Concedus Core — the regulatory engine under every vertical.

Modular multi-API architecture, AI-integrated operations, EU multi-region infrastructure. Built for MiFID II and MiCAR compliance with DORA/BAIT-aligned IT governance.

V2.5 · APRIL 2026 · CONTINUOUS RELEASE CADENCE
All systems operational · EU multi-region
v2.5 · MiCAR onboarding GA | v2.4 · Reporting webhooks | v2.3 · Custody endpoints
The core

One platform. Three verticals. One regulated perimeter.

Concedus Core is the central nervous system of the business — the proprietary regulatory engine that connects clients, products, partners, and regulators. It orchestrates every transaction, every onboarding step, every compliance check, and every regulatory report across the regulatory umbrella, private markets, and capital markets access verticals. Built in-house, EU-hosted, continuously released.

Architecture: Modular multi-API (Capital Markets + Alternatives)
Resilience: EU multi-region (full DR/BCP in place)
Compliance: DORA + BAIT (audit-ready by design)
Uptime: 99.99% target (EU multi-region failover)

Architecture

Modular multi-API. Shared regulatory core.

Rather than a single monolithic API, Concedus Core exposes dedicated API stacks for different use cases. Each stack evolves independently on its own release cadence, but all share the same regulatory core — the same client model, the same compliance engine, the same audit trail.

01 · API STACK

Capital Markets API

Used by: Embedded finance, neobanks, investment platforms
Handles: Investment approval, transaction monitoring, real-time compliance checks, end-user lifecycle
Integrates: Execution partners (e.g., Upvest), custodians, market data providers

02 · API STACK

Alternatives API

Used by: Tied agents, issuers, placement agents, fund managers
Handles: Product onboarding, investor classification, subscription processing, pre-marketing, NPPR notifications
Integrates: Paying agents, depositaries, fund administrators

Both APIs share the same client record, compliance engine, and audit trail. No duplication, no sync issues — one regulatory perimeter.

Compliance engine

Every regulatory check, programmatic.

The compliance engine runs the regulated part of every interaction. Each workflow is a documented, versioned, auditable pipeline — accessible via API, running in real time.

KYC & KYB

Individual and entity onboarding, identity verification via integrated ID partners. Multi-jurisdictional.

Client classification

Retail / professional / institutional classification per MiFID II, with opt-up handling and audit trail.

Suitability & appropriateness

§ 64 WpHG suitability (advisory) and § 63(10) WpHG appropriateness (execution-only) with non-complex carve-out logic.

AML, PEP & sanctions screening

Ongoing monitoring and screening against current sanctions and PEP lists. Integrated at every transaction.

Target-market alignment

Product governance under § 80 WpHG — target-market definition, distribution strategy alignment, deviation handling.

Cost disclosure & reporting

Ex-ante and ex-post cost transparency per § 63 WpHG. Regulatory reporting under § 83 WpHG retention rules.

Security & resilience

Built to the standards you'd audit us against.

DORA compliant

Full alignment with the Digital Operational Resilience Act. Third-party risk management, ICT risk framework, incident reporting — all embedded.

BAIT aligned

Bankaufsichtliche Anforderungen an die IT — the German banking IT supervisory standard. Written IT strategy, IT governance, information risk management.

EU multi-region resilience

Primary operations on EU-hosted cloud infrastructure with multi-region redundancy. RPO and RTO targets aligned with DORA thresholds.

No third-party dependencies

Built in-house, end-to-end. Regulatory logic, compliance workflows, and reporting all run on Concedus infrastructure — no external SaaS in the critical path.

API access

API access is granted on request.

Full API documentation — authentication, endpoints, webhooks, schema — is provided under a scoped access agreement. We don't publish complete reference docs publicly: different client segments see different surfaces, and the exact documentation depends on whether you're integrating as a tied agent, issuer, fund manager, or neobank.

Submit a brief scoping request and our team will provision access to the right documentation bundle, typically within two working days.

Submission data is retained for 90 days and used only for access provisioning. See Privacy policy.

Common questions

Platform — the usual questions

Why is API documentation on request, not public?
Different client segments (tied agents, issuers, fund managers, neobanks) use different API surfaces with different authentication, scope, and integration patterns. Rather than a generic public reference that misleads any specific audience, we provision scoped documentation bundles to qualified requesters.
What do the two API tracks (Capital Markets API, Alternatives API) have in common?
They share the same client record, the same compliance engine, and the same audit trail. A client onboarded via the Alternatives API can be served by the Capital Markets API without re-onboarding, if regulatory scope permits.
Do you offer a sandbox environment?
Yes. Approved integration partners receive sandbox credentials with realistic test data and end-to-end testing flows. Sandbox access is part of the scoped API access package, not separate.
How do you handle updates and breaking changes?
Concedus Core is on a continuous release cadence. API surface changes follow versioned semantic rules: major (breaking) versions are signposted with 90+ days of deprecation notice; minor and patch versions are backward-compatible. The v2 line is the current stable line.
What about DORA's third-party risk requirements?
Concedus is prepared to serve as the regulated counterparty under DORA for EU-licensed clients. We provide the required documentation — ICT risk framework, continuity plans, third-party register inputs — as part of the onboarding package.
Is on-premise / dedicated infrastructure available?
Default is EU multi-region shared infrastructure. Dedicated-tenant or on-premise configurations are available for enterprise engagements on request.