Compliance

Compliance, partner-ready.

OVAAL is infrastructure. You hold the regulatory authorization. We supply the compliance plumbing: Travel Rule messaging, AML screening, audit-log export, sub-processor list, and a DPA template. All documented and exportable for your compliance team and regulators.

Legal entity

BT4 INVEST OÜ (operating as "OVAAL")

  • Jurisdiction: Republic of Estonia
  • e-Business Register number: 12443056
  • Public corporate record: ariregister.rik.ee (BT4 Invest OÜ). Registered office, VAT status, and directors are verifiable there.

External counsel

Regulatory opinions are drafted and reviewed by specialist EU fintech counsel. MENA coverage (UAE VARA, Bahrain CBB) is scoped via regional counsel engaged on a per-partner basis. Firm names are shared with signed partners under NDA.

Partner compliance pack

On signed paperwork (or on NDA pre-signing on request), you receive:

  1. Data Processing Agreement (DPA) template. GDPR Art. 28 and EU TFR aware. Counsel-drafted.
  2. Sub-processor list. Current plus intended. 30-day change notice.
  3. Legal opinions on file. MiCA, EU TFR, and GDPR posture, drafted by EU fintech counsel.
  4. Security posture pack. See /security/.
  5. Audit-log export sample. JSON and CSV format.
  6. Joint incident playbook template.
  7. MSA template. Commercial agreement frame.

Sub-processor list (intent)

Core infrastructure

Sub-processorPurpose
AWS (eu-central-1, eu-west-1)Compute, storage, and KMS for the OVAAL stack
CloudflareCDN, WAF, DDoS protection
EU-based managed hostingMarketing site infrastructure

Compliance sub-processors (partner-chosen per integration)

Sub-processorPurposePartner choice
Circle Internet Financial EuropeUSDC and EURC EMT issuerFixed. MiCA-licensed EMT integrator.
Notabene or 21 AnalyticsEU TFR Travel Rule exchangeSelect one
Chainalysis or TRM LabsAML and KYT screeningSelect one
Modulr, Banking Circle, Clear Junction, PayneticsEU SEPA Instant railsPartner-brokered

GDPR posture

  • BT4 INVEST OÜ acts as data processor for partner data. You are the controller for your end-users.
  • Legal bases: contract (the partner relationship), legitimate interest (security and fraud prevention).
  • DPO: [email protected]. Formal appointment letter and credentials available to partners under NDA.
  • Supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tallinn. BT4 INVEST OÜ's main establishment is Estonia under GDPR Art. 56.
  • GDPR Article 28 DPA is signed with every partner pre-production.

Request the compliance pack.

Get the integration brief + compliance packSecurity posture →