  • SOC 2 Type II (In Process): Service Organization Control 2 certification for security, availability, and confidentiality
  • Law 172-13 (Compliant): Law No. 172-13 — Dominican Republic Comprehensive Personal Data Protection Law
  • GDPR-Aligned (Aligned): GDPR-equivalent data protection practices — infrastructure hosted in Germany, GDPR standards applied voluntarily
  • Law 183-02 (Compliant): Law No. 183-02 — Dominican Republic Monetary and Financial Law
  • PCI DSS (In Process): Payment Card Industry Data Security Standard
  • ISO 27001 (In Progress): Information Security Management System certification

Regulatory Compliance

HipoTech is incorporated under the laws of the Dominican Republic and operates within the Dominican regulatory framework as its primary jurisdiction. Our compliance program is designed to protect customer data, maintain the integrity of our technology gateway model, and meet the requirements of each jurisdiction we enter as we expand internationally.

1. Data Protection — Dominican Republic

Law No. 172-13 — Comprehensive Protection of Personal Data

As a Dominican company, our primary data protection obligation is Law No. 172-13. Our compliance includes:

  • Explicit consent from data subjects before collection and processing (Article 76)
  • International transfer consent under Article 80 — users explicitly consent to data storage in Germany at registration
  • Habeas Data rights — access, rectification, cancellation, and opposition (Article 17)
  • Purpose limitation — data collected solely for mortgage application processing
  • Five-year data retention aligned with financial record-keeping requirements
  • Security measures proportionate to the sensitivity of financial and identity data

GDPR-Equivalent Practices

Our infrastructure is operated by Hetzner Online GmbH in Germany, an EU member state subject to GDPR. We voluntarily apply GDPR-equivalent standards, including:

  • Lawful basis for all data processing activities
  • Data subject rights equivalent to GDPR: access, rectification, erasure, and portability
  • Data Protection Impact Assessments for high-risk processing activities
  • Privacy by Design principles applied throughout the platform
  • Data breach notification procedures aligned with the 72-hour GDPR standard

2. Financial Services Compliance — Dominican Republic

Law No. 183-02 — Monetary and Financial Law

HipoTech operates as a technology gateway and not as a regulated financial intermediary under Law 183-02. Our compliance includes:

  • Maintaining the automated, non-advisory nature of the platform — no credit recommendations or lending decisions
  • Full transparency in commercial arrangements with partner banks, including finder fee disclosure in Terms of Service
  • Applicant data protection consistent with Superintendency of Banks requirements
  • AML-awareness measures appropriate for a technology gateway operator

Non-Discriminatory Platform Practices

HipoTech is committed to equal access to mortgage services:

  • Applications submitted to all eligible banks simultaneously — no bank is favoured or excluded based on any protected characteristic
  • Eligibility assessment is based solely on published bank criteria — no HipoTech discretion is applied
  • The automated Document Underwriter applies the same process uniformly to every application
  • Pricing is uniform — all applicants in the same tier pay the same fees regardless of background

3. Security Certifications

SOC 2 Type II

We are pursuing SOC 2 Type II certification, which will validate:

  • Security: Protection against unauthorized access
  • Availability: System reliability and uptime commitments
  • Processing Integrity: Accurate and complete application processing
  • Confidentiality: Protection of applicant and bank confidential information
  • Privacy: Appropriate handling of personal and financial data

Current status: audit in progress. Contact [email protected] for an update.

PCI DSS

We are working toward PCI DSS compliance for payment card processing. Current measures in place:

  • All payment processing handled via PCI-certified third-party providers — cardholder data never touches HipoTech servers
  • TLS 1.3 encryption for all payment flows
  • Strict access control and network segmentation for payment-adjacent systems
  • Regular vulnerability scanning of payment-related infrastructure
  • PCI DSS formal certification planned as transaction volume grows

ISO 27001

We are working toward ISO 27001 certification for our Information Security Management System:

  • Risk assessment and treatment across all information assets
  • Documented security policies and procedures
  • Incident management and business continuity planning
  • Continuous improvement through regular internal and external audits
  • Third-party validation by accredited certification body

4. Anti-Money Laundering (AML) & Identity Verification

HipoTech implements AML-awareness measures appropriate for a technology gateway. Formal AML obligations rest with our partner banks, which conduct their own KYC and AML procedures on all applications received. Our platform-level measures include:

  • Identity verification at registration — full name, national ID (cédula), and contact details required
  • Credit bureau integration for identity cross-referencing
  • Automated document consistency checks — name, date of birth, and employer cross-referenced across uploaded documents by the Document Underwriter
  • All application and payment records retained for a minimum of five years
  • Document consistency flags reported to partner banks via the Conditions Report

5. Internal Controls & Audit

We maintain robust internal controls to ensure platform integrity and data security:

  • Automated exception tracking and anomaly detection active at all times
  • Comprehensive audit logging — all administrative actions and data access events are recorded and tamper-evident
  • Sealed Secrets for credential management — no plaintext secrets in source repositories
  • GCP KMS envelope encryption for all documents in the vault
  • Incident response planning and scheduled security reviews

6. Operational Integrity

HipoTech maintains strict operational standards that underpin its legal position as a technology gateway:

  • The Document Underwriter is 100% automated — no HipoTech employee or contractor reviews applicant documents at any stage
  • All bank agreements are signed in HipoTech's name — the licensee model does not transfer bank contracting rights
  • Finder fee arrangements with banks are disclosed to applicants in the Terms of Service and do not influence which banks receive applications
  • Platform fees are sourced from live configuration — never hardcoded in the interface
  • Multi-factor authentication is available for all user accounts

7. Third-Party Risk Management

All infrastructure providers and service partners are selected and reviewed for security and data protection compliance:

  • Hetzner Online GmbH (Germany) — ISO 27001 certified data centres; subject to GDPR as data processor under our processing agreement
  • Google Cloud KMS — envelope encryption key management; SOC 2 Type II and ISO 27001 certified
  • Cloudflare — DDoS mitigation, TLS termination, and email routing; SOC 2 Type II certified
  • DeepL — translation API; GDPR compliant; processing confined to EU infrastructure
  • Data processing agreements in place with all providers that handle personal data

8. Compliance Roadmap

2026–2027 Compliance Goals:

  • Complete SOC 2 Type II audit and obtain certification
  • Begin ISO 27001 gap analysis and implement ISMS documentation
  • Complete ISO 27001 certification audit
  • Prepare country-specific compliance framework for Mexico market entry

9. Contact Our Compliance Team

For compliance-related inquiries or to report concerns:

HipoTech Compliance

Email: [email protected]