
Compliance Framework Document

Project: Drop — PSD2 Pass-Through Payment App
Version: 1.0
Date: 2026-02-23
Author: Security Architect
Status: Draft | In Review | Approved
Reviewers: DPO, Legal Counsel, CEO
Classification: Confidential

Document History

Version | Date | Author | Changes
0.1 | 2026-02-23 | Security Architect | Initial draft — multi-jurisdiction compliance mapping

1. Applicable Regulations

Compliance Owner: CISO / Compliance Officer ([email protected])
External Auditor: To be engaged (Phase 2)
Last Audit: 2026-02-12 (internal security audit) | Next Audit: 2026-Q3 (external pentest)

Regulation | Applicability | Effective Date | Status
PSD2 — Betalingstjenesteloven (LOV-2018-11-23-85) | YES — core: AISP/PISP payments | In force | 8% ready (BankID Phase 2)
GDPR — Personopplysningsloven (LOV-2018-06-15-38) | YES — processes EU personal data of all Norwegian users | May 25, 2018 | 15% ready (DPIA done, processing register pending)
AML — Hvitvaskingsloven (LOV-2018-06-01-23) | YES — payment service provider, remittance | In force | 5% ready (procedures done, real KYC Phase 2)
IKT-forskriften (FOR-2003-05-21-630) | YES — financial enterprise IT security | In force | 25% ready
DORA (EU) 2022/2554 | YES — payment institutions (Norway EEA incorporation expected 2026 H2) | Jan 17, 2025 (EU); ~2026 H2 (NO) | Preparing
Finansforetaksloven (LOV-2015-04-10-17) | YES — governance, licensing | In force | 0% licensed
Valutaregisterloven (LOV-2004-12-17-109) | YES — all cross-border remittance | In force | Not yet registered
Betalingssystemloven (LOV-1999-12-17-95) | YES — payment systems | In force | Monitoring
Finansavtaleloven (LOV-2020-12-18-146) | YES — consumer protection | 2023 | Draft terms (vilkår) exist

Source: legal/drop-regulatory-map-v2.md, legal/drop-gap-analysis-v2.md


2. Norway — Finanstilsynet & Core Regulatory Compliance

2.1 Finanstilsynet Licensing

Applicable law: Betalingstjenesteloven (LOV-2018-11-23-85)

License Option | Requirement | Status
Begrenset betalingsforetak (§ 2-10c) | Max 6M NOK/month, simplified application | Target for Phase 1 launch
Ordinært betalingsforetak (§ 2-3) | 125,000 EUR capital, EEA passport | Target for Scandinavia scaling
Agent model (§ 2-12) | Operate under licensed PSP — fastest route | Actively exploring partners

Current status: Not licensed. No live transactions until license or agent arrangement secured.

2.2 PSD2 / Betalingstjenesteloven Requirements

Summary

Requirement | Article/Section | Our Implementation
Strong Customer Authentication (SCA) | § 4-28, Del. Reg. (EU) 2018/389 | Phase 2: BankID OIDC (possession + knowledge)
Dynamic linking (amount + payee) | Del. Reg. Art. 5 | Phase 2: Shown in BankID signing dialog
AISP — account information | § 4-41 | Phase 2: Open Banking AISP integration
PISP — payment initiation | § 4-44 | Phase 2: Open Banking PISP integration
No storing user bank credentials | § 4-44(3) | ✓ — Drop never stores bank login credentials
Pre-transaction fee disclosure | § 3-23 | Partial: fee shown in API, not pre-auth
Transaction receipt | § 3-22 to § 3-26 | Phase 1 prerequisite
Framework agreement (rammeavtale) | § 3-1 to § 3-8 | Draft exists: legal/brukervilkar.md
Execution time D+1 (EEA) / D+4 (non-EEA) | § 4-15 | Dependent on PISP partner SLA

2.3 AML — Hvitvaskingsloven

Full procedures: legal/hvitvaskingsrutiner.md

Requirement | Section | Our Implementation
Enterprise risk assessment | § 6 | Document: legal/risikovurdering-hvitvasking.md
Written AML procedures | § 8 | Document: legal/hvitvaskingsrutiner.md
Customer identification (KYC) | § 12 | BankID: name + fødselsnummer (Phase 2)
Electronic verification | § 12(3) | BankID qualifies as electronic verification
PEP screening | § 18 | Integration: ComplyAdvantage / Refinitiv (Phase 2)
Sanctions screening | Sanksjonsforskrifter | Integration: EU/UN/Norwegian/OFAC lists (Phase 2)
Transaction monitoring | § 24 | Rules defined in hvitvaskingsrutiner.md
STR filing to EFE (Økokrim) | § 26 | Process documented; system Phase 2
No tipping off | § 28 | Policy: never inform customer of STR
Record keeping — 5 years | § 30 | Policy defined; technical implementation Phase 2
AML officer appointment | § 8(4) | Required before licensing

Corridor risk classification:

Risk level | Countries/corridors | Measures
Low (Lav) | EU/EEA countries, United Kingdom | Standard CDD
Medium (Middels) | Serbia (RSD), Bosnia and Herzegovina (BAM), Turkey (TRY) | Enhanced monitoring
High (Høy) | Pakistan (PKR) | EDD mandatory
Blocked (Sperret) | FATF/EU sanctions lists | Blocked in system

2.4 GDPR — Personopplysningsloven

See dedicated DPIA: data-protection-impact-assessment.md. Full privacy notice: legal/personvernerklaering.md.

Article | Requirement | Our Implementation
Art. 5 | Data minimization, purpose limitation | Collect only necessary fields; defined purposes
Art. 6(1)(b) | Contract basis — core service delivery | Remittance, QR payments, account management
Art. 6(1)(c) | Legal obligation basis — AML/KYC | Hvitvaskingsloven § 4, 10-18
Art. 6(1)(a) | Consent basis — AISP balance access | User grants PSD2 consent for Open Banking
Art. 13 | Privacy notice | legal/personvernerklaering.md (Norwegian)
Art. 28 | Data processor agreements | DPAs required with BankID, cloud provider, Sumsub
Art. 30 | Register of processing activities (behandlingsprotokoll) | Pending
Art. 32 | Appropriate technical/organisational measures | See security-architecture.md
Art. 33 | 72-hour breach notification to Datatilsynet | See data-breach-response-plan.md
Art. 34 | Communication to data subjects | Templates in breach response plan
Art. 35 | DPIA for high-risk processing | Document: legal/dpia-vurdering.md
Art. 37 | DPO designation | DPO contact: [email protected]
Art. 44 | Cross-border transfers | SCCs in place — see §6

2.5 Valutaregisterloven

Requirement | Section | Our Implementation
Register with SSB as reporting entity | § 3 | To be completed before first cross-border transaction
Report all cross-border payments | § 4 | Monthly reporting to SSB
Transaction data: amount, currency, country, purpose code | § 5 | recipients.country in DB schema
Retention — 5 years | § 6 | Policy defined


3. Serbia — Multi-Jurisdiction Compliance

3.1 Data Protection

Applicable law: Zakon o zaštiti podataka o ličnosti (ZZPL, Sl. glasnik RS br. 87/2018) (Law on Personal Data Protection — Serbia's GDPR-aligned legislation, in force November 21, 2018)

Requirement | Law Article | Our Implementation
Lawful basis for processing | ZZPL Art. 12 | Contract performance for remittance; legal obligation for AML
Data subject rights (access, erasure, portability) | ZZPL Art. 26-41 | Via DPO process at [email protected]
Data transfer outside Serbia | ZZPL Art. 64-65 | Drop's servers in Norway/EEA — transfer covered by adequacy assessment
Notification to Poverenik | ZZPL Art. 56 | 72-hour breach notification to Commissioner for Information of Public Importance and Personal Data Protection
Register of processing activities | ZZPL Art. 50 | Pending

Transfer mechanism — Norway → Serbia:

  • Norway is EEA but not EU; Serbia has no EU adequacy decision
  • Transfer basis: Standard Contractual Clauses (SCCs) per ZZPL Art. 65 + GDPR Art. 46(2)(c)
  • Transfer Impact Assessment (TIA): Required — assess Serbian law on government data access
  • Minimal data transferred: Only the sender's name (legally required) + the recipient's name/IBAN + amount

3.2 AML

Applicable law: Zakon o sprečavanju pranja novca i finansiranja terorizma (ZoPNFT, Sl. glasnik RS br. 113/2017, 91/2019, 153/2020) (Law on Prevention of Money Laundering and Terrorism Financing)

Requirement | Our Role
Correspondent bank in Serbia performs CDD on recipients | Correspondent bank responsibility
Drop provides complete sender information per FATF Recommendation 16 | Name, account, reference
Serbian NBS (Narodna banka Srbije) oversight of payment systems | Via correspondent bank

3.3 Payment Services

Applicable law: Zakon o platnim uslugama (Sl. glasnik RS br. 139/2014, 44/2018) (Law on Payment Services — Serbia's PSD2-equivalent)

Drop operates as a foreign PSP transferring funds to Serbia via correspondent banking. Direct license from NBS not required for outbound remittance from Norway. Correspondent bank in Serbia holds required NBS license.


4. Bosnia and Herzegovina — Multi-Jurisdiction Compliance

4.1 Data Protection — Entity-Level Regulation

Bosnia and Herzegovina has two entities with separate data protection legislation:

Federation of BiH (FBiH):

  • Applicable law: Zakon o zaštiti ličnih podataka (ZZLP BiH, Sl. glasnik BiH br. 49/2006, 76/2011, 89/2011) (Personal Data Protection Law — state-level, administered by Agencija za zaštitu ličnih podataka — AZLP)

Republika Srpska:

  • Same state-level law applies across both entities for personal data protection
  • AZLP (Agency for Personal Data Protection of BiH) is the supervisory authority for the entire country

Requirement | Law Article | Our Implementation
Lawful basis | ZZLP Art. 4 | Contract + legal obligation
Security measures | ZZLP Art. 14 | TLS 1.3, AES-256, bcrypt
Data transfer to third countries | ZZLP Art. 18 | Norway is not in EU — adequacy assessment per ZZLP + SCCs
Breach notification to AZLP | ZZLP + GDPR practice | 72-hour notification

Transfer mechanism — Norway → BiH:

  • No adequacy decision for BiH from EU/Norway
  • Transfer basis: SCCs + TIA
  • Minimal data: sender name + recipient name/IBAN/BAM amount

4.2 AML

Applicable law: Zakon o sprečavanju pranja novca i finansiranja terorističkih aktivnosti (ZSPNFiTA BiH, Sl. glasnik BiH br. 47/2014, 46/2017) (Law on Prevention of Money Laundering and Financing of Terrorist Activities — BiH)

Supervisory authority: Ured za sprečavanje pranja novca (USPN) — FATF/MONEYVAL member

Requirement | Our Role
Complete sender information on transfers | ✓ — FATF Rec. 16 compliant
Correspondent bank performs beneficiary CDD | Correspondent bank responsibility
BAM corridor classified as "Middels" (medium) risk | Higher monitoring thresholds apply

4.3 Payment Services

Applicable law: Zakon o platnom prometu (FBiH); Zakon o platnim transakcijama (RS)
Regulator: Centralna banka Bosne i Hercegovine (CBBH)

Drop transfers to BiH via correspondent banking; no direct CBBH license required for Norwegian outbound remittance.


5. Croatia — Multi-Jurisdiction Compliance

5.1 Data Protection

Croatia is an EU member state — GDPR applies directly.

Requirement | Our Implementation
GDPR (Regulation (EU) 2016/679) directly applicable | Full GDPR compliance required — see §2.4
AZOP (Agencija za zaštitu osobnih podataka) as supervisory authority | Breach notification within 72h to AZOP
Zakon o provedbi Opće uredbe o zaštiti podataka (NN 42/2018) | Croatian implementing legislation — aligns with GDPR

Transfer mechanism — Norway → Croatia:

  • Croatia is EU — no restriction on EEA→EU data transfer
  • Drop (Norway/EEA) → Croatia (EU): Free flow under GDPR Chapter V + EEA Agreement
  • No SCCs required; no TIA required

5.2 AML

Applicable law: Zakon o sprečavanju pranja novca i financiranja terorizma (ZSPMFT, NN 108/2017, 39/2019, 151/2022) (Law on Prevention of Money Laundering and Terrorist Financing — Croatia)

Supervisory authority: Ured za sprječavanje pranja novca (USPM) — FATF member as EU state

Requirement | Our Role
Complete sender information — EU Wire Transfer Regulation (2015/847) applies | ✓ — name, IBAN, reference
Croatian bank performs beneficiary CDD | Correspondent bank (Croatian HNB-licensed institution)
Croatia corridor: EUR — EU/EEA — Low risk | Standard CDD thresholds

5.3 Payment Services

Applicable law: Zakon o platnom prometu (NN 66/2018 — Croatian PSD2 implementation)
Regulator: Hrvatska narodna banka (HNB)

EU Wire Transfer Regulation (2015/847) applies directly. Drop must include complete originator information on all transfers to Croatia. No direct HNB license required for Norwegian outbound remittance via correspondent banking.


6. Cross-Border Data Transfer Summary

From | To | Mechanism | TIA Required | DPA Required | Notes
Norway (EEA) | Serbia | SCCs (2021) + TIA | Yes | Yes | No adequacy decision
Norway (EEA) | BiH | SCCs (2021) + TIA | Yes | Yes | No adequacy decision
Norway (EEA) | Croatia | EEA→EU free flow | No | N/A | EU member state
Norway (EEA) | Turkey | SCCs (2021) + TIA | Yes | Yes | No adequacy decision; higher risk
Norway (EEA) | Pakistan | SCCs (2021) + TIA + supplementary measures | Yes | Yes | High-risk jurisdiction
Norway (EEA) | Poland | EEA→EU free flow | No | N/A | EU member state

Data minimization for all transfers:

  • Sender: Full name only (lawfully required per FATF/EU 2015/847)
  • Recipient: Name + account/IBAN only
  • Never transferred: fødselsnummer, IP address, device ID, transaction history

7. Data Classification Scheme

Level | Label | Description | Examples | Controls Required
L1 | Public | Intended for public access | Exchange rates, fee schedule, privacy policy | None
L2 | Internal | Internal use only | Analytics, logs (masked) | Access control
L3 | Confidential | Sensitive personal or business data | User names, phone, email, transaction history, KYC status | Encryption + access control + logging
L4 | Restricted | Highest sensitivity, regulatory implications | Fødselsnummer, bank account numbers, KYC documents, JWT_SECRET, BankID certificates | Field-level encryption + MFA + strict access + audit + 5-year retention

Data labeling: All API responses include X-Data-Classification header when returning L3/L4 data.
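The following is an added example, not code from the Drop project, showing how the §7 classification scheme and the §6 data-minimization rule can be enforced in code rather than only documented: a classifier that derives the level of an API payload from its fields (unknown fields fail closed to L3), a helper that sets the X-Data-Classification header only for L3/L4 responses, and an allow-list projection plus outbound gate for cross-border transfer payloads. Field names, label strings and the "currency" field are assumptions; the sample record is constructed.

```python
"""Added example (not Drop's own code): label API responses with the §7
classification and apply the §6 cross-border minimisation allow-list.
Field names and label strings are assumptions; levels follow the examples
column of the §7 classification table."""
from __future__ import annotations

# Field -> classification level, from the §7 examples (field names assumed).
FIELD_LEVELS: dict[str, int] = {
    "exchange_rate": 1, "fee_schedule": 1,                    # L1 Public
    "masked_log": 2,                                          # L2 Internal
    "name": 3, "phone": 3, "email": 3,                        # L3 Confidential
    "transaction_history": 3, "kyc_status": 3,
    "fodselsnummer": 4, "bank_account_number": 4, "iban": 4,  # L4 Restricted
    "kyc_document": 4,
}
LABELS = {1: "L1-Public", 2: "L2-Internal", 3: "L3-Confidential", 4: "L4-Restricted"}
# Fail closed: a field nobody has classified yet is treated as Confidential.
DEFAULT_LEVEL = 3


def classify(payload: dict) -> int:
    """Highest level of any field in the payload, descending into nested
    objects and lists so a PII field inside a sub-document is not missed."""
    level = 1
    for key, value in payload.items():
        level = max(level, FIELD_LEVELS.get(key, DEFAULT_LEVEL), _classify_value(value))
    return level


def _classify_value(value) -> int:
    if isinstance(value, dict):
        return classify(value)
    if isinstance(value, list):
        return max((_classify_value(v) for v in value), default=1)
    return 1


def label_response(headers: dict[str, str], payload: dict) -> dict[str, str]:
    """Return headers with X-Data-Classification added only for L3/L4
    payloads, as the §7 'Data labeling' rule requires."""
    level = classify(payload)
    if level >= 3:
        return {**headers, "X-Data-Classification": LABELS[level]}
    return dict(headers)


# §6 minimisation: sender full name, recipient name + account/IBAN, amount.
# "currency" is an assumption (an amount needs one); nothing else crosses.
TRANSFER_ALLOWED = {"sender_name", "recipient_name", "recipient_iban", "amount", "currency"}
# Listed in §6 as never transferred.
NEVER_TRANSFER = {"fodselsnummer", "ip_address", "device_id", "transaction_history"}


def build_transfer_payload(record: dict) -> dict:
    """Allow-list projection of an internal payment record for the
    correspondent bank; every field not listed is dropped."""
    return {k: v for k, v in record.items() if k in TRANSFER_ALLOWED}


def assert_transfer_minimal(payload: dict) -> None:
    """Outbound gate: refuse to send a payload carrying any unlisted field
    or any field the document says is never transferred."""
    extra = set(payload) - TRANSFER_ALLOWED
    forbidden = set(payload) & NEVER_TRANSFER
    if extra or forbidden:
        raise ValueError(f"transfer payload not minimal: {sorted(extra | forbidden)}")


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"sender_name": "Ola Nordmann", "recipient_name": "Marko M.",
              "recipient_iban": "RS35000000000000000000", "amount": 2500,
              "currency": "RSD", "fodselsnummer": "01019900000",
              "ip_address": "203.0.113.7"}
    outbound = build_transfer_payload(record)
    assert_transfer_minimal(outbound)
    print(label_response({}, record), outbound)
```

The gate is deliberately separate from the projection: the projection runs where the payload is built, the gate runs immediately before the message leaves for the correspondent bank, so a later code path that bypasses the builder still cannot ship an L4 identifier.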



9. Data Subject Rights — Implementation

Right | Endpoint / Process | SLA | Automated?
Access (SAR) | [email protected] → data export | 30 days | Partial
Rectification | App Settings → Edit Profile | Immediate | Yes
Erasure | [email protected] → anonymize job | 30 days | Partial (AML retention exceptions)
Portability | Data export (JSON/CSV) | 30 days | Planned
Restriction | Support request → compliance flag | 30 days | No (manual)
Objection | [email protected] | 30 days | No (manual)
Automated decision opt-out | Fraud detection manual review request | 30 days | Partial

Identity verification for rights requests: BankID verification (same as login).
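As an added example, not Drop's own code, this is one way the erasure row's "anonymize job" with its AML retention exception can be implemented: contact and device data carry no retention duty and are deleted at once, while the identity data that Hvitvaskingsloven § 30 obliges Drop to keep for 5 years is moved into a compliance-only legal hold carrying an explicit purge date. The data model, field names and the sample user are assumptions constructed for the example.

```python
"""Added example (not Drop's own code): an Art. 17 erasure job that honours
the Hvitvaskingsloven § 30 five-year record-keeping duty. Data model and
field names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

AML_RETENTION = timedelta(days=5 * 365)  # Hvitvaskingsloven § 30: 5 years


@dataclass
class User:
    id: int
    name: str
    email: str
    phone: str
    fodselsnummer: str          # L4 Restricted
    device_ids: list[str] = field(default_factory=list)
    status: str = "active"


@dataclass
class Transaction:
    id: int
    user_id: int
    amount: int
    currency: str
    created: date


@dataclass
class LegalHold:
    """Identity kept solely for the AML duty; L4, compliance-team access only."""
    user_id: int
    name: str
    fodselsnummer: str
    reason: str
    purge_after: date


@dataclass
class ErasureOutcome:
    user_id: int
    identity_on_hold: bool
    purge_after: date | None


def anonymise_user(user: User, txs: list[Transaction],
                   holds: list[LegalHold], today: date) -> ErasureOutcome:
    """Process an erasure request. Afterwards the user row carries no
    identity; only a legal hold (if one was needed) still links the id
    to a person, and only until its purge date."""
    # No retention duty covers contact or device data: delete it now.
    user.email, user.phone, user.device_ids = "", "", []
    user.status = "erased"
    # Transactions younger than 5 years trigger the § 30 exception.
    recent = [t.created for t in txs
              if t.user_id == user.id and today - t.created < AML_RETENTION]
    purge_after = None
    if recent:
        purge_after = max(recent) + AML_RETENTION
        holds.append(LegalHold(user.id, user.name, user.fodselsnummer,
                               "Hvitvaskingsloven § 30", purge_after))
    # Transactions themselves keep only the opaque user id.
    user.name, user.fodselsnummer = f"erased-{user.id}", ""
    return ErasureOutcome(user.id, bool(recent), purge_after)


def purge_expired_holds(holds: list[LegalHold], today: date) -> list[LegalHold]:
    """Scheduled job: keep only holds whose retention period is still running."""
    return [h for h in holds if h.purge_after > today]


if __name__ == "__main__":
    # Constructed sample data, not real users.
    user = User(1, "Ola Nordmann", "ola@example.test", "+4700000000",
                "01019900000", ["dev-1"])
    txs = [Transaction(10, 1, 2500, "RSD", date(2025, 6, 1))]
    holds: list[LegalHold] = []
    print(anonymise_user(user, txs, holds, date(2026, 2, 23)), holds)
```

The purge date is computed from the newest retained transaction, so the hold expires exactly when the last record leaves the § 30 window; the scheduled purge is what makes the erasure complete rather than indefinitely "partial".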


10. Audit Schedule & Methodology

Audit Type | Frequency | Scope | Owner | Last Done | Next Due
Internal access review | Quarterly | All user accounts + permissions | Security team | 2026-02-13 | 2026-05-13
Vulnerability assessment | Quarterly | External attack surface | Security team / external | 2026-02-12 | 2026-05-12
Penetration test | Annual | Full scope | External firm (TBD) | Not yet done | 2026-Q3
AML program review | Annual | Full AML program | Compliance + external | Draft only | Pre-launch
GDPR compliance review | Annual | All processing activities | DPO | 2026-02-12 (DPIA) | 2027-02-12
DORA readiness review | Annual | ICT resilience | CISO + external | Not yet | 2026-Q4
Third-party risk review | Annual | BankID, cloud provider, Sumsub | Compliance | Not yet | Pre-launch

11. Compliance Training Requirements

Training | Audience | Frequency | Format
Security awareness + phishing simulation | All staff | Annual + onboarding | Online
GDPR / personopplysningsloven fundamentals | All staff handling personal data | Annual | Online
AML / hvitvaskingsloven — basic course (grunnkurs) | All staff | At employment + annual | Online
AML / hvitvaskingsloven — advanced (avansert) | Compliance, operations | Annual | Workshop
PEP and sanctions | Compliance, operations | Annual | Online
Secure coding | Engineering | Annual | Workshop + online
Incident response tabletop | Engineering + Management | Annual | Tabletop exercise


12. Critical Vendor Compliance Register

Vendor | Service | Tier | Certifications | DPA Status
BankID Norge AS | Norwegian eID authentication | Critical | SOC 2, ISO 27001 | Required — databehandleravtale
AWS | App Runner hosting | Critical | SOC 2 Type II, ISO 27001, PCI-DSS | DPA
Cloudflare | WAF + DDoS + CDN | Critical | SOC 2 Type II, ISO 27001 | Cloudflare DPA
Sumsub | KYC/AML identity verification | Critical | SOC 2, ISO 27001, GDPR | Required — DPA
Sentry | Error monitoring | High | SOC 2 | Sentry DPA
BetterStack | Uptime + log monitoring | High | SOC 2 | BetterStack DPA

Approval

Role | Name | Date | Signature
Author | Security Architect | 2026-02-23 |
DPO | | |
CISO | | |
Legal Counsel | | |
CEO / Management | | |