EP-MEL-19 — Compliance & Regulatory (Tax, KYC, Audit Logs)
Companion: Backlog README · EPICS.md · canonical: 07-epics-and-user-stories.md §21
Summary
| Wave | R1 (+ jurisdiction matrix in R3; DSAR in R3) |
| Priority | P0 |
| Primary owner | pricing-service (tax engine) + iam-service (KYC) + audit-service (audit logs) |
| Participating services | billing-service, reporting-service, analytics-service, tenant-service |
| Journeys realised | J-12 (Reporting), J-19 (Compliance check) |
| Workflows | WF-12 |
| Frontend surfaces | Electron Desktop · Control Plane |
| Story count | 5 |
Outcome
Tax computed per jurisdiction with snapshot rules; KYC enforced for tenants in regulated markets; audit log immutable with daily Merkle anchoring for tamper-evidence; data residency enforced at storage and routing; GDPR-style erasure (Phase 2 / R3).
Cross-cutting AC for this epic
- Tax rules versioned; rule changes do not retroactively change historical invoices.
- KYC documents stored in file-storage-service with double-encryption + tenant-prefix isolation.
- Audit log Merkle root anchored daily to a tamper-evident store; verification routine exists.
- Residency enforced at infra layer (region pin) and verified at application layer.
Stories
| ID | Title |
|---|---|
| US-MEL-0139 | Tax engine with jurisdiction rules |
| US-MEL-0140 | KYC for tenants in regulated markets |
| US-MEL-0141 | Immutable audit log with daily Merkle anchoring |
| US-MEL-0142 | Data residency enforcement |
| US-MEL-0143 | GDPR-style data subject erasure (Phase 2 — R3) |
Full AC in ../07-epics-and-user-stories.md §21.
Cross-references
- Security & multi-tenancy: ../07-security-compliance-tenancy.md
- Reporting epic: EP-MEL-13.md
- Definition of Done (Security section): ../standards/DEFINITION_OF_DONE.md