Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Trustly

VERIFIED
Payments · Sweden
Founded 2008 · trustly.com ↗

Swedish open-banking A2A payment innovator (Trustly Group AB, 2008), $10B annual volume, 33+ markets; Nordic Capital + BlackRock PE owned.

In short

Trustly, in the Payments category, offers EU hosting with Sweden as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

Trustly Group AB (Stockholm, founded 2008) is the leading European open-banking 'Pay by Bank' / account-to-account payments specialist (Swedish-Finansinspektionen-supervised payment institution + UK FCA authorised + EU PSD2, ISO 27001 + SOC 2 + TÜV Saarland + GDPR certifications, ~US$10B annual processed across 275M transactions and 9,000+ merchants) but ownership is a US/Nordic PE consortium (Nordic Capital majority since 2018, BlackRock Private Equity Partners US co-investor), an IPO at ~US$10B is being explored, and the 2022 Finansinspektionen €11M AML-deficiency fine remains a flag; ownership_signal: eu_hq_us_funded, cloud_act_exposure: material; no public DPA or sub-processors list accessible at audit.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Trustly

Trustly is a Swedish open-banking payments innovator operated by Trustly Group AB in Stockholm, founded in 2008 and the leading European specialist in account-to-account (A2A) "Pay by Bank" transactions: the alternative payment rail that bypasses card schemes entirely by initiating direct bank transfers from consumer accounts. The company processes approximately US$10B annually across 275M transactions, connects 9,000+ merchants to 650M consumer bank accounts globally, and operates in 33+ markets across Europe and North America. Offices span Stockholm (HQ), Örebro, Gzira (Malta), London, Helsinki, Barcelona, Lausanne, Luxembourg, Lisbon, Izmir (Turkey), Ottawa, San Carlos (California), and Vitória (Brazil).

Regulatory and compliance posture is strong: Trustly holds a Swedish payment-institution licence supervised by Finansinspektionen plus a UK Authorised Payment Institution licence from the FCA, and provides cross-border services under PSD2. Certifications confirmed on the public site include ISO 27001, SOC 2, TÜV Saarland accreditation, and GDPR alignment. Open-banking expertise predates the regulatory codification: Trustly was building bank-account-to-merchant rails for 13 years before PSD2 made A2A a regulated category.

The ownership and history side complicate a procurement-grade audit. Nordic Capital (a Stockholm-based Nordic PE firm) acquired Trustly from Bridgepoint in 2018; BlackRock Private Equity Partners (US, the private-equity arm of the world's largest asset manager) joined as a co-investor. An IPO was actively explored in 2021 at a rumoured €9B valuation but was put on hold in 2022 after the Swedish Finansinspektionen imposed a SEK 130M (~€11M) fine for serious anti-money-laundering deficiencies. As of late 2024 / 2026 Nordic Capital is again exploring options including sale or IPO at approximately US$10B. The BlackRock co-investment plus the AML fine history plus non-EU offices (Ottawa, San Carlos, Izmir, Vitória) result in ownership_signal: eu_hq_us_funded and cloud_act_exposure: material despite the strong Swedish regulatory anchoring.

Pricing is enterprise / volume-negotiated; no public per-transaction tier. Best fit: Swedish, Nordic, and broader EU retailers, gambling operators (Trustly is dominant in regulated gaming), and B2B platforms wanting open-banking-native A2A rails as a Stripe / PayPal alternative.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

Card payments No
SEPA Direct Debit No
Buy now, pay later No
Open banking (A2A) Yes
Recurring / subscriptions Yes
Payment links No
In-person / POS No
Marketplace / split No
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    — missing
    missing
  • Terms of Service
    trustly.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category

Adyen
Netherlands · Founded 2006
EU-BASED

Dutch publicly-listed payments giant (Euronext Amsterdam), DNB-licensed credit institution + EU/UK/US banking licences; €1.4T processed/yr.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR
Alma
France · Founded 2019
EU-HOSTED

Paris-area French BNPL for merchants: 2/3/4/10/12 installments + Pay Later; 21,800+ merchants across 8 EU countries; Alma SAS, EU-owned.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MATERIAL
Dintero
Norway · Founded 2017
EU-BASED

Oslo fintech (Dintero AS): Finanstilsynet-authorised PI and, since 2025, the only Norwegian-owned direct Visa/Mastercard acquirer; checkout for e-com, marketplaces and physical retail.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR