Built for Algeria's Regulatory Landscape
Assurique's on-premise architecture is not merely compatible with Algerian data sovereignty requirements — it is the only architecture that can satisfy them. Compliance is built into the design, not bolted on as a policy.
01
Regulatory Overview
Algeria's financial and data protection landscape requires that sensitive personal data — particularly biometric and identity data — be processed and stored domestically, under the control of the organization that collects it. Assurique's on-premise architecture is the only compliant answer.
| Regulation | What it requires | How Assurique satisfies it |
|---|---|---|
| Law 18-07 (June 10, 2018) | Personal data must be collected lawfully, processed with consent, stored securely, and never transferred without authorization. Organizations must designate a Data Protection Officer and maintain processing records. | All data stays on your infrastructure. You are the sole data controller. No transfer to Assurique ever occurs. No DPA required — Assurique is not a data processor. |
| Regulation 24-64 (Bank of Algeria) | Digital banking platforms and their customer data must be hosted on servers physically located within Algeria. | Fully on-premise deployment on your own infrastructure within Algeria. No cloud hosting, no offshore processing, no external servers. |
| Instruction 06-2025 (Bank of Algeria) | Payment service providers must host customer data domestically and cannot use foreign cloud services for KYC processing. | Zero internet dependency during operation. No external API calls, no cloud processing, no outbound connections of any kind after deployment. |
| Law 05-01 (Feb. 6, 2005, amended) | Financial institutions and obligated entities must verify customer identity before establishing a business relationship, with documented evidence and audit trails. | Provides the complete KYC pipeline — document verification, biometric matching, liveness detection, risk scoring — with full audit trails stored in your database. |
Why cloud SaaS alternatives cannot comply
Global SaaS identity verification providers (operating from the US, EU, or elsewhere) process biometric and identity data on servers located outside Algeria. This directly violates Law 18-07's data sovereignty provisions, Regulation 24-64's domestic hosting requirement, and Instruction 06-2025's prohibition on foreign cloud processing for PSPs. There is no contractual arrangement that makes a foreign-hosted service compliant — the legal requirement is physical hosting within Algeria under the data controller's own infrastructure.
02
Data Residency
With Assurique, data residency is not a configuration option or a contractual promise — it is a technical impossibility for data to leave your infrastructure, because the software was designed to operate with zero outbound connectivity.
Your infrastructure
Deployed as Docker containers on servers you own and operate. Data never leaves your network perimeter, whether for processing, storage, or telemetry.
Zero outbound connections
After deployment, no network connections are made to Assurique servers, third-party APIs, or any external service. The system is fully air-gappable.
No data processor relationship
Because Assurique never receives, processes, or stores any of your end-user data, we do not act as a data processor. No Data Processing Agreement is required or applicable.
Your retention policies apply
You control how long verification data is stored, who can access it, and when it is deleted — according to your own data protection policies and regulatory obligations.
What data stays on your infrastructure
03
Data Encryption
All sensitive components of the Assurique platform are protected with industry-standard cryptography. Article 40 of Law 18-07 requires appropriate technical security measures — we implement them at every layer.
Encryption standards
API authentication
Server-to-server communication uses API keys. SDK sessions use short-lived JWT Bearer tokens — no long-lived credentials exist on user devices.
Webhook security
All webhook notifications are signed with HMAC-SHA256, allowing your backend to verify that events originate from your own Assurique instance.
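A receiver-side check for the HMAC-SHA256 webhook signatures described above, as an added example that is not Assurique's own code. The page does not specify the signature header or encoding, so the hex digest over the raw request body, the two-secret rotation list, the event fields and all sample values here are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample secrets (current and previous, to allow rotation).
# A real deployment uses the secret configured in its own instance.
WEBHOOK_SECRETS = [b"constructed-current-secret", b"constructed-previous-secret"]


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (assumed encoding)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header, secrets=WEBHOOK_SECRETS):
    """Return the parsed event if the signature is valid, else None.

    The MAC is checked over the raw bytes before any JSON parsing, so an
    unauthenticated payload never reaches the parser or business logic.
    """
    if not signature_header:
        return None
    received = signature_header.strip().lower()
    # Reject anything that is not a 64-character hex digest up front.
    if len(received) != 64 or any(c not in "0123456789abcdef" for c in received):
        return None
    # Try every active secret; compare_digest runs in constant time.
    valid = False
    for secret in secrets:
        if hmac.compare_digest(sign(secret, raw_body), received):
            valid = True
    if not valid:
        return None
    try:
        return json.loads(raw_body)
    except ValueError:
        return None


# Constructed event body, signed the way the sending side is assumed to.
BODY = b'{"event":"verification.completed","id":"constructed-123"}'
GOOD_SIG = sign(WEBHOOK_SECRETS[0], BODY)
```

Pass the request body exactly as received; re-serializing parsed JSON before verification changes the bytes and makes valid signatures fail.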
04
Audit Logs
Law 05-01 requires financial institutions to maintain documented evidence of every identity verification performed. Assurique generates a complete, immutable audit trail for every verification — stored in your PostgreSQL database, accessible through the operator dashboard and directly via the API.
What every verification record captures
Accessing audit data
Operator dashboard
Web-based interface for reviewing individual verifications, filtering by outcome, date, and operator. Supports manual review and approval workflows.
REST API
Retrieve verification records programmatically via GET /verifications/{id}/decision and list endpoints with filtering.
Direct database
All data is stored in your PostgreSQL instance. Your DBA or compliance team can query it directly for custom reporting or regulatory audits.
05
KYC & AML Obligations
Law 05-01 (as amended) obligates banks, financial institutions, insurance companies, notaries, and other designated entities to verify the identity of customers before establishing any business relationship. The complete Assurique digital KYC pipeline satisfies every element of this obligation.
Identity verification before business relationship
Assurique verifies the identity of individuals in under 8 seconds using document OCR and/or NFC chip reading, with biometric face matching and liveness detection to confirm physical presence.
Verification of document authenticity
ML-based document authenticity analysis detects photocopies, screen recaptures, and digitally edited documents. NFC verification provides cryptographic proof of document genuineness (Passive + Active Authentication).
Documented evidence with retained records
Every verification generates a comprehensive audit record retained in your database — including extracted identity data, verification method, individual check results, and final decision with timestamp.
Risk-based approach
The multi-factor risk engine assigns weighted scores across document authenticity (30%), biometric match (60%), and behavioral signals (10%). Thresholds are configurable, and borderline cases can be routed to manual review operators.
Tiered KYC for PSPs (Instruction 06-2025)
Instruction 06-2025 introduces tiered KYC requirements for payment service providers with different verification thresholds per wallet tier. Assurique supports configurable verification routes and risk thresholds, making it straightforward to implement Tier 1 (self-declaration), Tier 2 (document OCR), and Tier 3 (full NFC + biometric) verification flows within a single deployment.
06
You as Data Controller
Because Assurique runs entirely on your infrastructure and no data is shared with us, you are the sole data controller under Law 18-07. This means your compliance posture is entirely within your own control.
Your responsibilities
What Assurique provides
07
Certifications
Actively pursuing formal certifications
We are actively pursuing relevant security and regulatory certifications. Contact us for the current status of our certification roadmap and to receive supporting documentation for your own compliance or procurement process.
In the meantime, the on-premise architecture itself provides the strongest possible compliance guarantee: data sovereignty through technical design, not through contractual promises that rely on third-party enforcement.
08
For Your Compliance Team
If you are a compliance officer, legal counsel, or procurement manager evaluating Assurique, here is a summary of what we can provide:
Available on request
Technical architecture documentation
Data flow diagrams, infrastructure topology, and network isolation documentation confirming zero external connections
Regulatory compliance mapping
Detailed mapping of product features to specific articles of Law 18-07, Regulation 24-64, Instruction 06-2025, and Law 05-01
Sample audit log schema
Database schema and sample records for your legal team's review of the audit trail structure
Proof-of-concept deployment
A PoC deployment on your own infrastructure, available to qualified organizations — test the full pipeline in your environment
Compliance briefing call
A dedicated call with our team to walk through architecture, answer regulatory questions, and support your internal approval process
