Regulatory posture.
Sub-processors, data residency, state-by-state money-transmitter matrix, and the FinCEN MSB filing state. Every claim on this page is dated. Items marked in progress are not yet active — they're listed so reviewers can see what is and isn't in motion.
Short version (the plain-English summary).
We use Cloudflare to run the website and store records, Coinbase's Base network to settle stablecoin and crypto payments, Stripe to handle card payments, and a banking partner (announced when ACH and wire go live) to handle bank transfers. We don't hold your money — it moves directly between you and your customer. The rest of this page is the long version for compliance reviewers; it spells out exactly what data each of those partners sees and what license framework each operates under.
Sub-processors.
Every third party in the receipt path. Updates announced via the public verifier chain so any change is provable.
- CloudflareWorkers, D1, R2, KV, Queues — edge compute, primary database, intent envelope archive, durable state, webhook delivery. US-region default (IAD / ENAM).
- Coinbase (Base L2)Public-blockchain settlement rail and chain-anchor target for the receipt WORM seal. Public ledger; merchant identifiers never leak — only hashes are anchored.
- StripeFiat on-ramp for USD-denominated SKUs (developer pricing only). Stripe is merchant-of-record for those subscription payments; not on the payment-rail intent path.
- Banking partner (ACH / Wire)Pending disclosure — banking partner for ACH / Wire rails is in contracting. Name will appear here on go-live for those rails. Merchants currently in pilot for ACH / Wire are notified directly.
- ResendTransactional email for merchant enrollment confirmations and alert notifications. No payment-payload data sent.
- Cloudflare Browser RenderingNightly capture of every public page on epochpay.today, sealed in the same WORM chain as receipts. See /snapshots.
Data residency.
Intent envelopes, receipts, and merchant records are stored in US-region Cloudflare D1 + R2 (IAD / ENAM). Chain anchors are published to Base L2 (public, global). Per-region pinning available on enterprise tier on request.
FinCEN MSB registration.
If your procurement review requires a registered MSB upstream of you, contact trust@epochpay.today before integration.
State money-transmitter matrix.
Per-state status. In progress = filing initiated but not active. Exempt or not required = no MTL needed for the operating model in that state. Active = license active and number published.
| State | Status | Notes |
|---|---|---|
| North Carolina (operating state) | In progress | Home state of EpochCore LLC. Filing scoped against NC Money Transmitters Act. |
| Delaware (formation state) | Not required | No money-transmission activity in DE. |
| All other US states | In progress / scoping | Per-state matrix being assembled. Updates published here as filings post. |
| EU / UK / APAC | Out of scope (2026) | Not authorized for non-US merchant onboarding. Roadmap: 2027. |
Compliance roadmap (no claims of current attestation).
| Standard | State | Target / notes |
|---|---|---|
| SOC 2 Type II | In progress | Assessor selection in progress · Q3 2026 engagement target. Evidence collection underway. Type I draft report available on request from trust@epochpay.today. Bridge letter for in-flight Type II on request. |
| ISO 27001 | Scoping | Boundary scoping. No current claim of certification. |
| FedRAMP | Scoping | Boundary scoping for a Low-impact authorization. No current claim of ATO or "in process" status with FedRAMP PMO. |
| SEC 17a-4(f) — WORM electronic storage | Aligned, third-party attestation pending | Triple-hash WORM chain + immutable R2 retention satisfies the structural requirements of 17a-4(f). Independent third-party attestation (DSV) is the next step. |
| FINRA Rule 4370 — business continuity | Documented, attestation pending | BCP documented internally; third-party attestation pending. |
| GDPR / CCPA | Operational | Right-to-access, right-to-erasure (cryptographic blinding for retention-required hashes). Contact privacy@epochpay.today. |
| HIPAA | Out of scope | EpochPay is not designed to receive PHI. If you need a covered-entity configuration, contact us before integration. |
Sub-processor change notice.
Material sub-processor changes are announced 30 days in advance via the changelog and sealed in the public WORM chain so the change is provable. Merchants with the enterprise tier receive direct email notice. Subscribe to the RSS feed to be notified automatically.
Contact.
Procurement / compliance: trust@epochpay.today · Privacy: privacy@epochpay.today · Security: security@epochpay.today · Postal: EpochCore LLC, Huntersville NC USA.