Certifications, Security and Regulatory Readiness – FAQ
Q: Is sanctions.io SOC 2 compliant?
A: Yes. Sanctions.io is SOC 2 Type 2 compliant, meaning our security controls have been independently audited and verified over an extended period to meet the highest standards for security, availability, confidentiality, and processing integrity.
Q: What does SOC 2 Type 2 mean for me as a customer?
A: It means your data is handled using industry-leading security and privacy controls, and our systems are continuously monitored to ensure reliability and compliance.
Q: Can I access the SOC 2 Type 2 report?
A: Yes. We provide the report to customers upon request, under a non-disclosure agreement (NDA).
Q: How can I request the report?
A: Request sanctions.io's SOC 2 Type 2 Report by:
- Accessing our Trust Center page and then navigating to 'Resources'.
- Or emailing our support team at help@sanctions.io.
Q: Is sanctions.io officially recognized by regulatory bodies?
A: No. sanctions.io is not a government regulatory body and does not hold an "official certification" or "endorsement" from regulators such as OFAC, the EU, UN, or OFSI.
sanctions.io is a third-party compliance technology provider that provides organizations with up-to-date, regulator-published sanctions, PEP, and watchlist data, helping them fulfill their Anti-Money Laundering (AML) and sanctions compliance obligations. The responsibility for regulatory compliance remains with the organization using the app.
Q: Do regulatory bodies provide official certification for sanctions screening vendors?
A: To our knowledge, no, they do not. Regulatory bodies such as OFAC (U.S.), the EU, the UN, and OFSI (UK) do not issue any form of "official certification" or "seal of approval" for third-party sanctions screening solutions. Their role is to publish and maintain the official sanctions lists.
While some screening providers may hold independent security or compliance attestations (e.g., SOC 2, ISO 27001) to demonstrate operational and data protection standards, these are not regulator-issued certifications.
Q: In the absence of formal regulatory certification, what mechanisms does sanctions.io employ to ensure data integrity and audit readiness for compliance reviews?
A: While sanctions.io does not currently hold formal certification from any regulatory body, the platform is built with stringent compliance standards, proven data reliability, and complete audit readiness to meet the expectations of regulators.
Here's why you can rely on sanctions.io for compliance purposes:
1. Hourly Watchlist Updates
All sanctions, PEP, and watchlist data are refreshed every 60 minutes, so your screenings always run against the most current information available.
2. Authoritative Data Sources
Data is sourced directly from official and trusted bodies, including OFAC, the UN, the EU, and HM Treasury. This aligns with what regulators expect organizations to screen against.
3. Full Auditability
Every screening response contains the search parameters used and a timestamp. Archiving these responses maintains a complete audit trail, which is crucial for passing regulatory reviews or OFAC audits.
4. SOC 2 Type II Compliance
sanctions.io has completed a SOC 2 Type II audit, a recognized standard for data security and integrity. The report is available upon request for due diligence or vendor risk management.
5. Match Resolution Workflows and Audit Trails
Matches can be marked as "False Positive" or "Real Positive" directly in the Monitoring Portal or via the Monitoring API. All actions are logged, supporting a defensible position in the event of regulator questions.