Customer T&Cs
Versioned terms with required-acceptance signals. Field-level RBAC so legal owns the binding text, customer-experience owns the framing.
— solutions · banking
The CMS for European banks.
Banks and payment institutions in DORA scope have until 17 January 2025 — and every quarter thereafter — to demonstrate operational resilience to their supervisor. Estøkad is the CMS where that demonstration is a download, not a quarterly project. The evidence already exists in the audit chain; the pack assembles from it.
— the regulators in scope
What you're held to.
| Framework | What it requires |
|---|---|
DORA | In scope as of 17 January 2025 for credit institutions, payment institutions, and e-money institutions. Evidence pack on demand. |
MiFID II | Costs and charges disclosures, suitability statements, product governance — every customer-facing surface needs traceable provenance. |
PSD2 | API documentation + customer authentication notices. Multi-locale variants per market with audit-locked publish. |
EBA Guidelines | Outsourcing arrangements (EBA/GL/2019/02) — sub-processor register that the supervisor can read without follow-up requests. |
— the workflows
What ships through Estøkad.
MiFID II disclosures
KIDs and PRIIPs documents with per-product workflow. Approval gate enforces four-eyes. Audit chain proves who shipped what when.
PSD2 API docs
Developer-facing reference with locale variants per market. Cross-references between regulatory disclosure and the technical spec.
In-app banking content
Onboarding, KYC notices, dispute flows. Visual edit overlay lets product managers iterate without touching engineering.
— why Estøkad fits
The wedge for this industry.
For a bank the constraint is jurisdictional and procedural. The vendor must be in EU jurisdiction. The data must stay in the country chosen at signup. The audit trail must hold against a regulator's scrutiny. Estøkad is built so each of those is a default — not a configuration step that an engineer might forget.
The audit chain is append-only with cryptographic Merkle roots. Each chain head is signed by the workspace's region-specific KMS key; verifiers validate end-to-end. The DORA evidence pack pulls from this chain to assemble the third- party register, the incident log, and the residency proofs into a single download.
Field-level RBAC lets legal own the binding text without locking out the customer-experience team from iterating around it. Approval workflows gate every publish — the four-eyes rule, enforced.
— how to start
The path to production.
Banking customers typically start on the Regulated preset (€1,699/mo) and upgrade to Enterprise (€2,999/mo) when they need multi-space for their corporate vs retail vs investment-banking surfaces. Belgian banks usually add the €499/mo Belgium residency module; Luxembourgish institutions add the EU residency module to land in eu-lux-1 rather than the default Frankfurt.
The audit-retention 7y module (€129/mo) is standard for any institution with a 7-year regulatory retention requirement. The DORA pack itself is included in the Regulated preset; standalone it's €399/mo.