Compliance
Governance and Roles
Liability and responsibility matrix for Swipelux and sub-merchants
Governance and Roles
Liability Matrix
| Responsibility | Swipelux (VASP) | Sub-Merchant |
|---|---|---|
| Crypto Custody | 100% Responsible | Not-allow |
| Blockchain Execution | 100% Responsible | Not-allow |
| User Verification (KYC) | Responsible (Direct or Reliance) | Responsible for UX Handoff |
| Sanctions Screening | Responsible (All Users) | Responsible for own staff |
| Geoblocking | Enforces via IP/KYC | Must implement at UI level |
| Licensing | VASP License only | Sector License (e.g., Gaming) |
Responsibility Matrix
- Swipelux: custody, blockchain execution, KYC/KYB, monitoring, Travel Rule, sanctions
- Sub-merchant: user journey design, geoblocking, vertical licensing, marketing compliance, prevention of unsolicited US targeting
Swipelux is the only regulated crypto custodian in the flow. Sub-merchants never hold, control, or access user assets or private keys.
Auditability & Retention
Swipelux retains user identity and transactional data for 5 years, as required under EU AML laws and Estonia's MLTFPA.
Data subject deletion requests do not apply to AML-mandated records.
Swipelux stores all data within compliant EU infrastructure aligned with GDPR.