Compliance, attestations and global frameworks

Marseille UPG operates regulated, audited payment infrastructure. We maintain certifications and attestations that allow regulated customers to rely on our platform without compromising their own posture.

  • Last audit: Q1 2026
  • Auditor: BDO UK
  • Coverage: All production regions

Certifications & attestations

  • PCI DSS Level 1 (AoC v4.0): Highest-tier service-provider attestation. AoC refreshed annually by a Qualified Security Assessor.
  • SOC 2 Type II (refreshed annually): Continuous reporting on Security, Availability and Confidentiality trust principles.
  • ISO/IEC 27001:2022 (Certificate IS 819204): Certified Information Security Management System covering all production environments.
  • ISO/IEC 27701:2019 (certified): Privacy Information Management System extension built on top of ISO 27001.
  • GDPR · UK GDPR · Swiss FADP (UK registered): Standard Contractual Clauses, UK IDTA, transfer impact assessments and a registered DPO.
  • PSD2 / SCA aligned (EBA RTS): Strong Customer Authentication routing, exemption strategy and 3DS2 orchestration.

01. The compliance programme

Compliance at Marseille UPG is a continuous engineering programme, not a yearly checkbox. Controls are codified, monitored and tested in production. Evidence is collected automatically and reviewed by an independent internal audit function that reports directly to the Audit Committee.

  • Control library mapped against PCI DSS v4.0, SOC 2, ISO 27001/27701 and CSA CCM.
  • Continuous control monitoring with automated evidence capture and exception management.
  • Quarterly internal audits; annual external assessments; surprise sampling on critical controls.
  • Risk register reviewed monthly by the CISO and quarterly by the board.

02. Regulatory frameworks

We support customers operating across the following frameworks. Where you act as the regulated entity, we act as a sub-contracted service provider with appropriate flow-down obligations.

European Union
  • GDPR (2016/679)
  • PSD2 (2015/2366)
  • EBA RTS on SCA
  • DORA readiness
United Kingdom
  • UK GDPR + DPA 2018
  • FCA expectations for outsourced services
  • PSR 2017
United States
  • CCPA / CPRA
  • GLBA Safeguards Rule
  • State money-transmission framework alignment
APAC
  • Singapore PDPA
  • Australia Privacy Act
  • Japan APPI
  • Hong Kong PDPO
Latin America
  • Brazil LGPD
  • Mexico LFPDPPP
  • Argentina PDPA
Cards & schemes
  • PCI DSS v4.0
  • PCI 3DS Core SDK
  • Visa, Mastercard, Amex compliance programs

03. AML, sanctions and merchant due diligence

Marseille UPG is not a money services business and does not hold customer funds. We nonetheless operate a risk-based programme to ensure that the platform is not used to facilitate financial crime, including:

  • Know-Your-Business onboarding for every customer organisation, refreshed at least annually.
  • Sanctions screening (OFAC, EU, UK, UN) on customers, beneficial owners and configured providers.
  • Transaction-level rules engine for typology detection, with case management and SAR support.
  • Direct cooperation with law enforcement subject to lawful, valid requests.