeavtale.md

Standard terms and conditions for Drop users.

Security Measures

Application Security

• JWT RS256 — Asymmetric key authentication
• httpOnly cookies — XSS protection
• CSP nonce — Content Security Policy with nonces
• Rate limiting — API throttling
• Input validation — Parameterized SQL, schema validation

Infrastructure Security

• CI/CD scanning — Trivy vulnerability scanning
• Secrets management — Environment-based secret rotation
• TLS everywhere — HTTPS enforced
• Database encryption — At-rest encryption

Operational Security

• Access control — Role-based permissions
• Audit logging — All sensitive actions logged
• Disaster recovery — Backup and restore procedures (DR test plan)
• Monitoring — Real-time alerts for anomalies