Regulatory Compliance
⚖️ Banking-Grade Compliance
BlueUP designs its platforms with regulatory compliance as a foundational requirement. It is not an afterthought: every architectural decision responds to a specific regulatory requirement.
Covered Regulations
🇪🇺 DORA — Regulation (EU) 2022/2554
Digital Operational Resilience Act for the EU financial sector. Applicable since 17 January 2025.
| DORA Requirement | How we comply |
|---|---|
| ICT-related incident management and classification (Art. 17 and 18) | Automatic classification (Minor/Significant/Major) following the criteria of DR (EU) 2024/1772 Art. 8 |
| Major incident reporting (Art. 19) | Initial, Intermediate and Final report chain on the RTS (EU) 2025/301 timelines (Initial ≤4 h from classification as major and ≤24 h from detection, Intermediate ≤72 h after the Initial, Final ≤1 month after the Intermediate), using the ITS (EU) 2025/302 templates |
| Operational resilience | Local spooling during network outages with autonomous reconnection and backpressure |
| Resilience testing | Circuit breaker with controlled degradation (CLOSED → OPEN → HALF_OPEN) |
| ICT risk management | Two-level alerts: WARNING (5 min threshold) and CRITICAL (2 h threshold) with CSIRT escalation |
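The circuit breaker row above names the three states but not the transitions between them. The following is an added illustration of that pattern, not BlueUP's own code: the failure threshold, the recovery timeout, the injectable clock and the "spool locally" fallback are assumptions chosen to show how controlled degradation behaves during and after an outage of a downstream dependency (for instance the reporting gateway).

```python
"""Circuit breaker with controlled degradation: CLOSED -> OPEN -> HALF_OPEN -> CLOSED.

Added example, not BlueUP's code. Thresholds, the injectable clock and the
fallback ("spool the report locally") are assumptions for illustration.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, TypeVar

T = TypeVar("T")


@dataclass
class CircuitBreaker:
    failure_threshold: int = 3        # consecutive failures before CLOSED -> OPEN
    recovery_timeout: float = 30.0    # seconds spent OPEN before one trial call is allowed
    clock: Callable[[], float] = time.monotonic  # injectable so the behaviour is testable
    state: str = field(default="CLOSED", init=False)
    failures: int = field(default=0, init=False)
    opened_at: float = field(default=0.0, init=False)

    def call(self, fn: Callable[[], T], fallback: Callable[[], T]) -> T:
        """Run fn() through the breaker; degrade to fallback() instead of failing loudly."""
        if self.state == "OPEN":
            if self.clock() - self.opened_at < self.recovery_timeout:
                return fallback()          # still OPEN: do not even touch the dependency
            self.state = "HALF_OPEN"       # timeout elapsed: allow exactly one trial call
        try:
            result = fn()
        except Exception:                  # any dependency error counts as a failure
            self._on_failure()
            return fallback()
        self._on_success()
        return result

    def _on_failure(self) -> None:
        self.failures += 1
        # A failed trial call in HALF_OPEN reopens immediately; in CLOSED we wait for the threshold.
        if self.state == "HALF_OPEN" or self.failures >= self.failure_threshold:
            self.state = "OPEN"
            self.opened_at = self.clock()

    def _on_success(self) -> None:
        self.state = "CLOSED"
        self.failures = 0


class FakeClock:
    """Deterministic clock so the simulation below does not depend on wall time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> list[tuple[str, str]]:
    """Drive the breaker through a constructed outage; return (outcome, state) for each call."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=2, recovery_timeout=30.0, clock=clock)
    outage = {"down": True}

    def deliver_report() -> str:          # the flaky downstream dependency (constructed)
        if outage["down"]:
            raise ConnectionError("reporting gateway unreachable")
        return "delivered"

    def spool_locally() -> str:           # controlled degradation: keep the report for later
        return "spooled"

    trace = []
    trace.append((breaker.call(deliver_report, spool_locally), breaker.state))  # failure 1, CLOSED
    trace.append((breaker.call(deliver_report, spool_locally), breaker.state))  # failure 2, OPEN
    trace.append((breaker.call(deliver_report, spool_locally), breaker.state))  # refused, OPEN
    clock.advance(31)
    trace.append((breaker.call(deliver_report, spool_locally), breaker.state))  # trial fails, OPEN
    clock.advance(31)
    outage["down"] = False
    trace.append((breaker.call(deliver_report, spool_locally), breaker.state))  # trial succeeds, CLOSED
    return trace


if __name__ == "__main__":
    for outcome, state in simulate():
        print(f"{outcome:10s} {state}")
```

The point to check in any real implementation is the third call: while OPEN, the breaker must return the fallback without contacting the dependency at all, otherwise a struggling downstream system keeps receiving traffic. The fallback here is the local spooling mentioned in the same table; the spooled reports are what the autonomous reconnection later drains.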
🇪🇸 SEPBLAC — Law 10/2010
Prevention of Money Laundering and Terrorist Financing (Law 10/2010 of 28 April). Supervised by SEPBLAC, Spain's financial intelligence unit and AML/CFT supervisory authority.
| SEPBLAC Requirement | How we comply |
|---|---|
| Special examination (Art. 17) | 10-state workflow with immutable cryptographic audit trail |
| Suspicious transaction reporting to SEPBLAC (Art. 18) | Automatic F19/CXI form generation |
| Due diligence | 360° KYC profiles with 8-factor risk analysis |
| Sanctions screening | Screening against the EU, OFAC and UN lists with fuzzy name matching (Sørensen-Dice bigram coefficient) |
| Segregation of duties | Four-Eyes principle — high-risk approvals require two distinct persons |
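The sanctions screening row names the Dice coefficient without showing what it does to real-world name variants. The following is an added example, not BlueUP's code: it normalises names (diacritics, punctuation, token order), computes the Sørensen-Dice similarity over character bigrams and screens a query against a small constructed list. The list entries, the 0.80 threshold and the normalisation rules are assumptions, and the sample names are invented, not real designations.

```python
"""Sanctions-list name screening with Sørensen-Dice bigram similarity.

Added example, not BlueUP's code. The list entries below are constructed
(not real designations); threshold and normalisation rules are assumptions.
"""
from __future__ import annotations

import unicodedata
from collections import Counter

# Constructed sample list: the same invented person appears under two sources
# with different name conventions, which is exactly the case fuzzy matching is for.
SANCTIONS_LIST: dict[str, list[str]] = {
    "EU": ["Ivan Petrovich Sidorov", "Acme Trading FZE"],
    "OFAC": ["Sidorov, Ivan P."],
    "UN": ["Jean-Pierre Dubois"],
}


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, and sort tokens.

    Sorting tokens makes 'Surname, Name' and 'Name Surname' compare equal,
    which a plain string similarity would otherwise penalise heavily.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in no_marks).casefold()
    return " ".join(sorted(cleaned.split()))


def bigrams(s: str) -> Counter:
    """Character bigrams of s, padded so the first and last characters also count."""
    padded = f" {s} "
    return Counter(padded[i:i + 2] for i in range(len(padded) - 1))


def dice(a: str, b: str) -> float:
    """Sørensen-Dice coefficient: 2 * |shared bigrams| / (|bigrams a| + |bigrams b|)."""
    ba, bb = bigrams(a), bigrams(b)
    if not ba or not bb:
        return 0.0
    shared = sum((ba & bb).values())          # multiset intersection
    return 2 * shared / (sum(ba.values()) + sum(bb.values()))


def screen(name: str,
           lists: dict[str, list[str]] = SANCTIONS_LIST,
           threshold: float = 0.80) -> list[tuple[str, str, float]]:
    """Return (source, list entry, score) for every entry at or above the threshold."""
    query = normalize(name)
    hits = []
    for source, entries in lists.items():
        for entry in entries:
            score = dice(query, normalize(entry))
            if score >= threshold:
                hits.append((source, entry, round(score, 3)))
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for candidate in ("SIDOROV Ivan", "Dubois Jean Pierre", "Maria Gonzalez"):
        print(candidate, "->", screen(candidate) or "no hit")
```

Running the block shows the caveat a practitioner needs to know: the query "SIDOROV Ivan" scores 0.929 against the OFAC entry (same tokens, one extra initial) but only 0.722 against the fuller EU entry with the patronymic, so at a 0.80 threshold the same person is a hit on one list and a miss on the other. Thresholds therefore have to be tuned against the list's own naming conventions, and a production screener typically combines bigram similarity with token-level matching rather than relying on a single score.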
🇪🇺 GDPR — Regulation (EU) 2016/679
| GDPR Requirement | How we comply |
|---|---|
| Data minimisation (Art. 5(1)(c)) | Ontological pre-validation at the Edge: only structured, necessary data leaves the source |
| Data protection by design and by default (Art. 25) | Mutual TLS between all components, configurable PII masking |
| Data residency | Google Cloud Europe infrastructure. Data never leaves the authorised jurisdiction |
| Right of access (Art. 15) | Immutable audit trail with full traceability |
🇪🇺 AI Act — Regulation (EU) 2024/1689
| AI Act Requirement | How we comply |
|---|---|
| Transparency | Auditable LLM prompt and response traces (Langfuse/Arize Phoenix) |
| Human oversight | Human-in-the-Loop for decisions affecting PII or financial data |
| Data governance | Self-hosted inference with vLLM/Ollama: prompts and data never leave controlled infrastructure |
Need a compliance assessment?
We analyze your current situation and show you how BlueUPALM can cover your regulatory obligations.