Compliance & Regulatory
Regulatory Classification
Carabaas operates as an ICT infrastructure provider — not a custodian. The merchant remains the regulated entity and retains exclusive control over signing authority, governance policies, and approval workflows.
| Aspect | Carabaas Role |
|---|---|
| Signing role | Infrastructure provider; participates with one mathematical share |
| Signing authority | Cannot sign unilaterally; merchant's cosigner required |
| Transaction authorization | Cannot authorize or block transactions independently |
| Governance | Merchant defines policies, approvers, and quorums |
| Asset control | Merchant retains full control via self-custody model |
Regulatory Framework Alignment
EU MiCA (Markets in Crypto-Assets)
Article 75 — Custody and Safeguarding
The self-custody model supports MiCA compliance through:
- Merchant-controlled signing authority with documented key ownership
- Segregated vault structure for client asset isolation
- Complete audit trail of all custody operations
- Independent key recovery mechanisms (no vendor lock-in)
DORA (Digital Operational Resilience Act)
Articles 28–30 — ICT Third-Party Risk Management
| DORA Requirement | How Carabaas Addresses It |
|---|---|
| Exit strategy | Per-vault key ejection + full seed backup via escrow |
| Concentration risk | Merchant operates their own cosigner independently |
| Sub-outsourcing transparency | Clear infrastructure dependency chain |
| Business continuity | Recovery mechanisms independent of Carabaas cooperation |
| Testing | Annual exit drills supported for enterprise merchants |
EBA Outsourcing Guidelines
- Proportionality — the outsourcing scope is limited to cryptographic infrastructure, not asset control
- Due diligence — clear delineation of provider vs. merchant responsibilities
- Exit strategies — two independent recovery paths documented and testable
- Audit rights — structured audit logs with 5-year minimum retention
U.S. State Regulations
| Requirement Area | How the Platform Addresses It |
|---|---|
| State MSB/MTL licensing | Entity-controlled custody; entity is the regulated custodian |
| FinCEN — BSA/AML | Complete transaction audit trail for SAR/CTR reporting |
| NYDFS BitLicense | No unilateral provider control; exit mechanisms prevent lock-in |
| California DFAL — Safeguarding | Entity maintains control at all times; per-vault key derivation |
Canada (FINTRAC)
| Requirement Area | How the Platform Addresses It |
|---|---|
| PCMLTFA — MSB registration | Entity-controlled custody; entity is the registered MSB |
| Record-keeping | Complete transaction records with configurable retention |
| CSA — Crypto asset custody | MPC architecture prevents unilateral provider access |
Dubai (VARA)
| Requirement Area | How the Platform Addresses It |
|---|---|
| Custody safeguarding | Entity operates its own cosigner with its own MPC share; 2-of-2 threshold |
| Segregation | Per-vault derivation with independent governance |
| MPC lifecycle management | Documented lifecycle: generation, storage, rotation, recovery |
| Exit and portability | Two independent recovery mechanisms without provider cooperation |
Data Protection
Data Residency
In the production deployment model, the merchant's cosigner runs on their own infrastructure — in their own cloud account, in their chosen jurisdiction. No plaintext key material leaves the merchant's enclave.
Data Classification
| Data Category | Location | Protection |
|---|---|---|
| Private key shares | Merchant's enclave only | Hardware isolation + AES-256-GCM |
| Mnemonic / seed | Enclave memory only | Never written to disk |
| Encrypted backups | Merchant's disk / S3 | Multi-layer encryption |
| Transaction data | Platform database | TLS in transit, encrypted at rest |
| Audit logs | Platform + merchant infra | Structured JSON, no secrets |
Data Retention
| Data Type | Retention |
|---|---|
| Audit logs | 5 years minimum |
| Transaction records | Indefinite |
| Encrypted key material | Lifetime of vault |
Audit & Compliance Support
Audit Trail
All key lifecycle events, signing operations, access control changes, and API calls are recorded as structured JSON logs:
- Transaction lifecycle events (creation, approval, signing, broadcast, confirmation)
- Access control changes (role assignments, client additions, suspensions)
- Cosigner operations (seal, unseal, vault setup, signing)
- API calls (authentication, resource access)
Sensitive data (keys, passwords, mnemonics) is never included in log output.
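One way to make the "no secrets in log output" rule enforceable at the point of emission and auditable afterwards; this is an added Python example, not Carabaas code, and the category names, forbidden-field list and record shape are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Keys that must never appear in an audit record (the page's rule that keys,
# passwords and mnemonics are never logged). The list itself is an assumption.
FORBIDDEN_FIELDS = {"mnemonic", "seed", "private_key", "key_share", "password", "passphrase"}
# The four event categories the page lists; anything else is rejected.
ALLOWED_CATEGORIES = {"transaction", "access_control", "cosigner", "api"}

class SensitiveFieldError(ValueError):
    """Raised when an event would leak secret material into the log."""

def find_forbidden_field(obj, path=""):
    """Return the path of the first forbidden key in nested dicts/lists, else None."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            full = f"{path}.{key}" if path else str(key)
            if str(key).lower() in FORBIDDEN_FIELDS:
                return full
            hit = find_forbidden_field(value, full)
            if hit:
                return hit
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hit = find_forbidden_field(value, f"{path}[{i}]")
            if hit:
                return hit
    return None

def audit_event(category, action, actor, details=None, source_ip=None):
    """Serialize one audit record as a JSON line; refuse if it would carry a secret."""
    if category not in ALLOWED_CATEGORIES:
        raise ValueError(f"unknown audit category: {category}")
    record = {"ts": datetime.now(timezone.utc).isoformat(), "category": category,
              "action": action, "actor": actor, "source_ip": source_ip,
              "details": details or {}}
    leak = find_forbidden_field(record)
    if leak:
        raise SensitiveFieldError(f"refusing to log sensitive field: {leak}")
    return json.dumps(record, sort_keys=True)

def scan_log(lines):
    """Re-check written JSON log lines; return (line_no, path) per offending line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hit = find_forbidden_field(json.loads(line))
        if hit:
            findings.append((n, hit))
    return findings
```

The scanner is the complement of the emitter: run it periodically over stored audit logs so that a regression in any producer is caught before the retention window makes the leak permanent.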
Compliance Reporting
- Balance statements — historical snapshots via the Accounting API
- Transaction history — full lifecycle with balance changes for reconciliation
- Access audit — who accessed what, when, from where
Service Levels
| Metric | Target |
|---|---|
| Platform availability (API) | 99.9% monthly |
| MPC signing availability | 99.95% monthly |
| Transaction signing latency | < 2 s (p99) |
| Recovery Time Objective | 4 hours |
| Recovery Point Objective | Zero key material loss |
| Critical incident response | 30 minutes |
Detailed SLA terms — including service credits, maintenance windows, and escalation procedures — are defined in your service agreement. Contact your account manager for the complete document.