A unified compliance portal centralising regulatory reporting, audit trails, and data encryption management for a financial services firm navigating multi-region regulations.
Finora Financial provides B2B payment processing and treasury management APIs to fintech companies across Europe and North America. Operating at the intersection of multiple regulatory frameworks — GDPR for European customer data, SOC 2 for security controls, and PCI-DSS for payment card data — Finora's compliance team was stretched thin. Audit preparation required weeks of manual evidence gathering across engineering, operations, and legal teams. Encryption key management was decentralised, with different teams using different tools and practices. KumoDevs was engaged to build a unified compliance portal that would centralise compliance operations, automate evidence collection, and provide real-time visibility into control effectiveness across all three regulatory frameworks.
Finora was juggling GDPR, SOC 2, and PCI-DSS compliance across three product lines with fragmented documentation, manual audit prep, and no central encryption key management.
Built a compliance hub with automated evidence collection, real-time compliance dashboards, centralised key management via HashiCorp Vault, and structured audit-ready reporting across all regulatory frameworks.
KumoDevs started by mapping every control across GDPR, SOC 2, and PCI-DSS into a unified control framework, identifying overlaps and gaps. We then built the compliance portal around three pillars: automated evidence collection, centralised key management, and audit-ready reporting. The evidence engine connects to Finora's AWS infrastructure, Datadog monitoring, GitHub repositories, and HR systems to automatically collect and timestamp evidence artifacts. The key management module centralises encryption key lifecycle management through HashiCorp Vault, with automatic rotation policies and access auditing. The reporting engine generates structured compliance reports mapped to each regulatory framework with one click. We implemented role-based access controls so that engineers, compliance officers, and auditors each see only what they need.
Mapped all 180+ controls across GDPR, SOC 2, and PCI-DSS into a unified framework, identifying 65 overlaps and 23 gaps that required new controls.
Built connectors to AWS CloudTrail, Datadog, GitHub Actions, and BambooHR for automated evidence collection with cryptographic timestamping.
Deployed HashiCorp Vault in a multi-datacenter configuration, integrated with AWS KMS for envelope encryption, and built the key rotation scheduling system.
Developed the Next.js compliance portal with real-time dashboards, report generation, and automated evidence package assembly for each framework.
Ran a 4-week pilot with 2 product lines, validated 100% of controls, and refined evidence collection rules based on auditor feedback from a mock audit.
Rolled out to all 3 product lines, supported Finora through their SOC 2 Type II audit with real-time evidence access for auditors, achieving zero findings.
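The evidence engine described above collects artifacts from CloudTrail, GitHub Actions, Datadog and BambooHR and timestamps them so that an auditor can trust that nothing was altered or backdated after collection. The block below is an added illustration of that idea and is not KumoDevs' or Finora's code; it assumes a simplified design in which each artifact is reduced to a record (source system, unified control ID, collection time, SHA-256 of the raw artifact), records are linked in a hash chain, and each link is sealed with an HMAC under a key the collector holds. The control IDs, the key and the sample artifacts are all constructed for the example. Sealing with a collector-held key makes the chain tamper-evident against anyone who does not hold that key; a production system would additionally anchor the chain head to an external time source such as an RFC 3161 timestamp authority so that the collector itself cannot backdate entries or silently truncate the tail.

```python
"""Tamper-evident evidence chain (added example, not the portal's own code).

Assumed record shape: seq, source, control_id, collected_at, artifact_sha256,
prev (previous link), sealed by an HMAC-SHA256 "link" under a collector key.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value the first record chains to

# Constructed demo key and artifacts; control IDs are hypothetical.
SAMPLE_KEY = b"demo-collector-key-do-not-use"
SAMPLE_ARTIFACTS = [
    ("aws_cloudtrail", "UC-042", b'{"eventName":"ConsoleLogin","mfaUsed":"Yes"}',
     "2024-03-01T09:00:00Z"),
    ("github_actions", "UC-087", b"run-id=1234 status=success reviewers=2",
     "2024-03-01T09:05:00Z"),
    ("bamboohr", "UC-113", b"employee=E-0042 background_check=complete",
     "2024-03-01T09:10:00Z"),
]


def canonical(record: dict) -> bytes:
    """Deterministic JSON so the HMAC covers the same bytes on every verify."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def artifact_digest(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def append_evidence(chain: list, key: bytes, source: str, control_id: str,
                    raw_artifact: bytes, collected_at: str) -> dict:
    """Append one evidence record, binding it to the previous link."""
    prev = chain[-1]["link"] if chain else GENESIS
    record = {
        "seq": len(chain),
        "source": source,
        "control_id": control_id,
        "collected_at": collected_at,
        "artifact_sha256": artifact_digest(raw_artifact),
        "prev": prev,
    }
    link = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    entry = dict(record, link=link)
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (True, -1) if intact, else (False, index_of_first_bad_entry).

    Catches edited fields (HMAC mismatch), reordering or deletion of entries
    (seq/prev mismatch) and use of the wrong key. Truncation of the tail is
    only detectable if the latest link is anchored externally.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: v for k, v in entry.items() if k != "link"}
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["link"]):
            return False, i
        prev = entry["link"]
    return True, -1


def verify_artifact(entry: dict, raw: bytes) -> bool:
    """Check a stored raw artifact still matches the digest in its record."""
    return hmac.compare_digest(entry["artifact_sha256"], artifact_digest(raw))


def build_sample_chain(key: bytes = SAMPLE_KEY) -> list:
    chain = []
    for source, control, raw, ts in SAMPLE_ARTIFACTS:
        append_evidence(chain, key, source, control, raw, ts)
    return chain


def tampered_sample_chain(key: bytes = SAMPLE_KEY) -> list:
    """Backdate the second record after collection; verify_chain flags it."""
    chain = build_sample_chain(key)
    chain[1]["collected_at"] = "2024-02-01T09:05:00Z"
    return chain


if __name__ == "__main__":
    good = build_sample_chain()
    print("intact chain:", verify_chain(good, SAMPLE_KEY))
    print("backdated chain:", verify_chain(tampered_sample_chain(), SAMPLE_KEY))
```

Keep the collector key in Vault rather than with the evidence store, and give auditors read access to the chain plus the verification routine, not the key; that way the people who can read the evidence are not the people who could reseal it.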
“Compliance used to be our biggest headache — weeks of frantic preparation before every audit, manual evidence gathering across a dozen systems, and constant anxiety about what we might have missed. The KumoDevs platform completely changed that. Our SOC 2 audit was the smoothest process we've ever been through, and our compliance team can finally be proactive instead of reactive.”
Built as a Next.js application with server-side rendering for compliance dashboards and real-time WebSocket updates for monitoring alerts. PostgreSQL stores control mappings, evidence metadata, and audit trails with row-level security isolating data by product line. HashiCorp Vault manages encryption keys with automatic rotation policies, while AWS KMS handles envelope encryption for data at rest. Infrastructure is fully Terraform-managed with immutable deployments and audit-logged access.
Expand support for SOX and ISO 27001 frameworks, add AI-driven control gap analysis that proactively identifies compliance risks, and develop a vendor risk assessment module.