Regulatory-grade market data

Compliance-grade market data, provable to the regulator.

MiCA is in force and national regulators ask for market data in ESMA's machine-readable format. Qalypto is not a compliance service and not a CASP. It is the layer underneath one: the verifiable market-data evidence your obligations rest on, in the regulator's format, cryptographically sealed and anchored in Bitcoin, auditable by anyone without trusting us.

190+
days sealed
6.9B+
rows under seal
daily
Bitcoin anchoring
4 / 13
venues / instruments

The regulatory moment

Since MiCA took effect, crypto-asset service providers must keep complete, ordered records of every order and transaction and be able to produce them in ESMA's ISO-20022 format on request. Crypto perpetual futures sit under MiFID II. Market-abuse surveillance and DORA vendor due diligence sit on top. All of it rests on one thing a firm can rarely prove: that its market data is complete and unaltered.

Qalypto turns those data duties into a product capability. We are not licensed and carry no CASP obligation. We give the regulated client the evidence, in the format, with the proof.

The obligations, mapped
Art. 76 record-keepingEvery order and transaction, ordered, retrievable
ESMA ISO-20022 formatauth.117 records, schema-valid at build time
Market-abuse / STORCase dossiers with the exact window's evidence
DORA vendor riskAnswer catalogue plus security whitepaper

What Qalypto is, and isn't

The line is drawn on purpose. Overstating scope fails due diligence. The honesty is the product.

What Qalypto provides

  • Trade, order-book, kline, ticker and liquidation data across 4 venues
  • ESMA-format records with the correct market fields (price, quantity, venue, DTI)
  • Cryptographic proof of integrity: Merkle roots, RFC-3161, Bitcoin anchor
  • Case dossiers, a retention and recovery policy, DORA vendor answers

What stays yours

  • Your CASP identity and counterparty (Buyr / Sellr) records
  • The regulatory filing itself and your relationship with your regulator
  • Order-lifecycle data that only your own systems hold
  • The legal determination of what your obligations require

The proof chain

From the WebSocket frame to a Bitcoin block. Change one field of one row anywhere in the history and the recomputed root no longer matches the anchored one. Mathematically, without asking us.

01

Capture

Every raw WebSocket frame is archived with a nanosecond timestamp before anything is parsed.

wire evidence
02

Store

Normalised into ClickHouse with provenance columns: when produced, when consumed, honest NULLs.

provenance
03

Seal

Each UTC day is folded into one Merkle super-root over every canonically serialised row.

RFC-6962
04

Anchor

The super-root is timestamped (RFC-3161, eIDAS-ready) and anchored in Bitcoin, for free, via OpenTimestamps.

RFC-3161 · Bitcoin
05

Publish

An append-only registry entry per day lands off-site in object storage, the public fixed point.

append-only
06

Verify

Anyone recomputes the chain from a single row to the Bitcoin block. Offline, no Qalypto system needed.

MIT · offline

How the data flows

Real components, not a marketing box diagram. The raw frame is archived before it is parsed, so the evidence exists independently of the database it later lands in.

4 venuesBinance · Bybit · OKX · Bitget
Producerspicows, raw frame archived
Kafkadurable transport
ClickHousestored with provenance
Proof buildernightly Merkle seal
AnchorsRFC-3161 + Bitcoin
compliance-apiyour export & dossier

How a regulator audits your data

Four commands, run by anyone, against public Bitcoin. No Qalypto system needs to be online or trusted. These are the real commands and the real output.

01

Recompute a single cell's root from the exported rows.

verify cell
$ python3 qalypto_verify.py cell \
    --rows data/trades.tsv \
    --root 557267c24e797d91...4a5bb03c

rows: 1816030
computed root: 557267c24e797d91...4a5bb03c
RESULT: VALID
02

Fold every cell into the day's super-root and match the registry.

verify day
$ python3 qalypto_verify.py day \
    --registry 2026-07-05-r0.json

cells: 20
computed super-root: 15e93b0c1b510032...19a0e165
RESULT: VALID
03

Prove one specific trade belongs to that sealed day.

verify inclusion
$ python3 qalypto_verify.py inclusion \
    --proof proof.json --registry 2026-07-05-r0.json

leaf -> cell root: ok
cell -> super root: ok
RESULT: VALID
04

Confirm the super-root is anchored in a real Bitcoin block.

verify bitcoin anchor
$ python3 qalypto_verify.py ots \
    --registry 2026-07-05-r0.json

Success! Bitcoin block 956970 attests
existence as of 2026-07-05

What you get

Delivered through an API-key-authenticated endpoint, every delivery logged with its own content hash. Request access at info@qalypto.com.

ESMA record-keeping export

GET /esma/auth117 returns schema-valid CryptoAssetRecordKeepingReport documents built from verified trades. The Docker image cannot be built if it would emit an invalid document.

auth.117 · ISO 20022

Case dossier

One symbol, one window (up to 7 days): all five channels, the exact quality-check and gap-ledger evidence of that window, and the proof-registry entries. One ZIP, ready as a STOR annex.

STOR-ready ZIP

Registry-verified DTIs

Every instrument carries its ISO 24165 Digital Token Identifier, taken only from the official DTIF registry, never guessed from the web.

ISO 24165 DTI

Retention and recovery policy

A client-facing document where every promise links to ledger proof: channel start dates stated honestly, disclosure-first.

policy + proof

DORA vendor answers

A searchable answer catalogue for the third-party-risk due diligence your clients run on their data vendors.

DORA 2022/2554

Open-source verifier

Recompute cell roots, day super-roots, single-row inclusion proofs and the Bitcoin anchor yourself. MIT, standard library only, in Python and JavaScript. Public at github.com/Qalypto/verifier and bundled in every dossier.

Python & JS · MIT

The actual output

Not a mock-up. On the left, a real ESMA auth.117 record generated from a verified trade. On the right, the contents of a case dossier. The counterparty fields carry the ISO-20022 internal placeholder (INTC) because those records are yours to complete, not ours to invent.

GET /esma/auth117 · one transaction record
{
  "Document": { "CrptAsstRcrdKeepgRpt": { "Tx": [{
    "New": {
      "TxRcrdId": "1457814345918189568",
      "ExctgPty": { "AltrnId": "TEMPLATE-CASP" },
      "Tx": {
        "TradDt": "2026-07-05T23:59:05.742Z",
        "TradgCpcty": "AOTC",
        "Qty":  { "Unit": "0.2" },
        "Pric": { "Pric": { "MntryVal": {
          "Amt": { "amt": "45.77", "Ccy": "USD" },
          "Sgn": "0" } } },
        "TradVn": "BITG",
        "TradPlcMtchgId": "1457814345918189568"
      },
      "CrptAsst": { "DgtlTknIdr": { "DTI": "WTX0G7K46" } },
      "Buyr":  { "AcctOwnr": { "Id": { "Intl": "INTC" } } },
      "Sellr": { "AcctOwnr": { "Id": { "Intl": "INTC" } } }
    }
  }] } }
}

Validated against ESMA's official schema at Docker build time. An image that could emit an invalid document cannot be built.

GET /dossier · a STOR-ready bundle
qalypto-dossier-LTCUSDT-2026-07-05.zip
├── data/
│   ├── trades.csv
│   ├── klines_final.csv
│   ├── orderbook_top.csv
│   ├── ticker.csv
│   └── liquidations.csv
├── evidence/
│   ├── quality_checks.csv    # this exact window
│   └── data_gaps.csv         # every disclosed gap
├── proofs/
│   └── registry_entries.jsonl  # roots · RFC-3161 · BTC
├── dossier.json
└── README.md                 # how to verify, yourself

One symbol, one window (up to 7 days). Every delivery is logged with its own content hash.

Why Bitcoin, not a database

A database you control can be edited, and no auditor can rule that out. A Merkle super-root anchored in Bitcoin cannot: rewriting one row changes the root, and the original root is already fixed in a block no one controls, not even us.

Bitcoin here is not a currency and not a smart contract. It is a public, append-only clock. OpenTimestamps batches thousands of roots into one transaction, so there is no wallet, no gas and no per-stamp fee. The legal timestamp (RFC-3161, qualified eIDAS on request) sits beside it: one neutral and global, one recognised in EU law.

Risks this eliminates
Silent data loss disguised as “no gaps”
Every gap is written to a public incident ledger, with cause and status.
Retroactive edits to history
Tamper-evident to the single row: change one field and the root no longer matches.
“Trust us” audits
The client recomputes the whole chain offline, with our open-source verifier.
Vendor lock on verification
The verifier is MIT-licensed and runs without any Qalypto system online.
Backfill laundering
Sealed days are append-only; any revision is logged, never silent.

Standards and references

Every claim on this page maps to a named regulation or technical standard. No acronym soup: the exact instrument, so your legal and technical teams can check us.

MiCA
Regulation (EU) 2023/1114, Art. 76 record-keeping of orders and transactions
RTS order book
Del. Reg. (EU) 2025/416
RTS transparency
Del. Reg. (EU) 2025/417
RTS record-keeping
Del. Reg. (EU) 2025/1140, the Art. 76 core
ESMA schemas
ESMA65-955014868-15160 V1.0 (auth.116 / auth.117 / auth.118), 2025-11-28
Derivatives
MiFID II: crypto perpetual futures are financial instruments, not MiCA crypto-assets
Operational resilience
DORA, Regulation (EU) 2022/2554
Merkle tree
RFC 6962 (Certificate Transparency), domain-separated
Timestamp
RFC 3161: placeholder TSA today, qualified eIDAS provider is a config switch
Blockchain anchor
OpenTimestamps to Bitcoin (calendar aggregation, no wallet, no fee)
Token identifier
ISO 24165 (DTI), sourced from the official DTIF registry
Messaging
ISO 20022 (the ESMA report envelope)

Proof, not promises. The market-data evidence your compliance obligations rest on, verifiable by anyone, from day one.

Qalypto provides market-data infrastructure and cryptographic evidence. It does not provide legal advice and is not a crypto-asset service provider. Regulatory obligations remain with the client.