The platform

Financial-grade engineering for a regulated product.

Every design decision answers one question: can we prove this to a regulator, an auditor and a customer? The result is a platform where going live is a configuration change — not an architecture change.

Two-stack architecture

A boundary the code will not let you cross.

The platform is split into two independently deployable stacks with a deliberate wall between them. The customer-facing stack holds all personal data, collects local currency and runs every compliance control. The execution stack — the only place that ever touches the international exchange — sees nothing but opaque references and USD amounts.

The boundary is not a policy. It is enforced in the schema and in tests: the execution side has no columns that could hold a name, phone or ID, and the intent receiver rejects any payload that looks like personal data.

  • Signed, replay-proof channel — every internal message carries an HMAC, a nonce and a timestamp window.
  • Opaque user references — the exchange side keys on UUIDs, never identities.
  • Least privilege by construction — exchange credentials exist in exactly one stack.
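A sketch of the receiving side of such a channel, added here as an illustration and not taken from the platform's code. The message field names, the 300-second window, the HMAC-SHA256 choice and the PII deny-list are all assumptions.

```python
import hashlib, hmac, json, time, uuid

WINDOW_SECONDS = 300  # assumed acceptance window; the page gives no figure
PII_KEYS = {"name", "phone", "email", "national_id", "address"}  # assumed deny-list

def canonical(body, nonce, ts):
    # Deterministic encoding so both stacks MAC exactly the same bytes.
    doc = {"body": body, "nonce": nonce, "ts": ts}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign_intent(key, body, nonce=None, ts=None):
    nonce = nonce or uuid.uuid4().hex
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(key, canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}

class IntentReceiver:
    def __init__(self, key, window=WINDOW_SECONDS):
        self.key, self.window = key, window
        self.seen = {}  # nonce -> timestamp; a real deployment needs a shared store

    def accept(self, msg, now=None):
        now = int(time.time()) if now is None else now
        try:
            body, nonce, ts, mac = msg["body"], msg["nonce"], msg["ts"], msg["mac"]
        except (KeyError, TypeError):
            return "malformed"
        if not (isinstance(body, dict) and isinstance(nonce, str)
                and isinstance(ts, int) and isinstance(mac, str)):
            return "malformed"
        # Authenticate first: nothing else in the message is trusted until the MAC holds.
        good = hmac.new(self.key, canonical(body, nonce, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good.encode(), mac.encode()):
            return "bad_mac"
        if abs(now - ts) > self.window:
            return "stale"
        # A nonce only has to be remembered while its timestamp is still acceptable.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if nonce in self.seen:
            return "replay"
        # The boundary check: refuse any field name that could carry personal data.
        if PII_KEYS & {str(k).lower() for k in body}:
            return "pii_rejected"
        self.seen[nonce] = ts
        return "accepted"
```

The timestamp window is what bounds the nonce cache: a replay older than the window fails the freshness check, so expired nonces can be dropped safely.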

Core capabilities

Eight systems, one auditable whole.

01 KYC & identity

Pluggable identity verification (local or global vendors) with age and residency checks at onboarding — behind a single provider interface.

02 AML & sanctions

Screening, risk scoring and velocity monitoring with escalation hooks, producing the records a compliance officer needs on demand.

03 FX engine

Rate-locked LKR↔USD quotes that are single-use and time-boxed — the customer transacts at exactly the rate they were shown.

04 Position ledger

Double-checked, decimal-exact accounting of balances, reservations, positions and payouts. No floating-point money, ever.

05 Aggregation & allocation

Customer intents are aggregated into an omnibus order and fills are distributed pro-rata with largest-remainder rounding — no invented or lost contracts.

06 Reconciliation

Resolutions and payouts are reconciled back to every position automatically, with breaks surfaced rather than absorbed.

07 Settlement batcher

Nets a whole period into one instruction, generates a regulator-ready export, and waits for human authorisation. It never auto-executes.

08 Audit log

A hash-chained, append-only record with a verification routine that detects any tampering across the entire history.

End to end

How a single wager moves through the system.

Money is Decimal from the first cent to the last. The journey below is covered end-to-end by automated tests before any release ships.

1 · Onboard

Verified

The customer registers; identity, age and sanctions checks run and are recorded in the audit chain.

2 · Deposit at a locked rate

FX

A single-use quote fixes the LKR↔USD rate for five minutes; the deposit settles at exactly that rate or not at all.

3 · Place an intent

Signed

The wager becomes a signed order intent — carrying only an opaque reference — that crosses the boundary to the execution stack.

4 · Aggregate & execute

Omnibus

Intents in the window are pooled into one order to the regulated exchange; fills return for allocation.

5 · Allocate exactly

Pro-rata

Filled contracts are distributed so the sum of allocations equals the fill precisely — no rounding leakage.

6 · Resolve & pay

Reconciled

When the event resolves, payouts flow back to each position and reconcile against the ledger.

7 · Settle & report

Netted

The period nets to one human-approved instruction with a regulator-ready export — and the whole chain verifies.

Built on a modern, boring-on-purpose stack

Proven components. No surprises in production.

  • Python · typed & async
  • Next.js customer app
  • PostgreSQL per jurisdiction
  • Decimal money
  • RSA-PSS request signing
  • HMAC + nonce replay guard
  • Hash-chained audit
  • Containerised runtime
  • Pluggable KYC / payment / FX
  • Automated money-path tests
  • CI on every change
  • Alembic migrations