
Inside MoonPay’s Impressive Privacy Advantage
MoonPay makes cryptocurrency accessible for over 30 million users globally, complying with strict financial regulations and safeguarding a privacy-minded customer base. To keep pace, Kevin Bajurin built a privacy program designed to scale, strengthening privacy audit readiness and supporting MoonPay’s ISO/IEC 27001 and 27701 certifications.

Because Kevin’s career began in litigation, he has a proactive mindset when it comes to privacy leadership. While others might treat privacy compliance as a checkbox, Kevin takes a more deliberate and structured approach that aligns with regulatory expectations.
To achieve this, MoonPay has established a program rooted in informed data mapping and strategic, forward-looking policy. These measures aren’t just for the benefit of a worst-case scenario; they also demonstrate a business maturity that attracts higher-profile partners and earns approval from auditors.
A key part of Kevin’s approach is continuously strengthening MoonPay’s Record of Processing Activities (RoPA). Under the GDPR, maintaining a RoPA is a legal requirement, and in practice it becomes a backbone for demonstrating accountability. But most privacy teams create flimsy RoPAs at the last minute that have no practical application at all.
In contrast, Kevin leverages DataGrail Live Data Map to create a living document that informs strategic data privacy decisions. Live Data Map detects connected systems and the data they contain, then uses AI to recommend how those systems map to MoonPay’s RoPA. Meanwhile, DataGrail centralizes all tracked risks in Risk Register, allowing Kevin and his team to quickly triage potential issues and prioritize the most important system integrations for DSR management.
MoonPay’s RoPA is just one example of how Kevin embraced automation within MoonPay’s privacy program. He used the same strategy for MoonPay’s Data Protection Impact Assessments (DPIAs). With DataGrail Risk Assessments, Kevin centralizes risk evaluation and ensures potential risks are automatically tracked and monitored across their lifetime.
Regulators don’t expect perfection, but they do expect evidence of accountability. Kevin encourages privacy leaders to start with a baseline. Automation helps set the foundation and stay current without a large team.
Privacy isn’t just for late-stage companies. If you wait, you end up trying to prove trust and accountability during diligence with a patchwork process, which slows down partners, investors, and audits and creates costly cleanup later.