EBA Outsourcing Guidelines (EBA/GL/2019/02)

Compliance status: The controls described below are implemented in the production codebase. SOC 2 Type I audit engagement is underway — report expected Q3 2026. For NDA-gated security documentation, contact hello@creatorlayer.eu.

The EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) apply to credit institutions, investment firms, and payment institutions supervised under EU law. Where lender customers are subject to these guidelines, Creatorlayer — as an ICT service provider handling material outsourcing functions — is designed to support compliance under Section 4 (Governance of outsourcing arrangements).

Applicability

These guidelines apply to outsourcing arrangements where Creatorlayer provides material functions to regulated financial entities. "Material" outsourcing requires enhanced due diligence and contractual protections as set out below.


Governance Requirements

Written Agreement (Guideline 74)

Creatorlayer is designed to provide a standard Data Processing Agreement (DPA) and API Terms of Service covering:

  • Clear description of the outsourced service (creator income verification, health scoring, risk tape generation)
  • Start date, notice periods, and termination conditions
  • Data location: EU (France) — Scalingo SAS infrastructure
  • Sub-processor disclosure and change notification (30 days' notice)
  • Security incident notification (within 24 hours of detection)
  • Audit rights for the regulated entity and their supervisory authority

Contact hello@satoshiframework.com to obtain the full DPA for your records.

Sub-outsourcing (Guideline 80)

Creatorlayer's current critical sub-processors are:

| Sub-processor | Function | Location | Change Notice |
|---|---|---|---|
| Scalingo SAS | Hosting, database, Redis | France (EU) | 30 days |
| Resend | Transactional email | USA (SCCs) | 30 days |
| GitHub (Microsoft) | Source code, CI/CD | USA (SCCs) | 30 days |

Lender customers are notified of any material sub-processor change 30 days in advance.


Access and Audit Rights (Guideline 76)

Lender customers and their competent authority have the right to:

  • Audit Creatorlayer's controls relevant to the outsourced function
  • Request documentation of security controls, incident history, and business continuity arrangements
  • Conduct on-site inspections with 10 business days' notice (remote inspections available)

To exercise audit rights, contact hello@satoshiframework.com.


Business Continuity (Guideline 77)

| Metric | Commitment |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 1 hour (WAL-based PITR) |
| Backup frequency | Daily snapshots + continuous WAL archiving |
| Backup location | Separate availability zone within France (Scalingo) |
| Exit plan | Data export in standard formats (JSON/CSV); 90-day transition support |

Full Business Continuity Plan available on request.


Data Security (Guideline 78)

  • All data processed in the EU (France) on Scalingo infrastructure
  • TLS 1.2+ enforced on all connections; HSTS enabled
  • PostgreSQL with role-based access; read-only reporting role available
  • Encryption at rest managed by Scalingo SAS
  • GDPR-compliant data handling: consent management, erasure within 30 days, audit logging
  • Immutable audit trail retained for 7 years

Exit Strategy (Guideline 79)

Creatorlayer is designed to support a smooth exit from the outsourcing arrangement:

  • Data export: Full data export in JSON or CSV on request, within 15 business days
  • Transition period: Up to 90 days of continued service access at current terms to support migration
  • Documentation: API specification, data schema documentation, and integration guides provided
  • No vendor lock-in: Standard REST API with an open-source Node.js SDK

Competent Authority Notification

If your supervisory authority (ECB, national NCA, or other EBA-supervised body) requires notification of this outsourcing arrangement, Creatorlayer is designed to provide supporting documentation including:

  • Service description and scope
  • Risk assessment summary
  • Security and BCP documentation
  • DPA template

Contact hello@satoshiframework.com with the subject: EBA Outsourcing Documentation — [Your Company Name].