Security & Compliance 

At AML Buddy, powered by Zenoo, we take security, data protection, and regulatory compliance  extremely seriously. 

Our platform is designed for regulated organisations that depend on trusted, secure identity  verification and AML workflows. 

This page outlines our security controls, infrastructure standards, and compliance practices. 1. Security Overview 

AML Buddy is built on Zenoo’s enterprise-grade security framework, combining: 

  • Strong access control 
  • Encrypted data storage and transfer 
  • Hardened cloud infrastructure 
  • Continuous monitoring and threat detection 
  • Strict operational security policies 

Our internal IT Security Policy governs all controls and behaviours across the business 2. Infrastructure & Data Hosting 

  • All AML Buddy data is hosted in AWS EU-West (Ireland)
  • Infrastructure is deployed using Infrastructure-as-Code (Terraform) to ensure consistent,  secure provisioning. 
  • AWS services are configured following industry best practices and regularly reviewed for cost  and security performance 

Physical security is provided by AWS data centres (ISO 27001, SOC2, PCI-DSS certified). 

3. Encryption & Data Protection 

We protect Customer Data using strong encryption: 

Encryption 

  • AES-256 encryption at rest 
  • TLS 1.2+ encryption in transit 

API Security 

  • API communication between services is restricted and authorised using secure web tokens 

Backups 

  • Automated encrypted backups 
  • Strict no-local-storage rules: staff must store data only in secure Google Workspace/Confluence environments 
  •  Rolling deletion policy aligned with our DPA

4. Access Control & Authentication 

We enforce strict access and identity controls: 

Principles 

  • Least privilege and need-to-know access 
  • Role-based permissions 
  • Restricted administrator rights 

Authentication 

  • Individual accounts only (no shared credentials) 
  • Secure key-based SSH access for server administration 

User Responsibilities 

  • Passwords must comply with our Password Management Policy 
  • Users may not bypass, disable, or interfere with security controls 

5. Network & Infrastructure Security 

Key protections include: 

  • Hardened cloud instances 
  • IP-restricted access to production resources 
  • Firewall and network segmentation 
  • Monitoring of AWS Cost Explorer and Trusted Advisor for anomaly detection 

6. Monitoring, Logging & Threat Detection 

We maintain: 

  • Continuous system monitoring 
  • Logging and auditing of user account activity 
  • Alerts for suspicious events 
  • Controls to prevent unauthorised software installation or execution 

Zenoo employees must report any system weakness, incident, or potential security vulnerability  immediately 

7. Incident Response 

Zenoo operates a documented Security & Privacy Incident Response Policy (referenced in the IT  Security Policy). 

All incidents relating to security or customer data privacy must be reported immediately to the Privacy  Officer and Head of Technology 

We follow: 

  • Fast internal escalation 
  • Customer notification per GDPR
  • Full forensic review 
  • Remediation tracking 

8. Employee Policies & Training 

Employees must: 

  • Complete regular security training 
  • Follow clean desk & screen practices 
  • Keep all sensitive or restricted information secured 

Additional controls: 

  • Background checks 
  • Device security (antivirus, disk encryption) 
  • VPN usage when on public networks 

9. Remote Access & Mobile Security 

Remote access follows strict rules: 

  • Only authorised individuals may use Zenoo equipment 
  • Devices must be locked when unattended 
  • VPN required for public network access 
  • Personal device access permitted only with up-to-date OS & antivirus 

10. Acceptable Use Restrictions 

To protect overall security, users may NOT: 

  • Bypass or disable security controls 
  • Install unapproved software 
  • Connect unauthorised external storage media 
  • Conduct penetration testing without approval 
  • Visit inappropriate or harmful internet sites 

11. Compliance & Data Protection 

AML Buddy supports: 

  • UK GDPR / EU GDPR 
  • AML/KYC and financial crime regulations 
  • Secure data residency in the EU 
  • Customer-as-Controller, Zenoo-as-Processor model (per our DPA) 
  • Sub-processor transparency 
  • Standard Contractual Clauses for international transfers (UK & EU) Our compliance documentation includes: 
  • Terms & Conditions
  • Privacy Policy 
  • Cookie Policy 
  • Billing Policy 
  • Data Processing Addendum (DPA) 
  • Sub-processor List 
  • This Security & Compliance Page 

12. Review & Continuous Improvement 

The IT Security Policy underpinning these controls is formally reviewed annually or upon significant  changes 

We continuously improve our posture with: 

  • Penetration tests 
  • Security audits 
  • Regular patching and updates 
  • Vendor risk assessments 

Contact 

For security concerns or to request compliance documentation: 

Security Team: security@amlbuddy.com 

Privacy & Regulation Officer (DPO): privacy@amlbuddy.com