How We Process and Protect Your Data
Learn how AML PROOF processes, stores, and protects your data, our trusted sub‑processors, international transfer safeguards, and the GDPR/AMLR controls we apply across the platform.
Data Processing Overview
What Data We Process
- Customer identification and verification data (KYC/KYB)
- Transaction records and monitoring data
- Risk assessment and compliance scoring
- Regulatory reporting and audit trails
- User account and authentication information
Processing Purposes
- AML/CFT compliance and regulatory obligations
- Risk assessment and fraud prevention
- Customer due diligence and enhanced monitoring
- Suspicious activity detection and reporting
- Service provision and platform functionality
Legal Basis for Processing
Legal Obligation
Processing required to comply with AML/CFT laws and regulatory requirements across jurisdictions.
Legitimate Interest
Processing necessary for fraud prevention, security, and providing effective compliance services.
Contractual Necessity
Processing required to perform our contractual obligations and deliver agreed services.
Trusted Sub-processors
We work with carefully selected sub-processors to deliver our services. All sub-processors are bound by strict data protection agreements and undergo regular security assessments.
| Sub-processor | Service | Location | Data Processed |
|---|---|---|---|
| Neon | Database Services | US, EU | User data, compliance records |
| Vercel Inc. | Hosting, Storage & Analytics | Global CDN | Application data, logs, files |
| Stripe Inc. | Payment processing and invoicing | US, EU | Payment information |
| Fio banka | Remote micro-transfer (identity verification) | Czech Republic | Bank account for 1 CZK / 0.10 EUR micro-transfer; transaction data for matching and refunds |
| QR Server | Payment QR code generation | EU (Germany) | Payment payload (account, amount, variable symbol, message) in URL for QR image generation |
| Resend | Email Services | US | Email addresses, communications |
| | OAuth Authentication | US, EU | Authentication data, profile information |
| MV ČR (Ministerstvo vnitra) | Document Validity Check (Invalid Documents Registry) | Czech Republic | Document type and number for validity check (CZ ID card, passport) |
| OpenSanctions | PEP and Sanctions Screening | EU | Names, dates of birth, countries for screening |
| European Commission / EU Council | EU Consolidated Sanctions List (data source) | EU | We download the list; screening is performed locally; no client data is sent |
| MZV ČR (Ministerstvo zahraničních věcí) | Czech National Sanctions List (data source) | Czech Republic | We use the list for screening; data is imported and searched locally; no client data is sent |
| Google (Gemini AI) | KYB Verification and Adverse Media Screening | US, EU | Company information, adverse media queries |
| ARES | KYB Verification and Data Auto-fill | Czech Republic | Czech company information, registration numbers, registration data |
| Apertus | New products | Switzerland | Innovation Lab |
International Data Transfers
Transfer Safeguards
- Standard Contractual Clauses (SCCs) for EU transfers
- Adequacy decisions where applicable
- Data Processing Agreements with all processors
- Regular compliance audits and assessments
Data Localization
EU customer data is primarily processed and stored within the European Economic Area.
We utilize global cloud infrastructure with appropriate safeguards for cross-border transfers.
Data Retention & Deletion
Compliance Records
5-10 Years
AML records are retained for a minimum of 5 and a maximum of 10 years, in line with Art. 53 EU AMLR 2024.
Transaction Data
5-10 Years
Transaction monitoring and analysis data is retained for regulatory reporting and audit purposes.
Account Data
30 Days
User account data is deleted within 30 days of account closure, except where we are legally required to retain it.
Your Data Rights
Individual Rights
- Right of Access: Request copies of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion where legally permissible
- Right to Portability: Receive your data in a structured format
Limitations
Regulatory Compliance Requirements
Some data rights may be limited by AML/CFT legal obligations. We are required to retain certain compliance records for regulatory periods, even after account closure.
Contact for Data Rights
To exercise your data rights, contact our Data Protection Officer:
Email: hello@amlproof.ai
Questions About Data Processing?
If you have questions about how we process your data or about our sub-processors, or want to exercise your data rights, please don't hesitate to contact us.