Global Compliance Overview

Overview
- Who we are
- At a glance
How the ChainGuard OAuth Bridge Works
- Our Approach
What We Already Implement (Global, by Default)
Compliance Implementation by Stack Component
Cross-Jurisdiction Pattern: Crypto / Web3 Compliance Convergence
What the OAuth Scopes/Claims Typically Expose to Relying Parties
What We Are NOT
How This Maps to the ChainFi Stack
- How the Flow Works
Flow Legend & Compliance Mapping
Governance
Related Documentation
Contact

Overview

Welcome to the ChainGuard Compliance Center. This area explains how ChainGuard's products fit within current regulatory frameworks and how we handle identity, data, and auditability across jurisdictions.

ChainGuard provides non-custodial Web3 security and identity infrastructure. We give regulated businesses the tools to bind wallets to verified users, enforce policy, and generate audit trails — but we never hold client assets or control user funds.

Who we are

ChainGuard is a product suite developed by Chain-Fi Labs and operated under Chain-Fi Limited, a company registered in England & Wales.

For contractual and regulatory purposes, references to "ChainGuard", "Chain-Fi", "we", or "our" in this Compliance Center mean Chain-Fi Limited (and its Chain-Fi Labs development team) unless stated otherwise.

At a glance

Role: Technology / infrastructure provider, not an exchange, broker, or custodian.
Architecture: Non-custodial by design – users keep control of their keys and assets at all times.
Governance: Compliance is overseen by CEO & Founder Dennis Reckermann and the Board.
Coverage: Jurisdiction-specific sections (EU, US, UK, UAE, Singapore, Hong Kong, etc.) explain how we align with local rules (GDPR, CCPA/CPRA, MiCA, AML/CTF, Travel Rule).
Documentation: Linked policies cover governance, security, data protection, AML/CTF, sanctions, and record-keeping.

How the ChainGuard OAuth Bridge Works

Problem we solve: DApps need proof and attributes (KYC status, device risk, wallet binding, audit trail) — not custody of user assets.

Our Approach

No direct connection between DApps and user assets. DApps never get keys or custody; they only receive permission-scoped claims (e.g., "KYC_verified=true", "wallet=0x… belongs to user X", "device=attested, exp=…") issued by our gateway. App permissions and allowed functions are explicitly registered per AppID.
Device → wallet binding with optional KYC proof. We register device–wallet links and can attach KYC provider evidence (Sumsub) at the "identity folder."
Cryptographic assurance on messages. Mobile responses can be guardian-signed; the server also attaches a second, signed copy. The web client receives both versions (unsigned + signed) and verifies.
Signer + device attestation 2FA. Requests can require a second factor on an attested device; the gateway signs payloads using the app's guardian key (ECDSA) for verification.
Immutable audit trail. Every session message is stored with session_id, device_id, wallet_address, app_id, function_name, and raw payload/response — giving exporters an end-to-end, queryable record.
Compliance center & multilingual structure. All of this is surfaced per-jurisdiction in our Compliance Center, localized, and linked from GEO pages.

What We Already Implement (Global, by Default)

Non-custodial architecture (no private keys, no transmission, no custody). VAT/AML doc explicitly positions us outside MSB/VASP/custody roles while still meeting AML-compatible controls.
Identity, wallet, and device binding with optional KYC tiers; clear data-minimization and legal bases by feature.
Audit logs & governance (roles, retention: AML 5y, tax 6–7y, immutable logs linked to identity+wallet+device).
Sanctions & prohibited use enforcement (OFAC/EU/UK/UN alignment; wallet screening, geo/IP restrictions).
VAT/GST compliant billing (crypto→fiat timestamped FX, invoice lines, OSS/UK VAT/JCT/KR VAT/SG GST coverage).
Server-side cryptographic validation & audit chains (design pattern used across the stack).

Compliance Implementation by Stack Component

Backend (chainfi-backend)

Implemented:

Audit logging infrastructure: Comprehensive logging of user activities, security events, connections, and session activity.
OAuth 2.0 service: Full OAuth flow with authorization codes, access tokens, refresh tokens, scope management, and client registration.
Device-wallet binding: Device ID to wallet address mapping with signature verification capability.
Session management: Session tracking with session_id, device_id, wallet_address, app_id for audit trails.
Security event tracking: Failed auth attempts, suspicious activity detection, rate limiting integration points.
Database schema: Immutable audit trail structure with indexes for compliance queries (5-7 year retention capability).

Needs implementation:

KYC provider integration (Sumsub/other) with evidence storage.
Sanctions screening service (OFAC/EU/UK/UN wallet address checks).
Device attestation verification (Apple/Google attestation API integration).
VAT/GST invoice generation service.
Jurisdiction-specific data retention policies and automated archival.

Database (chainfi-database)

Implemented:

User identity tables: users, user_profiles with GDPR-compatible soft deletes.
2FA binding: user_2fa table linking users to wallet addresses for 2FA.
OAuth tables: Full OAuth 2.0 schema with scopes, permissions, token lifecycle.
Audit tables: connection_logs, session_activity, security_events, user_activity with JSONB for flexible compliance data.
Indexes: Optimized for compliance queries (user_id, created_at, event_type, severity).

Needs implementation:

KYC evidence table (provider_ref, tier, jurisdiction, expiry, verification_status).
Device attestation table (device_id, platform, attestation_proof, expiry, risk_flags).
Sanctions screening results table (wallet_address, screening_date, result, list_name).
Invoice/billing tables (invoice_id, user_id, jurisdiction, VAT/GST amount, timestamped FX rates).

Portal (chainguard.chain-fi.io)

Implemented:

OAuth consent screens: User-facing scope review and approval.
2FA setup/verification flows: Mobile QR code scanning for device-bound 2FA.
Activity history dashboard: User-visible audit trail.
App access management: Permission review and revocation UI.

Needs implementation:

KYC verification flow UI (triggered by scope requests, provider integration).
Jurisdiction-specific consent language and data rights notices (GDPR, PDPA, etc.).
Device attestation status display.
Invoice/billing history UI.

Mobile App (ChainGuard 2FA)

Implemented:

QR code scanning: Device-bound signature verification for 2FA.
Wallet management: Local wallet storage and signing capability.
Privacy policy: User-facing compliance documentation.

Needs implementation:

Device attestation API calls (Apple App Attest / Google Play Integrity).
Guardian signature generation for compliance proofs.
KYC verification prompts when required by scopes.
Transaction-specific approval flows with audit trail generation.

Cross-Jurisdiction Pattern: Crypto / Web3 Compliance Convergence

Across all jurisdictions, authorities are converging on a similar pattern for virtual-asset compliance:

Clear KYC of the user
Strong authentication and device binding
Wallet / account attribution (who controls which address)
Travel Rule-style data sharing between VASPs
Tamper-resistant audit trails

ChainGuard is purposely designed as the technical bridge between those regulatory expectations and the practical reality of wallets, smart contracts and dApps:

Device attestation (Apple/Google) – Needs implementation
Bound to KYC-verified identities (via providers like Sumsub) – Needs implementation
Mapped to specific wallets / vaults – Implemented
Governed by policies and logged cryptographically – Implemented

The story: Different jurisdictions, different rules – but the same primitives: identity, devices, wallets, and logs. ChainGuard doesn't try to be the regulator or the national ID – it gives regulated entities and dApps the building blocks to meet these rules in a consistent, verifiable way.

What the OAuth Scopes/Claims Typically Expose to Relying Parties

Identity status: kyc_verified, jurisdiction, tier, provider_ref (no raw PII unless contractually required).
Wallet ownership: address, binding_method=device_attestation, bound_device_id, attestation_exp.
Device assurance: platform=ios/android, attested=true, signature=guardian, last_seen, risk_flags.
Event/audit views: filtered message_history slices (session, operation, timestamp, result, tx refs) for regulated audits.

These are delivered permission-based, time-limited, and are verifiable via guardian signatures/server signatures as needed.

What We Are NOT

We are not a custodian, MSB/VASP, exchange, payment processor, or qualified eID/QTSP. We integrate with those roles and provide the security, attribution, and audit layer they rely on.

How This Maps to the ChainFi Stack

See our Project Layout documentation for detailed architecture information.

How the Flow Works

Initial Authentication (Steps 1-5)

When a user wants to connect their wallet to a dApp, here's what happens:

The user's browser (Client Frontend) redirects them to the ChainGuard Portal (chainguard.chain-fi.io). The browser never sees any tokens or secrets, which eliminates frontend security risks.
The ChainGuard Portal is where users log in, review what permissions the dApp is requesting, and complete their identity verification. This portal captures all consent decisions and stores AML/KYC acknowledgments with timestamps, creating a clear audit trail of what users agreed to.
For additional security, the portal connects to the ChainGuard 2FA App on the user's mobile device. This app provides device-bound authentication and generates cryptographic proofs that the device is legitimate and hasn't been tampered with. This satisfies regulatory requirements for strong authentication (like MAS TRM and NIST AAL standards).
The ChainFi Backend is the central system that issues authorization codes, access tokens, and refresh tokens. It tracks all API usage and maintains the official record of what scopes users consented to, what audit IDs were generated, and when everything happened. This backend operates under ISO 27001 controls, ensuring proper access management, encryption, and comprehensive logging.
Once authenticated, the backend sends permission-scoped tokens to the Client Backend (the dApp's server). Importantly, the dApp's server only receives tokens with specific permissions—never user secrets or private keys. This ensures ChainGuard maintains its non-custodial posture, as we never have custody of user assets.

Post-Authentication Requests (Steps 6-10)

After OAuth authentication is complete, the dApp can make specific requests for actions like transaction signing or approvals:

Request initiation: The Client Frontend can make requests directly to the ChainFi Backend, OR the Client Backend can make requests on behalf of the frontend. Both paths are supported depending on the client's architecture. These requests are for specific actions like transaction approvals, vault operations, or other wallet-bound operations.
Portal approval flow: When an action is requested, the ChainFi Backend routes the approval request to the ChainGuard Portal, where the user can review what action is being requested.
User signing: The user reviews the request in the portal and uses the ChainGuard 2FA App to sign or approve the specific transaction. This requires fresh 2FA/3FA authentication for each action, ensuring every operation is explicitly authorized.
Signature verification: Once the user signs the transaction in the mobile app, the signature is sent back to the ChainFi Backend for verification and execution.
Notification: After execution, the ChainFi Backend notifies either the Client Frontend (if the client uses direct frontend-to-backend communication) or the Client Backend (if the client uses a backend-mediated architecture). The notification includes transaction hashes, execution status, and proof of completion.

Data Storage & Compliance (Steps 11-12)

Public Database: All non-private, compliance-relevant data is stored in a Public Database. This includes:
- Transaction hashes (on-chain, publicly verifiable)
- Approved attestation logs (device verification records)
- Connectivity logs (session activity, pseudonymized)
- Pseudonymized audit trails (suitable for regulatory review without exposing PII)
Private Data Server: All sensitive user data is stored separately in a Private Data Server, including:
- Personal Identifiable Information (PII)
- User account details
- Private keys (never stored - users maintain custody)
- KYC verification data (if applicable)
- Session tokens and authentication credentials

This separation ensures that compliance audits can access necessary transaction and attestation evidence without exposing private user data, while maintaining strict data protection for sensitive information.

Flow Legend & Compliance Mapping

Flow Legend

The following table maps each step in the architecture diagram to its corresponding route and description:

Step	Route	Description
1	Client Frontend → ChainGuard Portal	User redirects to authentication portal
2	ChainGuard Portal → ChainFi Backend	OAuth authorization request
3	ChainGuard Portal → ChainGuard 2FA App	2FA authentication request
4	ChainGuard 2FA App → ChainFi Backend	Device attestation verification
5	ChainFi Backend → Client Backend	OAuth tokens delivery
6a	Client Frontend → ChainFi Backend	Direct action request (frontend path)
6b	Client Backend → ChainFi Backend	Action request via backend (backend path)
7	ChainFi Backend → ChainGuard Portal	Approval request routing
8	ChainGuard Portal → ChainGuard 2FA App	Transaction signing request
9	ChainGuard 2FA App → ChainFi Backend	Signed transaction submission
10a	ChainFi Backend → Client Frontend	Execution notification (frontend)
10b	ChainFi Backend → Client Backend	Execution notification (backend)
11	ChainFi Backend → Public Database	Public compliance data storage
12	ChainFi Backend → Private Data Server	Private user data storage

Data Processing & Compliance by Step

Step 1: Redirect

Data Processed: Redirect URL, client_id, state parameter, requested scopes

Data Protection: Minimal data collection (URL parameters only). No personal data processed at this stage.

Compliance Relevance: OAuth consent initiation, scope tracking for audit purposes.