AODocs founder: ‘Compliance starts with control of the tech stack’

Atlanta-based Stéphan Donzé, the founder and CEO of AODocs

As banks and financial institutions accelerate their digital transformation, the compliance landscape around them is tightening.

Frameworks such as DORA, the EU AI Act, and an expanding web of U.S. state privacy laws are reshaping how software must be built, tested, and documented.

The challenge is no longer just delivering secure, reliable systems; it’s ensuring those systems meet vastly different regulatory requirements across jurisdictions, without compromising usability or speed of delivery.

Few executives understand this balancing act better than Stéphan Donzé, the founder and CEO of AODocs, a cloud-based content services platform designed to combine regulatory rigour with a seamless user experience.

Donzé founded AODocs after leading engineering and product strategy at Exalead, later acquired by Dassault Systèmes, where he helped design enterprise-scale search and data management tools.

With more than 18 years in enterprise software and a master’s degree in software engineering from École Polytechnique in France, Donzé now leads AODocs from California, helping global enterprises navigate compliance and automation challenges at scale.

In a conversation with QA Financial, Donzé explains how AODocs designs, tests, and documents software across multiple regulatory regimes, and why full control of the technical stack has become essential for compliance in financial QA.

“We build for transparency and control, not for a specific regulation”

QA Financial: Stéphan, AODocs was founded on the idea that compliance and user experience don’t have to be in conflict. How do you navigate the challenges posed by conflicting regulatory regimes, such as DORA, the EU AI Act, and various U.S. state privacy laws, when building and testing software solutions for global enterprises?

Stéphan Donzé: I haven’t seen two regulations that truly contradict each other. They have different scopes, some ask for more, some for less, but ultimately, they all boil down to two main requirements: data residency and transparency.

Different countries want data stored and processed within their own borders. The U.S. wants data in the U.S., Europe wants data in Europe. We address this by maintaining separate hosting regions and compliance areas: a European version hosted in Europe, a U.S. version hosted in the U.S. For example, we have a U.S. environment that complies with FedRAMP to work with federal agencies, and another in Germany to meet European sovereignty requirements.

The second major requirement is transparency, clarity about how data is processed and how results are produced. This is central to the AI Act, GDPR, and other similar frameworks.

We build product features that allow customers to meet these transparency and traceability needs, but ultimately, compliance lies with the customer. The product must provide the means to comply, while the customer configures it to meet the law. We avoid building features tied to specific regulations, focusing instead on universal principles like transparency, traceability, and data retention.

“We test for traceability and transparency, not for laws”

QA Financial: With so many overlapping regulatory frameworks, how does AODocs ensure its automation technology works across jurisdictions without creating compliance issues for clients? How do you test this?

Stéphan Donzé: We don’t build one feature per regulation—we build features aligned with the general requirements underlying all of them.

Most regulations ask for transparency, so we implement transparency features. They ask for traceability, so we implement traceability. We test those features themselves, not the compliance with specific regulations.

When a new regulation introduces something genuinely new, we build generic features to address it. For example, DORA brought new requirements on redundancy, so we updated our security and architecture documentation to help customers demonstrate compliance. We didn’t create a DORA-specific feature, we created robust documentation on redundancy.

“Compliance testing is often documentation testing”

QA Financial: What are you observing among large financial institutions in terms of managing compliance complexity across Europe and the U.S., especially from a QA and testing perspective?

Stéphan Donzé: Many regulations are less about product features and more about explainability, documentation, and transparency. So testing becomes less about code and more about process validation.

In practice, this involves producing detailed documentation about how the software operates. Auditors often conduct gap analyses between what exists and what a regulation requires, sometimes annually, just like QA testing cycles.

We also internalise this process. Our in-house compliance team, experienced in ISO 27001 and related standards, conducts internal audits. It’s a form of “testing” compliance, but the emphasis is on documentation and transparency, not just technical testing.

QA Financial: Some vendors are withdrawing from Europe or struggling to meet U.S. regulatory demands. How has AODocs managed to design systems that give businesses control over where their data lives and how it’s handled?

Stéphan Donzé: Our solution is to create distinct hosting environments. We operate a European environment hosted in Europe with documentation focused on European requirements, and a U.S. environment that satisfies U.S. regulations.

This regionalisation simplifies sovereignty management. We’re now looking at the Middle East, where different countries, such as Saudi Arabia and Qatar, require separate environments.

This is only possible because we control every component of our product. Many companies can’t do this if they depend on third-party cloud services that aren’t regionalised. We’ve internalised key functions that we could have outsourced precisely to maintain this control.

“Control your stack if you want to control compliance”

QA Financial: What key lessons have you learned from working with multinational firms on regulatory compliance, and how have those shaped AODocs’ software and data-sovereignty strategy?

Stéphan Donzé: The main lesson is that compliance starts with control. You need to control your entire technical stack.

If you depend on external vendors, you must ensure they can support local hosting and compliance. Hyperscalers like Google offer excellent sovereignty options, but smaller vendors often lack that flexibility.

So, if you want to comply with data-sovereignty requirements and regional regulations, you must own and understand your entire stack, from infrastructure to application layer. That’s the foundation on which AODocs was built.

I believe that software testing teams must view compliance as a product capability, not an afterthought. By embedding transparency, documentation, and control into the QA lifecycle, enterprises can ensure their systems remain compliant, wherever they operate.

Regulations will keep changing. But if your architecture is transparent and your processes are auditable, you’re ready for whatever comes next.

