European Union Compliance
Introduction
ChainGuard operates within the European Union as a security + identity layer that provides non-custodial Web3 security infrastructure. This page explains how ChainGuard complies with EU regulatory requirements.
What ChainGuard Is NOT
ChainGuard does NOT:
- Custody funds
- Store private keys
- Transmit virtual assets
- Execute transactions
- Mediate payments
- Act as an exchange
- Act as a broker
- Fall under custodial wallet rules
- Qualify as a money transmitter
- Process fiat payments
- Take control of user funds
These boundaries keep ChainGuard from being misclassified under EU regulatory regimes that target custodial or payment services.
Applicable Regulations
| Regulation | Applies? | Explanation | Details |
|---|---|---|---|
| GDPR | ✔ | Data governance, deletion rights, minimization | See Data Protection & Privacy. We process personal data for identity verification, device binding, and audit trails. Full compliance with data subject rights, legal bases, and data minimization principles. |
| MiCA | ⚠ Partial | Does NOT apply as CASP (custodial services) | We do NOT custody funds, store private keys, or operate as a trading platform (see "What ChainGuard Is NOT" above). Our non-custodial vaults and identity services fall outside MiCA CASP definitions. However, we may assist VASPs with compliance tools. |
| eIDAS2 | ⚠ Partial | Device binding is NOT a qualified eID | We do NOT provide qualified electronic identification or trust services. Our device binding provides cryptographic proof of device ownership but is not a qualified eID under eIDAS2. We integrate with eIDAS-aligned KYC providers. |
| Travel Rule | ⚠ Integration Only | Does NOT apply directly (non-custodial) | We do NOT transmit virtual assets or act as a VASP (see "What ChainGuard Is NOT" above). However, we provide wallet binding, audit logging, and policy tools that help VASPs and financial institutions implement Travel Rule requirements when they connect to KYC/on/off-ramp services. |
ChainGuard's Compliance Position (EU)
GDPR Compliance
ChainGuard fully complies with GDPR requirements:
- Data minimization: Only collects data necessary for service operation
- User rights: Access, rectification, erasure, portability, and objection rights
- Legal basis: Clear legal bases for all data processing (contract, legitimate interest, legal obligation)
- Data transfers: Standard Contractual Clauses (SCCs) for international transfers
- Privacy by design: Built-in privacy protections at the architectural level
See our Data Protection & Privacy page for detailed information.
MiCA (Markets in Crypto-Assets Regulation)
ChainGuard does not qualify as a CASP (Crypto-Asset Service Provider) under MiCA because:
- We do not provide custody services
- We do not operate as a trading platform
- We do not provide exchange services
- Our vaults are non-custodial smart contracts
Our role is limited to security automation and identity verification, not crypto-asset services as defined under MiCA.
eIDAS2
ChainGuard's device binding is not a qualified eID or trust service under eIDAS2, and we are not a Qualified Trust Service Provider (QTSP).
We integrate with eIDAS-aligned KYC / QES providers (e.g. Sumsub-style services) and bind the verified identity to an Apple/Google-attested device with configurable expiry.
This allows regulated entities to use ChainGuard as a high-assurance authentication + device-binding layer inside an eIDAS-compliant flow, without us claiming eID or QTSP status.
Travel Rule
For MiCA / AMLD / Travel Rule scenarios, ChainGuard's wallet/vault binding, audit logging and policy engine help VASPs and financial institutions implement:
- Strong customer authentication
- Linkages between KYC'd users and on-chain addresses
- Verifiable activity logs for their own regulatory reporting
What We Already Implement
- Non-custodial architecture (no MSB/VASP/custody roles) – documented in VAT/AML positioning
- Identity/wallet/device binding – `user_2fa` table, `deviceWallet.js` service, OAuth scope-based permissions
- AML-compatible logging – `connection_logs`, `session_activity`, `security_events` tables with 5-7 year retention capability
- GDPR legal bases & rights – Soft deletes (`deleted_at`), user profile management, consent screens in portal
- Sanctions screening infrastructure – Database structure ready; service integration needed
What Needs to Be Addressed
- eIDAS2 integration: KYC provider integration (Sumsub/other) with eIDAS-aligned evidence storage and expiry management
- VAT OSS: Invoice generation service with One-Stop Shop (OSS) VAT calculation and reporting
- GDPR data export/deletion: Automated data export and deletion workflows triggered by user requests
- Device attestation: Apple App Attest / Google Play Integrity API integration for attested device proofs
Official Regulatory References
- GDPR — https://eur-lex.europa.eu/eli/reg/2016/679
- MiCA — https://eur-lex.europa.eu/eli/reg/2023/1114
- eIDAS2 — https://digital-strategy.ec.europa.eu
- Travel Rule — https://www.fatf-gafi.org
Related Documentation
- Data Protection - Detailed GDPR compliance
- VAT & AML - Tax and billing compliance
- Global Compliance - Overall compliance framework
- Project Architecture - Technical documentation
Contact
For EU-specific compliance inquiries:
- Data Protection Officer (DPO): privacy@chain-fi.io