Legal
KYC Policy
Last updated: May 1, 2026.

Helodata runs Know-Your-Customer (KYC) verification on every account. No anonymous access, no exceptions. This is one of our strictest and most-questioned policies — and a core reason we can sell to banks, public companies, and government contractors. This page details how we verify, why we verify, and how to appeal.
Why KYC
Proxy abuse is the industry's central pain point. Most proxy vendors do not verify customer identity — and so the same IP pool ends up containing public-company e-commerce-monitoring traffic, government-affiliated surveillance traffic, and fraud-ring traffic side by side. When any of them abuses the pool, the IP range gets blacklisted and everyone suffers; when regulators investigate the source, no one can account for it.
Our answer is to replace 'undifferentiated supply' with 'tiered onboarding' — KYC identifies every Helodata user, makes them traceable, and makes them accountable. This isn't moral posture — it's commercial logic: compliant customers pay a premium for clean IPs. Our renewal rates and enterprise share have stayed above industry average for exactly this reason.
Regulatory: our service falls under 'financial infrastructure' or 'communications intermediary' categories in several jurisdictions — Hong Kong AMLO, EU 5/6 AMLD, Singapore PSA, US BSA — all of which require Customer Due Diligence (CDD). We over-deliver — identifying the corporate entity, the Ultimate Beneficial Owners (UBOs), and the controlling persons.
This is the moat for compliant customers: the reason you can get our SOC 2 report, sign a DPA, and pass your customer's vendor-risk review is that your 'neighbors' on the network were verified to the same standard.
Customer tiers
Individual developer
Less than 1 year as customer, monthly spend < USD 500. Basic KYC (automated standardized document checks).
SMB
Headcount < 50 and revenue < USD 5M. Enhanced KYC (corporate documents + 1 UBO verification).
Mid-market & enterprise
Headcount ≥ 50 or revenue ≥ USD 5M. Deep KYC (full UBO chain + sanctions screening + business due diligence).
Public companies
Streamlined path — leveraging existing regulatory disclosure + verified contact identity.
Government
Dedicated channel — additional contract terms, special data residency, independent audit.
Resellers / VARs
Strictest — all of the above + business model description + auditable proof of your own KYC process for end customers.
Required: individual customers
- Identity — Government-issued document (passport, national ID, driver's license), currently valid, clearly readable, all four corners visible
- Liveness — Selfie + liveness detection (blink, smile, head turn) via Sumsub / Onfido, matched against the document photo
- Address — Utility bill, bank statement, or rental contract within the last 90 days
- Contact — SMS verification + work email (personal email allowed but work email speeds enterprise upgrade)
- Source of funds (high spend) — Triggered at monthly spend ≥ USD 5K — payslip, company financials, or investment agreement
Required: business customers
- Corporate documents — Certificate of incorporation; offshore companies also need a Certificate of Good Standing
- Corporate structure — Org chart + share-ownership chart (identifying every UBO with ≥ 25% ownership)
- UBO verification — Each UBO's ID + selfie + address proof, same standard as individual customers
- Authorization — Board resolution / articles authorizing the signatory to bind the company
- Address — Registered + operating address (with explanation if different)
- Business description — 1–2 page summary: how you plan to use Helodata, target industry, traffic estimate, responsible team
- Financial verification — Recent audited financials or bank statements (triggered at annual spend ≥ USD 50K)
- Banking info — Corporate account proof (we do not accept personal accounts paying for a company)
Required: resellers / VARs
- Full business KYC — All items in the previous list
- Reseller agreement — Sign the Helodata Reseller Agreement (VAR/MSP) defining rights and obligations
- End-customer KYC SOP — Submit your KYC SOP documents; effective only after Helodata review
- Customer roster — Quarterly submission of end-customer roster: name / country / business type
- Abuse-mitigation capability — Demonstrate independent abuse-monitoring and -response capability (cannot rely solely on Helodata)
- Annual audit — Cooperate with an annual reseller-operations audit by Helodata
Process (standard 24 business hours)
Step 1 — Submit: upload documents via the dashboard's Compliance tab. All documents are end-to-end encrypted; Helodata staff see only the minimum information needed for the review.
Step 2 — Automated checks: (a) OCR + document authenticity (anti-PS, anti-screenshot, anti-forgery); (b) global sanctions screening (OFAC, EU, UN, UK HMT, HK CFR); (c) PEP (Politically Exposed Persons) screening; (d) adverse-media screening (fraud / money-laundering / corruption history). The whole pipeline takes 5–15 minutes.
Step 3 — Risk scoring: a 0–100 score across 30+ dimensions including industry, geography, document completeness, and UBO complexity.
Step 4 — Routing: score < 30 auto-pass; 30–70 routed to human triage (compliance analyst + senior analyst, 4-eyes); 70–90 routed to Head of Compliance; > 90 enters Enhanced Due Diligence (EDD).
Step 5 — Decision: pass → activated; conditional pass → restricted scope or additional materials required; deny → reason provided where legally allowed + appeal path.
Step 6 — Notification: email + dashboard. Pass means full product access immediately; conditional pass shows the restriction in the dashboard.
Our KYC partners
Sumsub (London): primary provider, with document recognition covering 220+ countries; FATCA / CRS / GDPR compliant.
Onfido (London): backup provider, used as failover; strongest in UK / US markets.
Our internal red team performs adversarial testing of the KYC pipeline quarterly (photo masks, face swaps, deepfakes). In our most recent 2025 test, the document-authenticity rejection rate was 99.7%.
All third-party KYC data sharing flows through ISO 27001-compliant channels with GDPR Article 28 DPAs.
Enhanced Due Diligence (EDD)
Triggers: sanctions-list grey-zone matches, high-risk countries (FATF grey + black lists), PEP affiliations, complex offshore structures, cash-intensive / crypto / gambling / weapons industries, UBOs unwilling to disclose.
Scope: (a) detailed source-of-funds with documents; (b) business due-diligence call (30–60 min); (c) third-party background investigation when warranted; (d) Head of Compliance personal sign-off; (e) post-pass enrollment in the "high-touch" customer pool with quarterly review.
EDD typically takes 5–10 business days.
Who we cannot onboard
- Sanctions list — You, your company, or any UBO with ≥ 25% ownership appears on OFAC SDN, EU, UN, or UK HMT lists
- Sanctioned regions — Comprehensively US-sanctioned jurisdictions: Cuba, Iran, North Korea, Syria, Crimea, Donetsk / Luhansk / Zaporizhzhia / Kherson
- Abuse history — Entities previously sanctioned by Helodata at Tier 3 / 4 (5-year ban) or blacklisted by peer proxy vendors
- Human-rights risk — Known state-affiliated surveillance organizations targeting journalists / activists / protesters, their contractors, or their proxies
- Child-safety risk — Entities involved in child exploitation, CSAM distribution, or targeted harassment of minors
- LE non-cooperation — High-risk customers who refuse to disclose UBOs or complete EDD
- Banned industries — Weapons (low-grade civilian excepted), drugs (legal pharmaceuticals excepted), human trafficking, illegal wildlife trade
Re-KYC triggers
Routine: at least annual update (verifying address, UBOs, document validity).
Event-driven: regulatory penalty, adverse media, sanctions-list change, UBO change ≥ 25%, annual spend tier crossing (USD 50K → 500K → 5M), Suspicious Activity Report (SAR) filed.
Customer-initiated: M&A, equity restructuring, relocation, name change — please notify Helodata proactively.
Non-compliance: re-KYC requests must be addressed promptly. A request left unaddressed leads to account downgrade after 14 days, suspension after 30 days, and termination after 60 days.
Document security & privacy
Storage: customer-sensitive documents (IDs, passports, UBO files) use AWS KMS envelope encryption + application-layer deterministic encryption — keys distinct from business-database KMS.
Access: 8 certified compliance analysts (CAMS / ACAMS) + 4 security engineers; all access logged in a tamper-evident audit trail; quarterly access review; annual independent third-party audit.
In transit: mTLS + file-level PGP with Sumsub / Onfido; with regulators, we use the strictest legally permitted method.
Retention: ≥ 5 years per regulatory requirements (extendable to 10 years under applicable law). Irreversible deletion after retention (overwrite + cryptographic destruction).
Customer rights: outside regulatory or judicial process, we proactively delete after retention expires; customers may request a machine-readable KYC export (JSON).
Denial, appeal, and disputes
Denial notice: where legally allowed we tell you the reason. For 'sanctions match' or 'AML suspicious activity' the law may forbid disclosure of specifics; we then point you to independent legal advice.
First-instance appeal: within 14 days of denial, email kyc@helodata.com with supplementary evidence. We commit to independent review by a senior compliance analyst (other than the original decision-maker) within 5 business days.
Second-instance appeal: if the denial is upheld, you may escalate to the Head of Compliance within 14 days; that round resolves within 30 business days.
Independent oversight: an independent compliance advisor reviews 5–10% of denied cases each quarter. Where systemic bias is found, we update the SOP.
Transparency report
We publish an annual KYC transparency report including: (a) total applications; (b) approval rate; (c) denial reason distribution; (d) median review time; (e) appeals filed and overturned; (f) sanctions-list matches (no specific identities); (g) SARs filed.
Latest report at /transparency/kyc.
Contact
- KYC questions: kyc@helodata.com
- Appeals & escalation: compliance@helodata.com
- Privacy / data requests: privacy@helodata.com
- Transparency report: /transparency/kyc