Sparcle for EU Finance

DORA-aligned. EU-region keys. DPO-verifiable inside the bloc.

EU financial institutions operate inside the bloc and inside DORA. Bolt and Aeira ship as customer-deployed software in EU regions, with customer-held KMS inside the EEA, an audit chain your DPO verifies offline, and a sub-processor topology where customer data does not transit Sparcle infrastructure.

Compliance frameworks

What Sparcle ships against.

EU financial-services compliance is the intersection of DORA, GDPR, NIS2, and the EU AI Act. Each frame below maps to a concrete implementation.

DORA (Digital Operational Resilience Act)

EU regulation applying to financial entities and their ICT third-party providers, effective January 2025. Bolt and Aeira ship as customer-deployed software inside the financial entity's perimeter, positioned as customer-deployed software in the DORA ICT-third-party register.

GDPR Art. 17 / 28 / 35

Right to be Forgotten via cryptographic erasure; Art. 28 data-processor responsibilities; Art. 35 DPIA for high-risk processing. Sparcle's sub-processor disclosure is asymmetric — customer data does not reach Sparcle infrastructure in the shipping topologies.

NIS2 (Network and Information Security Directive 2)

Stricter cybersecurity baseline across EU essential and important entities. The five-phase incident-response framework, the audit chain integrity primitive, and the customer-held KMS posture map to NIS2 risk-management requirements.

EU AI Act (high-risk AI in finance)

Sparcle is the runtime, not the model. The Authority Policy SDK lets the financial entity encode the EU AI Act risk-management and human-oversight provisions; the audit-trail responses are the artifact the supervisor reviews.

Data residency posture

Inside the bloc. Inside your perimeter.

EU-region key residency

Customer-held KMS in an EU region (Vault Transit, AWS KMS Frankfurt/Ireland, Azure Key Vault EU). The crypto-shred construction means Sparcle cannot read tenant data without the customer-held CMK.

No transfer outside the EEA

Bolt and Aeira run inside the customer's EU perimeter. Customer data does not transit Sparcle infrastructure; sub-processor disclosure makes the transfer mechanism (or lack thereof) explicit.

DORA-aligned ICT third-party register

Sparcle is the customer-deployed software vendor under DORA; the customer's ICT-third-party register reflects that role. Sub-processor disclosure, MSA, and DPA template support the customer's register update.

DPO-verifiable artifacts inside the bloc

The standalone audit-chain verifier runs offline inside the EU perimeter. Your DPO does not need to transfer audit material outside the bloc to verify integrity.

1-page brief

Take this to your DPO and your CCO.

The EU finance brief covers DORA posture, GDPR + NIS2 alignment, EU-region key residency, and the trust artifacts a DPO and CCO review.

Workflows the founding team has built for

Four anchor use cases.

The workflows below are scoped with EU-finance design partners. The Authority Policy SDK and connector configuration are the per-customer tuning points.

DORA self-attestation prep

Cross-source synthesis across vendor risk register, control attestations, and incident-response runbook. Authority Policy ranks current attestation versions above superseded ones.

GDPR DSAR response with crypto-shred

Subject erasure requests trigger the cryptographic-disposal construction; the disposal receipt is the artifact the supervisory authority receives. Erasure-with-retention via one primitive.

AML / KYC research with citation hygiene

Multi-source synthesis with provenance. The Authority Policy demotes outdated screening sources; every cited authority resolves to a current source-of-record.

NIS2 incident-notification drafting

Structured incident records pulled from the audit chain feed the 24-hour, 72-hour, and 1-month NIS2 notifications. The audit chain is the source-of-record the regulator reviews.

Trust dossier for EU finance

The four artifacts your DPO and supervisor will ask for.

  • /trust/cryptographic-erasure — The construction designed to satisfy GDPR Art. 17 obligations while preserving regulatory retention duties. The packet your DPO and supervisory authority receive.
  • /trust/subprocessors — Asymmetric topology + cross-border transfer mechanisms (SCCs, UK IDTA addendum). Why customer data does not reach Sparcle infrastructure in EU deployments.
  • /trust/verify — The standalone audit-chain verifier. Your DPO runs it offline inside the EU perimeter; the artifact a supervisory-authority audit relies on.
  • /trust/incident-response — Five-phase response framework aligned with the NIS2 notification timeline. The runbook a CISO at an EU financial institution expects.

Want to walk this against your specific DORA register and DPIA?

A 30-minute EU finance architecture review covers your DORA ICT-third-party posture, your KMS custody inside the EEA, your DPIA needs, and the workflows your team needs. Founder-led; the engineering team is on the call.