Contents
Database and Infrastructure in the EU
All client and AML compliance data is stored exclusively on servers within the European Union:
- Primary database (Neon PostgreSQL): region eu-central-1, AWS Frankfurt — no data leaves the EU
- Document storage (Vercel Blob): region FRA1, Frankfurt — private blob store for KYC documents, SoF/SoW reports and EDD records
- Global infrastructure (Vercel, Stripe, Resend): the operational part of the platform uses global cloud providers — data transfers outside the EEA are covered by Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR
We process data exclusively to the extent required by Act No. 253/2008 Coll. We do not share any client data with third parties for marketing or any other purposes.
Encryption and Security Audit
The entire AML PROOF platform is built on the principle of data protection at every layer:
- Encryption in transit: HTTPS/TLS for all communication between client and server
- Encryption at rest: data is encrypted directly in the database
- Private blob store: KYC/SoF/SoW/EDD documents are stored in a private repository — with no possibility of public URL access
- Internal security audit (June 2026): 17 security findings were identified and remediated; audit result: 0 critical, 0 high findings
The audit trail of every step — who, when and how performed client identification or client verification — is stored with a timestamp and cannot be retroactively modified.
Sanctions Screening: Which Lists We Cover
Every client screening in AML PROOF is based on official and trusted commercial sources:
Sanctions lists (mandatory under Act No. 253/2008 Coll.):
- Consolidated EU Sanctions List (EU Sanctions Map, sanctionsmap.eu)
- UN Sanctions List (UN Security Council)
- Czech National Sanctions List (Ministry of Foreign Affairs of the Czech Republic)
Extended coverage via the OpenSanctions dataset (~250+ sources):
- OFAC SDN (US Treasury)
- UK OFSI Sanctions
- PEP database (politically exposed persons)
- National sanctions lists of other countries (DE, CH, AU, CA and others)
Adverse media screening:
- Google Gemini 2.5 Flash with Google Search grounding — client verification against current news sources
The result of each screening is recorded with an exact timestamp, the identity of the person who performed the screening, and the source used — precisely in the form that the FAU requires during inspections.





















-1.png&w=256&q=75&dpl=dpl_BitSHMbuGaWqtxW2MGTsdUNcLiXA)













