Ovra is a German technology platform. The regulated activities — issuing, custody, settlement — are operated by licensed EU partners. We are the orchestration layer; they are the regulated counterparties.

Roles

Role | Counterparty | Regulation
Card issuing (CaaS) | Banking partner (Berlin EMI) | EU e-money license
Card network | Visa | EU + national regulators
Network tokenization | Visa Token Service via banking partner |
Fund custody | Banking partner | EU banking regulation
Tokenization (PCI proxy) | Tokenization partner | PCI DSS Level 1
Ovra | SaaS technology platform | German trade law, GDPR
We avoid naming partners in user-facing copy by design — the architecture is visible, the regulated entities are clearly identified to investors and auditors. Public docs say “banking partner” / “card issuer” / “tokenization partner”.

EU data residency

Every response carries X-Data-Residency: EU. Concretely:
  • Postgres hosted in the EU
  • Banking partner in Berlin (EMI)
  • PostHog product analytics on the EU endpoint
  • All logs and audit events stay in EU infrastructure

GDPR posture

Right | Endpoint | Behavior
Access | GET /gdpr/export | Full data dump, JSON
Consent | POST /gdpr/consent | Track terms / privacy / marketing flags per customer
Erasure | POST /gdpr/delete | Anonymize, not delete; transactions must be retained per GwG §8 (10 years)
The runtime logger automatically redacts the PII fields email, firstName, lastName, phone, address, companyName and dateOfBirth.

PCI DSS

Card data (PAN, CVV, expiry) is handled exclusively server-side and stored under AES-256-GCM at rest. The agent never sees PAN/CVV in any code path; requireIntent and the credential boundary enforce this architecturally. You do not need PCI DSS certification to integrate Ovra.

Sacred invariants we enforce

  1. PAN/CVV never leave the server toward agent context.
  2. requireIntent is non-negotiable.
  3. Strict agent-isolation via at_* tokens.
  4. Money-moving POSTs require Idempotency-Key.
  5. Append-only audit and decision logs (PG RULES rewrite UPDATE/DELETE to NOTHING).
  6. All IDs from crypto.randomBytes.
  7. SHA-256-hashed API keys + timingSafeEqual for all secret compares.
  8. Webhooks fail closed in production; payloads are HMAC-signed; SSRF and DNS-rebinding destinations are blocked.
  9. EU data residency.

What we do not claim today

  • No SOC 2 yet. A formal compliance posture (SOC 2 Type 2, ISO 27001) is on the roadmap after the pre-seed round. Investors and enterprise buyers can request our security questionnaire and DPA.
  • No live mode yet. Sandbox-only through pre-seed. Live with real KYC and SEPA opens in v1.3+.
  • No money-services license at the Ovra entity. We are tech-only; the banking partner holds the license.

Public-trust pages

For German market compliance, the marketing site exposes:
  • /impressum
  • /datenschutz
  • /agb
A DPA template is available on request via legal@getovra.com.