We build the parts that don't yet need a license — and we tell you which parts do.
We build the engineering around a FinTech that hasn't picked up — or doesn't yet need — a regulatory license. Customer-facing apps and onboarding UX. Internal tooling for founders and ops teams. Integrations and orchestration around regulated vendors (Stripe, Onfido, ComplyAdvantage, banking-as-a-service providers). Data pipelines, analytics, and document extraction with human review. We are not the vendor that acts as the formal *provider* of a high-risk AI system under the EU AI Act, or that operates anything under your license. When your roadmap needs that, we say so before quoting.
Between idea and licensed operation, an EU FinTech typically has 6–18 months of building that mostly doesn't need to be regulated yet. Customer-facing apps. Internal dashboards. Integrations with already-licensed vendors. Data pipelines. Most engineering vendors don't know which parts those are — and the result is either over-scoping (paying enterprise prices for compliance scaffolding you don't need) or under-scoping (building features that have to be ripped out before authorization).
Big-4 consultancies are scoped for already-regulated buyers. Specialized RegTech firms sell to regulated operators. Other small studios understand modern web and AI engineering but not the regulatory map. Founders end up either explaining what 'PSD2 PISP' or 'crypto-asset service provider' means to their engineers, or paying €€€€ for a slide deck about what they should build.
We're a small Athens-based studio. We build well, we know modern web and AI patterns, and we read the regulatory landscape carefully enough to scope *around* it — not authorize it. We never act as the formal provider of an EU AI Act Annex III high-risk system (credit scoring, biometric ID, life or health insurance risk pricing). We never take work that requires a Notified Body certification we don't hold. We never build autonomous decisioning that moves customer money without an explicit human approval step. Where the EU AI Act, DORA, AMLD6, or MiCA actually bite, we'll say so before quoting — and point you at a regulatory counsel or a Notified Body before we point you at an SOW.
The interface and the flow. Signup, onboarding, dashboards. The KYC decisioning stays at your vendor; we own the UX that wraps it.
Admin panels, founder dashboards, case-management UIs, ops queues. The interfaces your team uses internally — outside the regulated boundary.
The connective engineering around third-party regulated vendors: KYC, AML, fraud, payments, banking-as-a-service. Request routing, retries, evidence collection, queue handoff.
Moving data between systems, building dashboards, assembling reports from primary data. No autonomous decisioning.
Structured extraction from KIDs, prospectuses, terms, and statements — routed to a human reviewer in your case management. We don't autonomously classify customers.
Retrieval over your policy documents, SOPs, and historical case notes for staff lookups. Not customer-facing, not decisioning.
Two to three weeks. We map the buyer question, the data, the regulatory shape, and what shipping looks like. Output is a written brief with a fixed-scope first phase.
A working slice end to end — the model, the integration, the UI, and the observability. Built to be evaluated, not to demo.
Production engineering: data contracts, decision logs, deployment, monitoring, runbooks. The thing your team can own after we leave.
Cutover, training, and a handover that includes the parts most teams skip — change-management notes, audit-ready docs, and a 30-day support window.
Mental Bound