Wam
§··Trust
REGULATORY · CERTIFICATIONS · DISCLOSURE
What we stand on

The full list. No asterisks.

The licences we hold, the licences we don't, the safeguards on your money, and the vendors that touch your data. One page, no marketing prose.

Regulatory perimeter

Wam is a participant in the Trinidad and Tobago Securities and Exchange Commission (TTSEC) Virtual Asset Service Provider (VASP) Regulatory Sandbox. Sandbox admission is a conditional and time-limited supervisory authorisation. It is not a full VASP licence, not a registration, and not an endorsement by the TTSEC of any Wam product or service. The activities Wam is authorised to perform — exchange between crypto and fiat, exchange between crypto assets, and transfer of crypto assets — are listed in our Certificate of Acceptance and may change. We update this page whenever our authorisation changes.

  • EMI + PSP: licensed by the Central Bank of Trinidad & Tobago (WamNow Technologies Limited).
  • VASP: sandbox participant only — not a full VASP licence.
  • No Bureau de Change licence. Wam does not act as an FX principal; FX execution runs through our regulated banking partners.
  • No custody, safekeeping, staking, lending, yield, or interest-bearing services — you self-custody your crypto.

Custody & self-custody

Wam does not provide custody, safekeeping, staking, lending, yield, or interest-bearing services. You self-custody your crypto. Where Wam holds virtual assets, it is only on a transient basis strictly to execute a specific exchange or transfer you have authorised.

Segregation & deposit-insurance status

Customer funds and customer virtual assets are segregated from Wam's own assets and operating funds. They are not pledged, lent, rehypothecated, or used for Wam's account. Wam balances and crypto holdings are not bank deposits and are not insured or guaranteed by the Deposit Insurance Corporation (DIC), the Central Bank of Trinidad and Tobago (CBTT), the TTSEC, or any other government agency or insurance scheme in any jurisdiction.

Fee transparency

All fees, spreads, FX margins, and network (gas) costs are published in our Fee Schedule and are disclosed before you confirm a transaction. Every charge you pay is reconcilable to the published schedule. Cryptocurrency network fees fluctuate with on-chain conditions.

Crypto rate methodology

Exchange rates for crypto buy/sell are quoted live and include a published spread over a reference rate. Rates are time-limited — quotes typically expire within 60 seconds for sells and 15 minutes for buys. The all-in rate you receive is shown before you confirm and is reconcilable to the published spread in our Fee Schedule.

Vendor certifications

Wam itself is not SOC 2 or ISO 27001 certified — those certifications belong to our identity vendor. We list each vendor's audit scope here so you can see exactly what is and isn't covered.

  • Identity (Auth0/Okta): SOC 2 Type II, ISO 27001 certified.
  • Card data (Cybersource): PCI DSS Level 1 service provider. Wam's PCI scope is SAQ A — card data is tokenised at Cybersource; no PANs on Wam systems.
  • Sanctions / AML screening: Chainalysis and TRM Labs.
  • Wam SOC 2 attestation: in progress.

Sub-processors

Every vendor that sees customer data, in alphabetical order. This list is public and versioned. If it changes, the page updates.

  • Alchemy: blockchain RPC and webhook delivery for crypto deposits
  • Auth0 (Okta): authentication, MFA, session management
  • Chainalysis: on-chain address screening
  • Cybersource (Visa): card acquiring and tokenization
  • Google Cloud Platform: compute, storage, secrets, monitoring (us-west1)
  • Hasura Cloud: GraphQL gateway
  • Sentry: error tracking (PII scrubbed in beforeSend hook)
  • SendGrid: transactional email
  • SumSub: KYB for business accounts
  • Temporal Cloud: async workflow orchestration
  • TRM Labs: on-chain risk screening
  • Veriff: KYC for consumer accounts

Data residency & retention

Primary data lives in Google Cloud us-west1. Customer records are retained for the period required by our regulated partners (typically 5 years for financial records) and deleted on request where no legal obligation requires retention. PII is scrubbed from logs at the logging boundary.

Incident response

Named on-call per service. Documented runbooks in our internal wiki. Post-incident reviews within 3 business days. We will notify you directly, by email or in-app, of any incident that materially affected your account.

Responsible disclosure

Think you found a vulnerability? Please report it to security@zed.io (PGP key on request). We operate a safe-harbor policy for good-faith research: we will not pursue legal action against researchers who follow the standard responsible-disclosure timeline (90 days) and who do not access accounts they do not own.