Trust Center

Security and compliance you can verify.

VirtuaBroker operates cross-border payments and crypto-settlement infrastructure for the European market. Protecting client funds and data is the foundation of that service. This page sets out the regulatory frameworks we build to, the controls that protect our platform, and how to request the underlying evidence.

Legal entity: VirtuaBroker S.L. (Spain)
Regulatory home: EEA · CNMV
Last updated: 27 June 2026
Frameworks: MiCA · DORA · GDPR · AML / CTF · Travel Rule · ISO/IEC 27001 · SOC 2

Regulatory & assurance frameworks

What we build to — and where each program stands

We report status honestly. A framework marked operational means the controls are implemented and running; in progress means active work toward authorization or certification; planned means mapped and roadmapped but not yet externally assured. We do not claim certifications we have not earned.

Status key: Operational · In progress · Planned / target

MiCA

In progress

Markets in Crypto-Assets Regulation. Operating toward authorization as a Crypto-Asset Service Provider.

Reg. (EU) 2023/1114 · CNMV (Spain)

DORA

In progress

Digital Operational Resilience. ICT risk, incident, resilience-testing and third-party frameworks mapped and largely implemented; the security-controls program is in active remediation.

Reg. (EU) 2022/2554

GDPR

Operational

EU data protection. Data-subject rights, lawful processing, retention and secure-deletion practices in place.

Reg. (EU) 2016/679

AML / CTF

Operational

Anti-money-laundering, counter-terrorist-financing and Travel Rule program with on-chain screening.

Reg. (EU) 2023/1113 · Ley 10/2010

ISO/IEC 27001

In progress

Information security management. Control framework aligned to the 2022 Annex A; certification roadmap underway.

ISO/IEC 27001:2022

SOC 2

Planned

Trust Services Criteria mapped to our controls. A Type II observation period is planned with an independent auditor.

AICPA TSC · Type II

Security controls

How the platform is protected

Controls are organized around a three-layer architecture (interface → logic → data), least privilege, and defense in depth. The summaries below describe controls in operation; detailed policies and evidence are available under NDA.

01 Identity & access

  • Single sign-on with mandatory multi-factor authentication for all corporate users; hardware-key MFA for custody operations.
  • Role-based, least-privilege access; production access requires named approval and dual authorization for privileged actions.
  • Client authentication centralized through a dedicated identity service issuing RS256-signed (asymmetric RSA) tokens; consuming services validate them against the identity service's published public keys, so no verifying service holds signing material.
  • Quarterly and annual access reviews, with automated alerts on anomalous or off-hours access.
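The token check described in the Identity & access list, shown as an added example in Go that is not VirtuaBroker's own code. It assumes the identity service publishes its keys as an RFC 7517 JWKS document (the page says only "published keys"), that the `aud` claim is a single string, and uses hypothetical issuer, audience and `kid` values. The point a practitioner cares about is the order of checks: pin the algorithm before trusting anything else in the header (this rejects `alg=none` and HS256 key-confusion), select the key by `kid`, verify the signature, and only then read the claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 JSON Web Key an RS256 verifier needs.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct {
	Keys []jwk `json:"keys"`
}

// claims: the registered claims this example checks. aud is a single string here (assumption).
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 mints a token the way a hypothetical identity service would:
// base64url(header).base64url(payload), signed with RSASSA-PKCS1-v1_5 over SHA-256.
func signRS256(priv *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url(sig), nil
}

// publishJWKS is the document the identity service would serve: public half only, keyed by kid.
func publishJWKS(pub *rsa.PublicKey, kid string) jwks {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: b64url(pub.N.Bytes()), E: b64url(e)}}}
}

// keyByKid returns the RSA public key published under kid; unknown kids are refused.
func (s jwks) keyByKid(kid string) (*rsa.PublicKey, error) {
	for _, k := range s.Keys {
		if k.Kid != kid || k.Kty != "RSA" { continue }
		n, err1 := base64.RawURLEncoding.DecodeString(k.N)
		e, err2 := base64.RawURLEncoding.DecodeString(k.E)
		if err1 != nil || err2 != nil { return nil, errors.New("malformed jwk") }
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, errors.New("unknown kid")
}

// verifyRS256 is what a consuming service runs. The algorithm is pinned before the header is
// trusted for anything else; claims are only parsed after the signature has been verified.
func verifyRS256(token string, keys jwks, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	dec := base64.RawURLEncoding.DecodeString
	hdrJSON, err := dec(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // alg=none, HS256 confusion
	pub, err := keys.keyByKid(hdr.Kid)
	if err != nil { return nil, err }
	sig, err := dec(parts[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, errors.New("bad signature") }
	body, err := dec(parts[1])
	if err != nil { return nil, err }
	var c claims
	if err := json.Unmarshal(body, &c); err != nil { return nil, err }
	if c.Iss != wantIss { return nil, errors.New("wrong issuer") }
	if c.Aud != wantAud { return nil, errors.New("wrong audience") }
	if !now.Before(time.Unix(c.Exp, 0)) { return nil, errors.New("token expired") }
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical identity-service key
	keys := publishJWKS(&priv.PublicKey, "2026-06")
	exp := time.Now().Add(5 * time.Minute).Unix()
	tok, _ := signRS256(priv, "2026-06", claims{Iss: "https://id.example", Sub: "client-42", Aud: "payments-api", Exp: exp})
	c, err := verifyRS256(tok, keys, "https://id.example", "payments-api", time.Now())
	fmt.Println(c, err)
}
```

Key rotation works naturally with this shape: the identity service publishes the new key under a new `kid` alongside the old one, consumers pick by `kid`, and the old entry is removed once no unexpired tokens reference it. A verifier that accepts whatever `alg` the header names, or that falls back to any key when the `kid` is missing, loses both properties.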

02 Encryption & data protection

  • TLS 1.2+ for all data in transit; AES-256 (or cloud-equivalent) for confidential and critical data at rest.
  • Secrets are injected at deploy time via managed cloud infrastructure; migration of the most sensitive key material to a dedicated secret store is in progress.
  • Four-tier data classification (public / internal / confidential / critical) with controls applied per tier.
  • PII minimization and redaction at service boundaries; provider and counterparty details abstracted from external responses.

03 Infrastructure & cloud

  • Hosted on a tier-1 cloud platform with segregated development, staging and production environments.
  • Configuration hardening aligned to CIS Benchmarks, NIST SP 800-53 and ENISA guidance; secure-by-default posture.
  • Infrastructure audit logging enabled; administrative access restricted, monitored and approved.
  • Production deployments are pipeline-only, with no manual hot changes; secrets are injected by the pipeline at deploy time (see 02).

04 Application security

  • Secure development lifecycle with peer code review and a layered architecture enforcing separation of concerns.
  • Input validation enforced at the primary API boundary via schema validation, with parameterized data access and typed contracts; gaps on secondary surfaces are tracked and remediated.
  • Dependency management with lockfiles and supply-chain hardening; third-party package install scripts are not executed during installation.
  • Vulnerability management with CVSS-based remediation targets (critical ≤72h, high ≤7 days) and internal security review.

05 Custody & asset protection

  • Client crypto-assets segregated from proprietary funds, with continuous reconciliation against on-chain state.
  • Multi-party-computation signing; cold / warm / hot wallet segregation, with the majority of assets in cold storage.
  • Four-eyes approval, whitelisted destinations and per-wallet limits for high-value operations.
  • Crypto-loss insurance maintained and reviewed periodically.
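The withdrawal controls listed above (whitelisted destinations, per-wallet limits, four-eyes approval for high-value operations) as an added example in Go; this is illustrative code, not VirtuaBroker's custody system. Wallet names, thresholds, a rolling 24-hour window for the per-wallet limit and the field names are all assumptions. The checks that tend to be missed in practice are the ones the example enforces explicitly: the initiator may not be one of the approvers, two approvals from the same person do not count as two, and a wallet with no policy is refused rather than allowed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Withdrawal is a request to move assets out of a custody wallet (hypothetical field names).
type Withdrawal struct {
	Wallet      string
	Destination string
	Amount      int64 // minor units, e.g. satoshi
	Initiator   string
	Approvers   []string
	At          time.Time
}

// WalletPolicy holds the per-wallet controls: allowed destinations, a rolling 24h limit, and the
// amount above which an operation counts as high value and needs four-eyes approval.
type WalletPolicy struct {
	Whitelist     map[string]bool
	DailyLimit    int64
	HighValueOver int64
}

type executed struct {
	amount int64
	at     time.Time
}

// PolicyEngine evaluates withdrawals and records the ones it allowed, for the rolling limit.
type PolicyEngine struct {
	policies map[string]WalletPolicy
	history  map[string][]executed
}

func NewPolicyEngine(p map[string]WalletPolicy) *PolicyEngine {
	return &PolicyEngine{policies: p, history: map[string][]executed{}}
}

func (e *PolicyEngine) spentLast24h(wallet string, now time.Time) int64 {
	var total int64
	for _, x := range e.history[wallet] {
		if now.Sub(x.at) < 24*time.Hour {
			total += x.amount
		}
	}
	return total
}

// Evaluate applies the controls in order; the first failing control halts the operation.
// Only a withdrawal that passes every control is recorded against the wallet's limit.
func (e *PolicyEngine) Evaluate(w Withdrawal) error {
	p, ok := e.policies[w.Wallet]
	if !ok {
		return errors.New("unknown wallet: no policy, refused by default")
	}
	if w.Amount <= 0 {
		return errors.New("amount must be positive")
	}
	if !p.Whitelist[w.Destination] {
		return fmt.Errorf("destination %q is not whitelisted for %s", w.Destination, w.Wallet)
	}
	if e.spentLast24h(w.Wallet, w.At)+w.Amount > p.DailyLimit {
		return errors.New("per-wallet 24h limit exceeded")
	}
	if w.Amount > p.HighValueOver {
		// Four-eyes: at least two distinct approvers, none of whom is the initiator.
		distinct := map[string]bool{}
		for _, a := range w.Approvers {
			if a == w.Initiator {
				return errors.New("initiator cannot approve their own withdrawal")
			}
			distinct[a] = true
		}
		if len(distinct) < 2 {
			return errors.New("high-value withdrawal needs two distinct approvers")
		}
	}
	e.history[w.Wallet] = append(e.history[w.Wallet], executed{w.Amount, w.At})
	return nil
}

func main() {
	eng := NewPolicyEngine(map[string]WalletPolicy{ // constructed sample policy
		"hot-1": {Whitelist: map[string]bool{"dest-a": true}, DailyLimit: 1_000_000, HighValueOver: 100_000},
	})
	now := time.Now()
	fmt.Println(eng.Evaluate(Withdrawal{Wallet: "hot-1", Destination: "dest-a", Amount: 50_000, Initiator: "ops-1", At: now}))
	fmt.Println(eng.Evaluate(Withdrawal{Wallet: "hot-1", Destination: "dest-a", Amount: 200_000, Initiator: "ops-1",
		Approvers: []string{"ops-1", "ops-2"}, At: now})) // initiator approving: refused
}
```

The engine refuses on any doubt and records only what it allowed, which matches the "security over speed" stance in section 06: a halted withdrawal is cheap, an over-limit one is not. Whether the limit window is rolling or calendar-based, and whether limits are per wallet or per destination, are policy decisions the code makes explicit rather than implicit.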

06 Resilience & continuity

  • Business continuity and disaster recovery plans with defined RTO/RPO per critical service (custody RTO ≤2h).
  • Automated, encrypted backups with at least one isolated copy; periodic restoration testing.
  • "Security over speed": automation halts on integrity or compliance risk, with controlled, logged manual fallback.
  • Annual resilience testing and crisis-response drills.

07 Monitoring & incident response

  • Centralized logging and alerting across critical systems and sensitive operations.
  • Documented incident lifecycle — detect, contain, recover, post-mortem — with severity-based escalation.
  • Regulatory notification paths defined for major incidents in line with DORA.
  • On-chain transaction screening and Travel Rule compliance for crypto transfers.

08 Third-party risk

  • Critical-provider classification with pre-contract due diligence and security/continuity contract clauses.
  • Annual review of critical providers, including verification of their certifications and insurance.
  • Documented exit and contingency plans for every critical dependency.
  • Audit and supervision rights secured over critical providers and their subcontractors.

Data privacy

Personal data, handled under GDPR

We process personal data lawfully, for defined purposes, and retain it only as long as required by law and operation. Data-subject requests, processing records and cross-border-transfer safeguards are governed by our data-protection program.

Your rights

Access, rectification, erasure, restriction and portability are supported through defined data-subject request handling.

Lawful processing

Processing is purpose-bound and minimized. KYC/compliance data is retained per financial-regulation requirements.

Transfers & processors

Processor agreements and standard contractual clauses govern transfers; subprocessors are categorized below.

Subprocessors

Categories of providers we rely on

We disclose subprocessors by function. Specific provider identities, contracts and certifications are shared with prospective and current partners under NDA as part of vendor due diligence.

Function                  | Purpose                                 | Primary region | Assurance held by provider
Cloud infrastructure      | Compute, storage, database, messaging   | EU / EEA       | ISO 27001 · SOC 2
Custody technology        | Key management & transaction signing    | EEA            | SOC 2 Type II
Identity & authentication | User authentication & access management | EU / EEA       | Aligned to ISO 27001
Liquidity partners        | Crypto execution for swap / settlement  | EEA            | Regulated / MiCA-aligned
Banking & payments        | Fiat collection and payout rails        | EU / EEA       | Licensed / regulated
On-chain analytics        | AML screening & Travel Rule             | EEA            | Specialist compliance vendor
Identity verification     | KYC / KYB onboarding                    | EU / EEA       | GDPR-compliant processor

Provider names are withheld from this public page and disclosed under NDA. Regions and assurances are indicative and confirmed in the subprocessor schedule.

Documentation

Request the evidence behind this page

The following are available to prospective and current partners under a non-disclosure agreement.

  • Information Security Policy
  • ICT Risk Management Policy
  • Identity & Access Control Policy
  • Business Continuity & Disaster Recovery Plan
  • Incident Management Policy
  • Secure Configuration & Vulnerability Management Policy
  • Third-Party / Outsourcing Risk Policy
  • Custody Policy
  • Security Assessment Summary
  • Data Processing Agreement & Subprocessor schedule
  • AML / CTF Program summary