Qonto

Qonto relies on the infrastructure hosting provider Amazon Web Services (AWS) for hosting services. AWS’ services are certified ISO 27001 annually.

Proof of their certification is available via this <a href="https://aws.amazon.com/en/compliance/iso-certified/" rel="nofollow noopener noreferrer" target="_blank">link</a>.

The ISO 27001 certification allows companies to demonstrate their security level. However, as a payment institution regulated by the ACPR, Qonto is already subject to various equally strict security requirements which are regularly monitored by the ACPR:

<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L2366&amp;from=EN#d1e1059-35-1" rel="nofollow noopener noreferrer" target="_blank">EU Directive 2015/2366 on Payment Services</a> (DSP2),

<a href="https://eba.europa.eu/sites/default/documents/files/documents/10180/2522896/32a28233-12f5-49c8-9bb5-f8744ccb4e92/Final%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf" rel="nofollow noopener noreferrer" target="_blank">EBA Guidelines on ICT and Security Risk Management</a>,

<a href="https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000043224871" rel="nofollow noopener noreferrer" target="_blank">Decree of 3 November 2014</a> and <a href="https://acpr.banque-france.fr/sites/default/files/media/2021/07/08/20210707_notice_risque_it.pdf" rel="nofollow noopener noreferrer" target="_blank">notice on IT risk management</a> of 7 July 2021 published by the ACPR,

<a href="https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32022R2554" rel="nofollow noopener noreferrer" target="_blank">Digital Operational Resilience Act (DORA)</a> Regulation 2022/2554, which will enter into force in 2025.

- <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L2366&amp;from=EN#d1e1059-35-1" rel="nofollow noopener noreferrer" target="_blank">EU Directive 2015/2366 on Payment Services</a> (DSP2),
- <a href="https://eba.europa.eu/sites/default/documents/files/documents/10180/2522896/32a28233-12f5-49c8-9bb5-f8744ccb4e92/Final%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf" rel="nofollow noopener noreferrer" target="_blank">EBA Guidelines on ICT and Security Risk Management</a>,
- <a href="https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000043224871" rel="nofollow noopener noreferrer" target="_blank">Decree of 3 November 2014</a> and <a href="https://acpr.banque-france.fr/sites/default/files/media/2021/07/08/20210707_notice_risque_it.pdf" rel="nofollow noopener noreferrer" target="_blank">notice on IT risk management</a> of 7 July 2021 published by the ACPR,
- Compliance with PCI DSS security rules
- <a href="https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32022R2554" rel="nofollow noopener noreferrer" target="_blank">Digital Operational Resilience Act (DORA)</a> Regulation 2022/2554, which will enter into force in 2025.