Thoryn

Compliance

Medium-assurance — server-held keys. GDPR, NIS2, DORA — plus a decision guide for when to use Wallet SDK instead.

Cloud Wallet is medium-assurance. Server-side keys, AES-256-GCM at rest, strong audit — but not hardware-backed. That's a real compliance positioning, not a limitation-in-disguise.

Medium-assurance · server-held keys · two-step consent · audit-logged · ARF high-assurance handed off to Native Wallet SDK.

Medium-assurance positioning

The EUDI Wallet Architecture and Reference Framework (ARF) distinguishes between hardware-backed (high-assurance) and software-protected (medium-assurance) wallets. Cloud Wallet is the latter, and most use cases are fine with medium-assurance. For qualified PID (person identification data) presentations and top-regulated flows, use the Native Wallet SDK.

GDPR

Cloud Wallet is a data processor when your app stores credentials on behalf of your users. Lawful basis: contract performance (user asked for the service). Data minimisation via selective disclosure at presentation time. Storage limitation: credentials are retained per user-facing settings; users can delete individual credentials or their whole wallet.

  • Right of access: the user can inspect every credential and the audit log
  • Right to erasure: delete credential, delete wallet, delete audit log
  • International transfers: Hetzner Germany; no third-country transfers from the wallet

NIS2

Encryption at rest (AES-256-GCM); TLS 1.3 in transit; self-hosted dependencies (Postgres, Redis, Vault). Incident detection via unusual presentation patterns, failed-receipt spikes, signing anomalies.

DORA

For financial-services customers, Cloud Wallet is a documented third-party ICT service component (Art. 28–30). Right-to-audit clauses apply. Incident response flows into your Art. 17–23 reporting.

Cross-sell to Native Wallet SDK

When a compliance requirement demands hardware-backed keys — qualified PID, ARF-high-assurance scenarios, member-state wallets — use the Native Wallet SDK. Cloud Wallet can coexist for users who prefer a browser flow.
