Coreal.
01 · Security & Compliance

Built so a regulator
can read it.

Three lines of defense as code. DORA-aligned ICT controls. Tenant isolation at four layers. An immutable journal for every flow, every decision, every provider call — replayable seven years later.

DORA · PSD2 · MiCA · MiFID II · GDPR · ISO 27001 · PCI DSS scope
EVIDENCE ON DEMAND
Any posting, last 7 years: replayable from event log
Any KYC decision: with input hash + reviewer identity
Any KYT result: with provider trace + sanctions sources
Any policy change: with approver + commit + diff
Any AI suggestion: with prompt hash + override flag
Any incident: with timeline + RCA + remediation
REQUEST AN EVIDENCE PACK →
02 · Three lines of defense

Three teams. Three jurisdictions. Same git history.

The three-lines model only works if the lines are independent. We make that independence verifiable: each line's policy and configuration lives in the repository, with separate IAM, separate approvers, and a diffable history.

1L · OWNS THE RISK

Product, payments, BPM

The team that ships the flow owns the risk. Velocity caps, exposure limits, idempotency keys: declared as policy in the BPM engine, enforced at the gateway. No flow ships without an owner named in the policy.

EXAMPLES
Velocity policy: declared per tenant
Exposure limits: enforced at gateway
Idempotency keys: mandatory at boundary
Tier limits: wired to KYC tier
2L · SETS THE STANDARDS

Compliance, risk, fraud ops

Independent of the product line. Owns sanctions list refresh, AML rule curation, KYT thresholds and the SAR register. Their decisions land as configuration in the same git repo as the code, so the diff between second-line policy and first-line policy is reviewable.

EXAMPLES
Sanctions list refresh: < 24h after publication
KYT thresholds: reviewed quarterly
SAR register: queryable, not exported
Tier policy: version-controlled
3L · ASSURES THE OTHER TWO

Internal audit

Reads the journal, not the dashboard. Replays cases, checks the evidence pack, confirms second-line policy was actually applied. Findings land in the issue tracker, with named owner and SLA. The auditor does not write code; they read it.

EXAMPLES
Journal access: read-only, write-locked
Sample size: risk-weighted, not quota-based
Findings: tracked in same issue system
SLA on remediation: tied to severity
03 · Frameworks

Every framework, with the actual control.

Not a logo wall. For each framework that bites in our scope, the named control we implement and where it lives in the system.

FRAMEWORK | SCOPE | WHERE IT LIVES IN COREAL
DORA | EU ICT risk + operational resilience | ICT-risk register · 4-layer tenant isolation · DR/BCP RPO < 5 min · third-party register with concentration analysis
PSD2 / SCA | EU payment services + strong customer auth | Step-up flow in BPM · 3DS-2 enrolment surface · audit-grade exemption ledger
MiCA | EU crypto-asset service providers | CASP perimeter ring-fence · KYT on every on-chain move · whitepaper + safeguarding evidence pack
MiFID II | EU investment services | Best-execution journal per order · suitability gate at portfolio service · transaction reporting RTS-22 ready
GDPR | EU data protection | DPIA per high-risk flow · purpose-bound storage · RoPA generated from BPM · subject-rights API on the journal
AML5 / AML6 | EU anti-money-laundering | Tiered KYC · transaction monitoring · case management · SAR register on the operator workspace
ISO 27001 | Information security mgmt | Statement of Applicability mapped 1:1 to controls in repo · annual external audit
PCI DSS | Card data security | Scope-reduction via tokenisation · no PAN in our perimeter · attested SAQ-A or SAQ-D-SP per program
NIS2 | Network & info security (essential entities) | Incident reporting hooks · supply-chain register · CSIRT contact ready
04 · Tenant isolation contract

One incident stays in one box.

Tenant isolation is enforced at four layers. A breach at one layer cannot escalate across tenants without a breach at every layer. Each layer is testable independently.

IAM
OAuth2 client per tenant

Separate signing keys, scope claims and audience. No cross-tenant token reuse possible by design.

NETWORK
Tenant-namespace VPC slices

Service-mesh policies enforce intra-tenant traffic only. Egress allow-lists managed per tenant.

DATA
Postgres RLS per row

Every table carries a tenant_id; row-level security predicates are enforced in the database, not the application.
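The data layer described above, as an added example in PostgreSQL; this is not Coreal's schema or code. It assumes the connection layer has already validated the tenant's token and pins the tenant id in the session setting app.tenant_id before running queries; the table, role and setting names are illustrative.

```sql
-- Added example, not Coreal's schema: one table under the "Postgres RLS per row" contract.
-- Assumptions: the connection layer validates the tenant's token and pins the tenant id
-- in the session setting app.tenant_id; table, role and setting names are illustrative.

CREATE TABLE postings (
    id         bigserial      PRIMARY KEY,
    tenant_id  uuid           NOT NULL,
    amount     numeric(18, 2) NOT NULL,
    created_at timestamptz    NOT NULL DEFAULT now()
);

-- The service connects as a non-owner role, so RLS applies to everything it runs.
-- Superusers and roles with BYPASSRLS skip RLS entirely; the service must never be one.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT ON postings TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE postings_id_seq TO app_rw;

ALTER TABLE postings ENABLE ROW LEVEL SECURITY;
-- FORCE also binds the table owner, closing the "owner connection bypasses the policy" gap.
ALTER TABLE postings FORCE ROW LEVEL SECURITY;

-- One predicate for reads (USING) and writes (WITH CHECK): the row's tenant must equal the
-- pinned tenant. NULLIF covers the unset case: current_setting(..., true) yields NULL or ''
-- when nothing is pinned, the comparison becomes NULL, and NULL counts as false, so an
-- un-pinned session sees nothing and can write nothing.
CREATE POLICY tenant_isolation ON postings
    FOR ALL
    TO app_rw
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: pin the tenant for this transaction only (third argument true = local),
-- so a pooled connection cannot carry the previous request's tenant into the next one.
SET ROLE app_rw;
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO postings (tenant_id, amount)
VALUES ('11111111-1111-1111-1111-111111111111', 42.00);      -- passes WITH CHECK
SELECT count(*) FROM postings;                               -- 1: only this tenant's rows
COMMIT;

-- A cross-tenant write, in its own transaction, is refused by the database with
-- "new row violates row-level security policy for table "postings"".
BEGIN;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO postings (tenant_id, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 1.00);
ROLLBACK;

-- Independent test of this layer (the "testable independently" property): with no tenant
-- pinned, the same role must see zero rows whatever the table holds.
SELECT count(*) FROM postings;                               -- 0
RESET ROLE;
```

The two things worth checking in review are that the service role is neither a superuser nor marked BYPASSRLS, and that every table reachable by that role has both ENABLE and FORCE ROW LEVEL SECURITY set; a table with the predicate in application code only, or with RLS enabled but not forced, is exactly the case the contract on this page rules out.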

AUDIT
Per-tenant journal partitions

Decision journals partitioned by tenant. Read-access requires per-tenant role, never granted across.

05 · Data lifecycle

Data has a lifecycle. So does the law.

Each stage carries a specific lawful basis, retention rule, access control and sub-processor disclosure. The configuration is in the repo; the journal proves it was applied.

INGRESS
Tier-1: telco-verified identity. Tier-2: OCR + liveness. Tier-3: enhanced due diligence.
GDPR Art. 6 lawful basis declared per stage
STORAGE
Encrypted at rest (AES-256). Per-tenant keys via KMS. PII separated from posting fields.
Purpose-bound retention; no cross-purpose joins
USE
Read access role-gated. Every read journaled. AI prompts run on hashed/tokenised features only.
No raw PII flows into model context
SHARING
Provider gateway tokenises customer fields per provider. No raw IDs sent downstream.
Vendor sub-processor list maintained in repo
RETENTION
Live: minimum required by regulation. Cold: 7 years. Erasure: subject-rights API on the journal.
Right-to-erasure operates on identifiers only; postings tombstoned, not deleted
06 · Incident playbook

Six phases. Every one journaled.

Operational resilience is not a slide deck — it is the muscle memory of an on-call team, with named owners, target SLAs and a written RCA every time. Below is the actual cadence we run.

T = 0 · Detect (target < 60s)
Health-check failure or alert routes to on-call; the owning service's on-call is auto-paged from the service catalogue.

T < 5 min · Contain (target < 5 min)
On-call acknowledges, scopes blast radius via tenant filter, applies pre-canned containment if available.

T < 30 min · Communicate (target < 30 min)
Customer-facing status page + sponsor-bank risk team notified. Internal incident channel up.

T < 4 h · Mitigate (target < 4 h)
Workaround in production. Per-incident severity dictates whether mitigation is enough.

T + 1 wk · Resolve + RCA (target < 1 week)
Permanent fix shipped. Written RCA: timeline, controls that worked, controls that did not, remediation list.

T + 2 wks · Cross-org review (target < 2 weeks)
2L compliance + 3L audit review the RCA. Findings tracked in issue system with named owner + SLA.

07 · Assurance cadence

Six exercises. On a calendar.

Independent assurance happens on a published calendar — not whenever a breach forces it. Each exercise has a named external party (where applicable), a named internal owner, and a written report that lands in the audit register.

External pentest · QUARTERLY

Independent CREST-accredited firm. Web + mobile + API surface.

Internal red-team · ANNUAL

Cross-tenant escalation paths, IAM lateral movement, KYT bypass attempts.

Sponsor-bank review · PER WAVE

Bank risk team reviews postings, controls, and operator workspace before any launch.

Regulator dry-run · PRE WAVE-1

Mock evidence-pack pull against random sample. Lessons fed back into BPM and journal.

DR / BCP exercise · QUARTERLY

Failover to secondary region. RPO < 5 min, RTO < 1 h target verified live.

Supply-chain review · CONTINUOUS

Every dependency change triggers SBOM diff + license + CVE check at PR time.

Working session

Bring your regulator letter.
We will read it together.

Four hours, one whiteboard, one shared screen. We map the perimeter, list the controls, identify the evidence gaps, and write a remediation plan you can hand to the second-line risk team on Monday.

Reserve a 4-hour working session →