> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getovra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance

> EU-regulated payment infrastructure via licensed partners. GDPR by design.

Ovra is a German technology platform. The regulated activities — issuing, custody, settlement — are operated by licensed EU partners. We are the orchestration layer; they are the regulated counterparties.

## Roles

| Role                     | Counterparty                           | Regulation               |
| ------------------------ | -------------------------------------- | ------------------------ |
| Card issuing (CaaS)      | Banking partner (Berlin EMI)           | EU e-money license       |
| Card network             | Visa                                   | EU + national regulators |
| Network tokenization     | Visa Token Service via banking partner | –                        |
| Fund custody             | Banking partner                        | EU banking regulation    |
| Tokenization (PCI proxy) | Tokenization partner                   | PCI DSS Level 1          |
| Ovra                     | SaaS technology platform               | German trade law, GDPR   |

We avoid naming partners in user-facing copy by design — the architecture is visible, the regulated entities are clearly identified to investors and auditors. Public docs say "banking partner" / "card issuer" / "tokenization partner".

## EU data residency

Every response carries `X-Data-Residency: EU`. Concretely:

* Postgres hosted in the EU
* Banking partner in Berlin (EMI)
* PostHog product analytics on the EU endpoint
* All logs and audit events stay in EU infrastructure

## GDPR posture

| Right   | Endpoint             | Behavior                                                                        |
| ------- | -------------------- | ------------------------------------------------------------------------------- |
| Access  | `GET /gdpr/export`   | Full data dump, JSON                                                            |
| Consent | `POST /gdpr/consent` | Track terms / privacy / marketing flags per customer                            |
| Erasure | `POST /gdpr/delete`  | **Anonymize, not delete** — transactions must be retained per GwG §8 (10 years) |

All PII is automatically redacted by the runtime logger (`email`, `firstName`, `lastName`, `phone`, address, `companyName`, `dateOfBirth`).

## PCI DSS

Card data (PAN, CVV, expiry) is handled exclusively server-side under AES-256-GCM at rest. The agent never sees PAN/CVV in any code path — `requireIntent` and the credential boundary enforce this architecturally. **You do not need PCI DSS certification to integrate Ovra.**

## Sacred invariants we enforce

1. PAN/CVV never leave the server toward agent context.
2. `requireIntent` is non-negotiable.
3. Strict agent-isolation via `at_*` tokens.
4. Money-moving POSTs require `Idempotency-Key`.
5. Append-only audit and decision logs (PG RULES rewrite UPDATE/DELETE to NOTHING).
6. All IDs from `crypto.randomBytes`.
7. SHA-256-hashed API keys + `timingSafeEqual` for all secret compares.
8. Webhooks fail-closed in production; HMAC-signed; SSRF + DNS-rebind block.
9. EU data residency.

## What we do *not* claim today

* **No SOC2 yet.** Compliance posture (SOC2 Type 2, ISO 27001) is on the post-pre-seed roadmap. Investors and enterprise buyers can request our security questionnaire and DPA.
* **No live mode yet.** Sandbox-only through pre-seed. Live with real KYC and SEPA opens in v1.3+.
* **No money-services license at the Ovra entity.** We are tech-only; the banking partner holds the license.

## Public-trust pages

For German market compliance, the marketing site exposes:

* `/impressum`
* `/datenschutz`
* `/agb`

A DPA template is available on request via [legal@getovra.com](mailto:legal@getovra.com).

## Next

<CardGroup cols={2}>
  <Card title="Sandbox" icon="flask" href="/concepts/sandbox">
    What's simulated vs real today.
  </Card>

  <Card title="Intelligence" icon="chart-line" href="/concepts/intelligence">
    Audit log details that satisfy auditors.
  </Card>
</CardGroup>
