What We Are

Sanctuary provides blockchain analytics software (AML Intelligence). We operate as a technology provider — we do not custody, transmit, or exchange digital assets on behalf of users and therefore do not qualify as a Money Services Business (MSB) or Virtual Asset Service Provider (VASP) under applicable regulations.

Our position is analogous to credit rating agencies: Moody's does not need a banking license to issue credit ratings. Similarly, Sanctuary does not need a VASP license to provide blockchain risk scores.

Legal basis: FATF Updated Guidance (2021) para. 55–58, MiCA Recital 22, CIMA VASP Guidance (2024).

European Union — MiCA

Regulation (EU) 2023/1114 (Markets in Crypto-Assets) requires CASP authorization for providing crypto-asset services in the EU. The transitional period for existing providers ends July 1, 2026.

Sanctuary provides analytics software — not crypto-asset services as defined in MiCA Article 3(1)(16). Analytics and compliance tool providers are not classified as CASPs and do not require CASP authorization.

ESMA interprets reverse solicitation strictly: promotional campaigns, affiliate marketing, disclaimers, or pre-completed templates do not override the factual nature of client initiation.

FATF Compliance

The FATF Targeted Update (June 2025) reports that 29% of 138 assessed jurisdictions are largely compliant with Recommendation 15 (Virtual Assets/VASPs). Sanctuary aligns with FATF standards through:

AML Intelligence — Screening against multiple sources including OFAC SDN, EU Consolidated Sanctions, UN lists
Conditional KYC — Right to request identity verification at any time per FATF R.10
Record-keeping — 5-year retention of AML records per FATF R.11; 7-year retention of financial/transaction data per applicable tax law

Jurisdiction & Governing Law

Our Terms of Service are governed by English law (Laws of England and Wales) with dispute resolution via LCIA arbitration. This is standard for international B2B technology companies operating in a neutral jurisdiction.

Data Protection

Sanctuary implements privacy by design:

Blind Reputation Protocol (AML) — wallet addresses are cryptographically hashed before storage. Raw addresses never persist in the intelligence database. This constitutes pseudonymisation under GDPR Article 4(5).
Minimal data collection — we collect only what is necessary for service operation.
No tracking — zero third-party analytics, advertising pixels, or tracking cookies.
Self-hosted infrastructure — all blockchain nodes, databases, and search engines run on our own servers within the EU. We minimize third-party cloud dependencies.

Restricted Jurisdictions

Sanctuary services are not available to users located in jurisdictions subject to comprehensive sanctions programs. Currently restricted:

Iran

North Korea

Cuba

Syria

Crimea Region

Russian Federation

Republic of Belarus

EU and UK users: see Terms of Service §7 for reverse solicitation and registration provisions.

What We Do Not Do

We do not provide legal advice or regulatory guidance
We do not make compliance decisions on behalf of our customers
We do not automatically report data to law enforcement agencies
We do not custody or hold cryptocurrency on behalf of users
We do not operate as a licensed financial institution in any jurisdiction
We do not exchange fiat currency for cryptocurrency

Our customers — compliance officers, exchanges, and merchants — use Sanctuary data as one input into their own compliance decisions. The final determination is always made by the qualified professional, not our software.

Cooperation with Authorities

When presented with valid legal requests (court orders, subpoenas) from competent authorities, Sanctuary cooperates within applicable law. We notify affected users unless prohibited by the legal instrument. Due to the Blind Protocol, the data available for disclosure (from AML Intelligence) is limited to hashed identifiers, not raw wallet addresses.

Security Architecture

Current security measures include:

Cryptographic wallet address pseudonymization (AML module)
Password hashing using industry-standard cryptographic algorithms
Cryptographic score snapshots for tamper-evident audit trails
TLS 1.3 encryption for all data in transit
Full-disk encryption for data at rest
Role-based access control and perimeter security
Rate limiting and request validation on all API endpoints

SOC 2 Type II certification is on the roadmap as the platform scales. For vendor security assessments, we provide completed security questionnaires and architecture documentation upon request for Enterprise tier customers.

Contact

For compliance inquiries: [email protected]

What We Are

Legal basis: FATF Updated Guidance (2021) para. 55–58, MiCA Recital 22, CIMA VASP Guidance (2024).

European Union — MiCA

Regulation (EU) 2023/1114 (Markets in Crypto-Assets) requires CASP authorization for providing crypto-asset services in the EU. The transitional period for existing providers ends July 1, 2026.

ESMA interprets reverse solicitation strictly: promotional campaigns, affiliate marketing, disclaimers, or pre-completed templates do not override the factual nature of client initiation.

FATF Compliance

The FATF Targeted Update (June 2025) reports that 29% of 138 assessed jurisdictions are largely compliant with Recommendation 15 (Virtual Assets/VASPs). Sanctuary aligns with FATF standards through:

AML Intelligence — Screening against multiple sources including OFAC SDN, EU Consolidated Sanctions, UN lists
Conditional KYC — Right to request identity verification at any time per FATF R.10
Record-keeping — 5-year retention of AML records per FATF R.11; 7-year retention of financial/transaction data per applicable tax law

Jurisdiction & Governing Law

Data Protection

Sanctuary implements privacy by design:

Blind Reputation Protocol (AML) — wallet addresses are cryptographically hashed before storage. Raw addresses never persist in the intelligence database. This constitutes pseudonymisation under GDPR Article 4(5).
Minimal data collection — we collect only what is necessary for service operation.
No tracking — zero third-party analytics, advertising pixels, or tracking cookies.
Self-hosted infrastructure — all blockchain nodes, databases, and search engines run on our own servers within the EU. We minimize third-party cloud dependencies.

Restricted Jurisdictions

Sanctuary services are not available to users located in jurisdictions subject to comprehensive sanctions programs. Currently restricted:

Iran

North Korea

Cuba

Syria

Crimea Region

Russian Federation

Republic of Belarus

EU and UK users: see Terms of Service §7 for reverse solicitation and registration provisions.

What We Do Not Do

We do not provide legal advice or regulatory guidance
We do not make compliance decisions on behalf of our customers
We do not automatically report data to law enforcement agencies
We do not custody or hold cryptocurrency on behalf of users
We do not operate as a licensed financial institution in any jurisdiction
We do not exchange fiat currency for cryptocurrency

Cooperation with Authorities

Security Architecture

Current security measures include:

Cryptographic wallet address pseudonymization (AML module)
Password hashing using industry-standard cryptographic algorithms
Cryptographic score snapshots for tamper-evident audit trails
TLS 1.3 encryption for all data in transit
Full-disk encryption for data at rest
Role-based access control and perimeter security
Rate limiting and request validation on all API endpoints

Contact

For compliance inquiries: [email protected]

Регуляторна відповідність

What We Are

European Union — MiCA

FATF Compliance

Jurisdiction & Governing Law

Data Protection

Restricted Jurisdictions

What We Do Not Do

Cooperation with Authorities

Security Architecture

Contact

Регуляторна відповідність

What We Are

European Union — MiCA

FATF Compliance

Jurisdiction & Governing Law

Data Protection

Restricted Jurisdictions

What We Do Not Do

Cooperation with Authorities

Security Architecture

Contact