compliance · mica · eu

Compliant by design.

tools402 is built on three structural choices that, in our reading, place us outside MiCA's licensing perimeter: wallet-only identity (no KYC), a sub-24h custodial window, and a fixed take rate (3 % paywall · 4 % proxy). This is not legal advice — verify with your own counsel for your specific jurisdiction.


mica stance

Our reading of MiCA and CASP licensing.

Based on our reading of MiCA (Regulation EU 2023/1114, in force since 30 December 2024), these structural choices place tools402 outside the CASP licensing perimeter. This is not legal advice. MiCA applies to issuers of crypto-assets and to crypto-asset service providers (CASPs). Marketplaces that custody funds or operate exchange services generally need to register as a CASP. tools402 deliberately avoids both perimeters.

Wallet-only identity — no PII collected. Buyers sign with their wallet on Base, Polygon, or Solana. Sellers register via EIP-712 signature on their wallet address + chosen slug. We never ask for name, email, address, or document. Our database stores wallet addresses and slugs, nothing else.
Sub-24h custodial window on sell-side. Buyer pays directly to our primary self-custody recipient 0xD6E8…2878 (EVM) or Gt9EC4…U8w8 (Solana) per chain — see data.js / /v1/_meta. Sell-side settlement runs daily at 00:00 UTC. The longest any seller's funds sit under our control is one calendar day — short enough to stay outside CASP custody thresholds in most EU member-state interpretations.
Take rate: 3 % paywall · 4 % proxy. Seller-side only — paywall mode (seller hosts) is 3 %; proxy mode (tools402 relays) is 4 %. Both rates are fixed in src/middleware/x402.ts. We are a marketplace facilitator, not an exchange with variable fees.
No fiat on-ramp or off-ramp. tools402 only routes USDC on Base, Polygon, and Solana (buyer payment live on all three). Conversion to fiat is the user's responsibility (Coinbase, Kraken, Wise, Revolut, etc.). We are not a fiat gateway.
USDC = e-money token, not "asset-referenced token". Circle's USDC qualifies as an EMT under MiCA Art. 48 (issued by a credit institution or e-money institution). Holding and transferring USDC is permitted to non-licensed entities under the EMT regime — no MiCA license needed on our side just to route it.
We do not claim CASP exemption. If we ever crossed €350k revenue from custodial operations OR started fiat conversion OR offered an order book, we would need to register. That day is not today. We monitor our take rate × volume monthly and will register proactively if any threshold approaches.

No KYC. No custodial > 24h. 3% paywall · 4% proxy. Three structural choices — our reading, not legal advice.

tax · eu

VAT and seller-side reporting.

VAT on the buy-side

tools402 is in a pre-commercial experimental phase: no VAT is invoiced today and no entity has been incorporated yet. When commercial operations begin, applicable VAT rules will be published here. The take rate is collected only as USDC on-chain; we hold no fiat balances.

VAT on the sell-side (community)

Each community seller is responsible for their own VAT registration in their country of establishment. tools402 issues a transparent settlement record (/v1/_seller/<wallet>/stats?sig=…) that sellers can use as the basis for their own filings. We do not collect VAT on the seller's behalf.

1099 / US reporting

If we onboard sellers established in the US, we report 1099-K thresholds (currently $5 000 / 50 transactions per IRS 2024 guidance). Wallet-only sign-up means we can't issue 1099s automatically. Sellers who want a 1099 must opt in through a manual KYC flow that is not enabled by default.

custodial wallet · hot key rotation

How sell-side custody actually works.

Sell-side payments batch through CDP managed settlement (Option A — no raw private key on VPS) for at most 24 hours. Concretely:

  • Buyer pays our primary self-custody recipient 0xD6E8aF2F65B4C9ACC7BF14A3096056e89E312878 (EVM chains) or Solana pubkey Gt9EC4XYqD9pUmTFAfBy9b3gbGG8eiv3ZNLMLCuyU8w8 — canonical in data.js
  • Internal ledger credits the seller's wallet minus the 3 % paywall / 4 % proxy take rate (src/middleware/x402.ts)
  • Cron job runs at 00:00 UTC daily via a systemd timer
  • Settlement via CDP Project 3 managed TEE (Smart Account 0x7725…42AA on Base, Solana EOA CDP on SOL) — separate from buyer-facing recipients
  • A pre-batch check of the hot wallet balance alerts via Sentry if the balance is insufficient (gas + reserve)
  • Dust threshold $1 USDC — amounts below carry over to the next window
  • Idempotence via MAX(window_end_ts) in the settlements table; retry 3× with exponential backoff
  • Gas absorbed by tools402 (~$0.005 per Base transfer)
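
The batch logic in the list above, as an added sketch that is not tools402's own code: it shows how the MAX(window_end_ts) check makes a retried run a no-op and how sub-$1 balances carry into the next window. The names (`Sale`, `settleWindow`, `carry`), the in-memory stand-in for the settlements table, integer base-unit amounts and fee rounding up are all assumptions.

```typescript
// Added example, not tools402 code. Amounts are integers in USDC base units (6 decimals).
type Mode = "paywall" | "proxy";
interface Sale { seller: string; mode: Mode; amount: number; ts: number } // ts: unix seconds
type Balances = Record<string, number>;
interface Settlement { windowEndTs: number; payouts: Balances }

const TAKE_BPS: Record<Mode, number> = { paywall: 300, proxy: 400 }; // 3 % / 4 % (from the page)
const DUST = 1_000_000; // $1 USDC dust threshold (from the page)

// Net credit for one sale. The fee rounds up, so credits never exceed what was paid in.
function netCredit(s: Sale): number {
  return s.amount - Math.ceil((s.amount * TAKE_BPS[s.mode]) / 10_000);
}

// Settle the window ending at windowEndTs.
// `settled` stands in for the settlements table, `carry` for sub-dust balances (mutated).
// Returns null when that window is already recorded, so a retried run cannot pay twice.
function settleWindow(
  sales: Sale[], settled: Settlement[], carry: Balances, windowEndTs: number,
): Settlement | null {
  // Equivalent of SELECT MAX(window_end_ts) FROM settlements
  const lastEnd = settled.reduce((m, s) => Math.max(m, s.windowEndTs), 0);
  if (windowEndTs <= lastEnd) return null;

  const due: Balances = { ...carry }; // start from dust carried over
  for (const s of sales) {
    if (s.ts <= lastEnd || s.ts > windowEndTs) continue; // window is (lastEnd, windowEndTs]
    due[s.seller] = (due[s.seller] ?? 0) + netCredit(s);
  }
  const payouts: Balances = {};
  for (const seller of Object.keys(carry)) delete carry[seller];
  for (const seller of Object.keys(due)) {
    const amt = due[seller] ?? 0;
    if (amt >= DUST) payouts[seller] = amt; // pay out
    else carry[seller] = amt;               // below dust: rolls into the next window
  }
  const rec: Settlement = { windowEndTs, payouts };
  settled.push(rec); // in a database, commit this row atomically with the payout records
  return rec;
}
```

Because the window is recorded in the same step that fixes the payouts, the three retries mentioned above can re-enter `settleWindow` safely: the second call for the same `windowEndTs` returns null and leaves `carry` untouched.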

The settlement key is held in our infrastructure with strict access control. The recipient wallet and the settlement wallet are structurally separate — we audit this separation as part of Sprint 14 (48-hour burn-in security audit).

Disclaimer. This page is a description of our operational choices, not legal advice. Crypto-asset regulation is evolving fast — what is compliant in May 2026 may not be in 2027. Verify with your own counsel before relying on any of this. We document our stance to be transparent; we don't certify it.