Tutorial: EU-compliant Bitcoin research stack
This tutorial describes a reference architecture for EU/EEA-based teams that want to assemble an institutional Bitcoin research chain around Trinity Insights, in line with MiCA, AMF discipline and GDPR.
Regulatory positioning
Trinity Insights is an educational analytical tool. Its delivery falls under financial information publishing, not a crypto-asset service within the meaning of EU Regulation 2023/1114 (MiCA). An internal team consuming Trinity therefore remains bound by its own status (proprietary management, internal research, investment service provider, etc.); Trinity confers no status or authorisation.
See the MiCA status page for the full attestations and the GDPR page for sub-processors and international transfers.
Reference architecture
Four layers, aligned with classic institutional requirements:
- Source layer — Trinity Insights provides a normalised view (REST + MCP) of Bitcoin data (on-chain, macro, cycle, narrative, price, exchanges). EU hosting (Germany), strict TLS, access log.
- Cache & observability layer — Internal cache (Redis or Memcached) on the client side to absorb spikes and reduce cost. Prometheus metrics exposed by your gateway. Structured JSON logs without PII in plain text.
- Visualisation layer — Grafana or Metabase for data teams, native Trinity dashboards for analysts (the MCP surface mirrors exactly what the dashboard exposes).
- Audit & retention layer — Append-only archival of research decisions, daily snapshots of Trinity scores, retention aligned with local accounting / contractual rules.
Deployment choices
| Question | Pragmatic answer |
|---|---|
| REST or MCP? | REST for automated pipelines (cron, alerts, dashboards). MCP for human analysts conversing with an AI agent. Both point to the same tier and the same data surface. |
| Which tier? | Pro for most use cases (access to Trinity exclusive composites and cross-rubric query). Performance for intensive automated workloads (extended limits). See Pricing. |
| Where to store the API key? | Your infrastructure secret vault (HashiCorp Vault, AWS Secrets Manager, Doppler, Infisical, 1Password Secrets). Never in plain text in Git or in an application container env var. |
| What to log? | Call identifier, endpoint, response code, timestamp, internal user identifier. NEVER the raw response content (hash it if you need auditability). |
| What retention? | Six months for interactive queries, ten years for accounting documents (French legal retention). |
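
An added example (not Trinity's or this tutorial's own code) of the "What to log?" row above: one structured JSON line per call carrying only the listed fields plus a SHA-256 of the response body, and an audit check that compares an archived snapshot against that hash. The field names, endpoint path and sample payload are assumptions; dropping the query string before logging is an extra precaution not stated in the table.

```python
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Allow-list taken from the "What to log?" row, plus the hash of the response.
ALLOWED_FIELDS = ("call_id", "endpoint", "status", "timestamp", "user_id", "response_sha256")


def build_call_log(endpoint: str, status: int, user_id: str, body: bytes) -> str:
    """Return one JSON log line for an API call; the body is hashed, never stored."""
    record = {
        "call_id": str(uuid.uuid4()),
        "endpoint": endpoint.split("?", 1)[0],  # query parameters can carry identifiers
        "status": status,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,  # internal identifier, not an e-mail address or a name
        "response_sha256": hashlib.sha256(body).hexdigest(),
    }
    return json.dumps(record, sort_keys=True)


def verify_archived_body(log_line: str, archived_body: bytes) -> bool:
    """Audit check: does an archived snapshot match what the log says was received?"""
    record = json.loads(log_line)
    unexpected = set(record) - set(ALLOWED_FIELDS)
    if unexpected:
        # A field outside the allow-list means raw content or PII may have leaked in.
        raise ValueError(f"non-allow-listed fields in log line: {sorted(unexpected)}")
    actual = hashlib.sha256(archived_body).hexdigest()
    return hmac.compare_digest(record["response_sha256"], actual)


if __name__ == "__main__":
    # Constructed sample response; path and payload shape are assumptions.
    body = b'{"metric": "example_composite", "value": 42}'
    line = build_call_log("/v1/example?window=90d", 200, "u-1042", body)
    print(line)
    print(verify_archived_body(line, body))         # archived copy is intact
    print(verify_archived_body(line, body + b" "))  # archived copy was altered
```
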
Data governance
- Formally document Trinity sub-processors in your GDPR record of processing activities (Article 30).
- Sign a Data Processing Agreement (DPA) if you process personal data via Trinity (typical for B2B teams handling customer data).
- Include a link to the Trinity full disclaimer in any internal or external communication carrying a Trinity score (note, briefing, alert).
- Keep daily snapshots of composite scores in an append-only bucket (S3 Object Lock or equivalent).
Vocabulary discipline
To stay aligned with AMF discipline in external communications:
- Favour descriptive vocabulary: "reading", "zone", "indication". Avoid any prescriptive wording that would imply a buy or sell action.
- Do NOT extrapolate a Trinity score into an allocation recommendation. The score is descriptive, not prescriptive.
- Do NOT expose the calculation detail of a Trinity exclusive composite (the third party has a right to use the score, not the formula).
- Always include the disclosure "Educational analytical tool, does not constitute investment advice, Trinity Insights is not a CASP" when distributing.
Business continuity
- Locally cache the last useful time window (typically 90 days) for your cardinal metrics, so that your stack keeps serving during a Trinity incident.
- Subscribe to the Trinity status page for availability alerts.
- Test the API outage path: your code must degrade gracefully (last value kept, internal alert raised, no crash of the research chain).
Compliance checklist
- DPA signed with Trinity Insights (if personal data).
- GDPR record of processing activities updated.
- API key stored in an approved secret vault.
- Structured call logs without plain PII.
- MiCA + AMF disclosure present in every internal or external publication using a Trinity score.
- Business continuity drill documented (API outage, graceful degradation).
- Append-only archival of decisions and daily snapshots.
Institutional disclaimer
This tutorial is strictly educational. It is not investment advice, legal advice, or compliance advice. Trinity Insights is not a Crypto-Asset Service Provider (CASP) registered under MiCA Regulation (EU) 2023/1114. For any real-world implementation in a regulated context, validate choices with your legal counsel. See the full disclaimer.