This page is the developer-facing summary. The canonical compliance hub is algovoi.co.uk/AlgoVoi/compliance.html, which carries the full status-badge dashboard, document binder, and DD-pack request CTA.

At a glance

No custody

Settlement is direct on-chain customer-wallet to merchant-wallet. AlgoVoi never holds, controls, or transmits funds.

KYC at-rest encryption

KYC/KYB documents are encrypted at the application layer with a versioned Fernet scheme using a key separate from the general database key.

UK-only operating perimeter

Enforced as a contractual control. Out-of-perimeter onboarding is declined unless escalated.

Sanctions + PEP screening

UK / EU / US / UN list coverage at onboarding and on material updates.

Regulatory position

AlgoVoi has self-assessed against FCA Policy Statement PS19/22 (“Guidance on Cryptoassets”) and concludes that its core business proposition — payment-message infrastructure between self-custodial wallets — falls outside MLR Schedule 6A registration as a cryptoasset exchange provider or custodian wallet provider. A formal external legal opinion is in preparation.

| Framework | Status |
| --- | --- |
| UK MLRs 2017 (voluntary alignment) | Active |
| FCA MLR Sch 6A registration | Out of scope per PS19/22 self-assessment; legal opinion in preparation |
| UK GDPR / DPA 2018 | Aligned |
| HMT Cryptoasset Travel Rule | Not in scope under current architecture |
| FSMA 2023 SI regime | Monitoring (~2027) |
| HMRC CARF | Assessment in progress |
| ICO data-controller registration | In preparation |
| Cyber Essentials | Planned Q3 2026 |
| SOC 2 Type I | Targeted Q3 2026 |

Public policy library

All policies live in chopmob-cloud/AlgoVoi-Platform-Adapters/compliance/. Tier B documents have a public summary in the same directory; full documents are available under NDA.

Tier A — fully public

Information Security Policy

Defence in depth, classification, encryption, vulnerability management.

Access Control

Least privilege, MFA, SSH key management, quarterly access reviews.

Change Management

Git-based workflow, code review, rollback, emergency-change discipline.

Incident Response Plan

Severity levels, containment playbook, blameless post-mortems.

Business Continuity & DR

RTO/RPO, backup strategy, disaster scenarios, annual DR drill.

Vendor Management

Subprocessor register, onboarding criteria, breach notification.

Acceptable Use

Confidentiality, device hygiene, AI tooling rules, reporting.

AML / CTF Policy

Three-line-of-defence model, MLRO, regulatory position, BWRA approach.

DPA Template

Article 28 DPA template aligned to UK GDPR, DPA 2018, UK IDTA / SCCs.

Data Breach Procedure

Detect, contain, assess, notify (72-hour ICO), remediate, review.

Complaints Procedure

Channels, timelines, escalation routes (ICO, FCA, OFSI, Action Fraud).

Retention Procedure

Per-category retention, erasure handling, backup ageing.

Tier B — public summary; full document under NDA

Business-Wide Risk Assessment (BWRA)

UK MLR Reg 18 — risk dimensions, headline conclusions, residual risk.

CDD / EDD Procedure

Standard CDD, EDD triggers, KYC-unlocks-mainnet gate, ongoing monitoring.

Transaction Monitoring Procedure

Rule families, alert handling, segregation of duties, tuning cadence.

Record of Processing Activities (RoPA)

Article 30 RoPA — controller / processor split, lawful bases, retention.

Customer Risk Scoring Matrix

Risk dimensions, banding, decision overrides, re-scoring cadence.

Sanctions Screening Procedure

UK / EU / US / UN coverage, match handling, OFSI reporting trigger.

PEP Screening Procedure

PEP definitions, FCA FG17/6 risk-based handling, EDD checklist.

Travel Rule and A2A

The UK HMT Cryptoasset Travel Rule applies to FCA-registered cryptoasset businesses making cryptoasset transfers above £1,000. AlgoVoi is not an FCA-registered cryptoasset business and does not initiate or receive transfers on its own account; settlement is direct wallet-to-wallet on public blockchains. AlgoVoi is consequently not a Travel Rule originator or beneficiary institution.

For agent-to-agent (A2A) flows, the same KYC-unlocks-mainnet gate, sanctions and PEP screening, and transaction monitoring apply to AI-initiated payments as to human-initiated ones. AI agents inherit their tenant’s risk tier; an agent cannot transact on behalf of a tenant whose mainnet access is not active. See Concepts → KYC and mainnet.

Subprocessors

| Vendor | Purpose |
| --- | --- |
| Cloudflare | CDN, WAF, DDoS, TLS termination |
| Vultr | Production compute and database hosting |
| GitHub | Source code and CI |
| Mintlify | Public docs hosting (this site) |
| Let’s Encrypt | TLS certificate issuance |
| Sanctions list providers | UK / EU / US / UN data |
| Public RPC providers | On-chain verification |

Reporting a vulnerability

Email security@algovoi.co.uk or consult /.well-known/security.txt. Acknowledgement target: 1 business day. Triage outcome: 3 business days.

Request the full DD pack under NDA

Email security@algovoi.co.uk with your organisation, contact, and the documents you need. The pack covers every Tier B document in full, sample-tested cases, the BWRA with residual risk scores, the executed legal opinion when delivered, and the SOC 2 evidence package as it builds.