
SECURITY, KYC & COMPLIANCE POLICY

Webrain OÜ – Republic of Estonia

| Version | Effective | Next Review | Applies To |
|---|---|---|---|
| 1.0 | 01 August 2025 | 01 August 2026 | Every product and brand operated by Webrain OÜ (is*hosting shared hosting, VPS, dedicated servers, cloud and reseller services) |

ABBREVIATIONS

  • AML – Anti-Money Laundering
  • CDD – Customer Due Diligence
  • GDPR – General Data Protection Regulation
  • KYC – Know Your Customer
  • MLTFPA – Estonian Money Laundering and Terrorist Financing Prevention Act
  • PEP – Politically Exposed Person
  • STR – Suspicious Transaction Report

1. PURPOSE AND POLICY STATEMENT

This Policy is subject to applicable Estonian and European Union law.

This Policy establishes (1) technical and organizational security measures for Company infrastructure and customer protection, and (2) risk-based customer verification procedures to prevent abuse and maintain service integrity.

CRITICAL NOTICE: This policy is applied without exceptions. Any attempts to circumvent security measures, provide false information, or use our services for illegal activities will result in immediate service restrictions and potential account termination.

The Company adopts a zero-tolerance stance toward abuse, fraud, and illegal activities. We maintain robust security controls and work closely with payment providers and law enforcement when necessary.

This Policy serves as our operational framework and demonstrates our commitment to security excellence and regulatory compliance.

2. SCOPE & LEGAL FRAMEWORK

2.1. Applicable Legal Framework

| Layer | Instrument | Key Provisions Applied |
|---|---|---|
| National | Estonian Money Laundering and Terrorist Financing Prevention Act (MLTFPA, RT I, 17.12.2017, 1) | Customer due diligence, record keeping, suspicious activity reporting |
| EU | GDPR (2016/679/EU), EU Sanctions Regulations | Data protection, sanctions compliance |
| International | FATF Recommendations, UN Security Council Resolutions | Risk-based approach, international cooperation |

2.2. Regulatory Authorities

  • Primary Supervisor: Rahapesu andmebüroo (Estonian FIU) – Police and Border Guard Board
  • Contact: aml@politsei.ee, +372 612 3000
  • Data Protection: Andmekaitse Inspektsioon (Estonian DPA)

3. SECURITY PRINCIPLES

3.1. Core Security Principles

  • Risk-Based Approach – Security measures proportional to identified risks
  • Transparency – Clear communication with customers about security requirements
  • Continuous Monitoring – Ongoing assessment of user behavior and transaction patterns
  • Collaborative Resolution – Working with customers and partners to resolve security issues

3.2. Data Protection Principles

  • Data Minimization – Only necessary data collected for security and compliance
  • Purpose Limitation – Data used only for stated security and compliance purposes
  • Transparency – Clear communication about data processing activities
  • Storage Limitation – Data retained only as legally required

4. RISK ASSESSMENT CONSIDERATIONS

4.1. Geographic Risk Factors

We employ internal tools and methodologies to assess geographic and regulatory risks associated with customer locations. Our risk assessment considers various regional characteristics including:

  • Applicable regulatory requirements and compliance obligations
  • International sanctions and restrictions
  • Financial crime prevention measures
  • Data protection and privacy requirements
  • Cross-border transaction compliance obligations

Risk classifications are regularly updated based on international standards, regulatory guidance, and security intelligence. Customers may experience different service levels or verification requirements based on applicable geographic risk factors.

4.2. Dynamic Risk Evaluation

  • Risk assessments updated regularly based on regulatory changes
  • Immediate adjustments following new international sanctions
  • Customer notifications for significant changes affecting service availability

5. CUSTOMER RISK ASSESSMENT FRAMEWORK

5.1. Automated Risk Assessment

Customer interactions with our platform activate automated security verification systems utilizing multiple assessment categories:

Data Sources for Assessment: Our verification systems analyze only:

  • Data explicitly provided by customers on the platform (email, phone, name, etc.)
  • Device and software information used by customers to interact with our platform (browser type, operating system, device characteristics)

| Assessment Category | Purpose | Data Points |
|---|---|---|
| Email Verification | Email reputation and validity assessment | Domain reputation, mailbox validity, disposable email detection |
| Device Intelligence | Device fingerprinting and behavioral analysis | Device characteristics, browsing patterns, velocity checks |
| Fraud Detection | Anti-fraud intelligence | IP reputation, geolocation analysis, risk indicators |

5.2. Customer Status Classifications

| Customer Status | Description | Service Level | KYC Requirement |
|---|---|---|---|
| "Verified" | Account completed KYC verification | Full access, no restrictions applied | Completed |
| "Good Standing" | Minimal risk indicators identified | Full access, no restrictions applied | Voluntarily |
| "Verification Recommended" | Medium risk indicators present | Full access, directed to KYC verification | Required within 72 hours |
| "Restricted Access" | High risk indicators detected | Automatic restrictions applied, KYC mandatory | Required within 72 hours |

5.3. Status Determination and Actions

Customer status is automatically determined based on:

  • Risk assessment results from multiple verification vendors
  • Behavioral analysis and usage patterns
  • Payment method and transaction characteristics
  • Geographic and regulatory risk factors
  • Service interaction and usage historical data

Automatic Actions:

  • "Verification Recommended"/"Restricted Access" Status: Automatic KYC invitation sent with 72-hour deadline
  • Failed Verification: Account status remains unchanged; customers may contact support for clarification (verification provider provides failure reasons)
  • Successful Verification: Immediate status upgrade to "Verified" and restriction removal
  • Deadline Violation: Account status and restrictions remain in effect; manual review by management required

6. KNOW YOUR CUSTOMER (KYC) PROCEDURES

6.1. Purpose and Rationale

To protect our infrastructure and law-abiding customers, and to ensure compliance with international security standards, we have implemented selective customer identification (KYC) procedures.

This measure is necessitated by increasing cases of service abuse, including:

  • Distribution of malware and malicious software
  • Botnet command and control operations
  • Attempts to circumvent technical restrictions
  • Cryptocurrency-related financial crimes
  • Other forms of service abuse and illegal activities

6.2. KYC Trigger Criteria

KYC verification is conducted on a selective basis. The decision is made based on our internal risk assessment system, which incorporates multiple security factors and compliance indicators to maintain service integrity and regulatory compliance.

Important Notice: A KYC request is not an accusation and should not be perceived as discrimination. This is a standard security precaution implemented to maintain service integrity.

Common Triggers Include:

  • Risk assessment algorithm results
  • Geographic risk factors
  • Payment method characteristics
  • Unusual service usage patterns
  • AML system alerts
  • Regulatory compliance requirements

6.3. KYC Service Provider and Process

All identification is conducted exclusively through our certified KYC platform — a verified international service complying with GDPR, KYC/AML, and other security standards.

Verification Process:

  1. Customer receives unique verification link via secure communication
  2. Document upload (government-issued ID)
  3. Biometric selfie for identity matching
  4. Additional verification steps as required
  5. Automated processing and review
  6. Account status update upon completion

Data Protection: Our company does not store or process document copies. All data transmission and storage occurs on the KYC provider's secure, encrypted servers with appropriate certifications.

6.4. Required Documentation

Individual Customers:

  • Government-issued photo identification (passport, national ID, driver's license)
  • Proof of address dated within 90 days (utility bill, bank statement, government correspondence)
  • Biometric selfie verification
  • Source of funds documentation (when triggered by AML screening)

Business Customers:

  • Business registration and incorporation documents
  • Beneficial ownership information and corporate structure
  • Authorized representative identification and proof of authority
  • Company address verification
  • Financial statements and business activity documentation (when required)

6.5. Verification Timeline and Consequences

Timeline Requirements:

  • Customers must complete verification within 72 hours of request
  • In case of technical difficulties or exceptional circumstances, the deadline may be extended upon customer request
  • Failure to complete within deadline may result in manual order cancellation by management
  • Funds may be returned to internal account balance without additional notification
  • New orders may only be possible after successful KYC completion

Processing Time: KYC verification is typically completed within 1-2 business days of document submission.

6.6. Consequences of KYC Refusal

When customers refuse to complete verification, the following consequences may occur at the discretion of our compliance team:

  • Order cancellation and service suspension may be implemented
  • Service provision may be terminated until compliance
  • Refunds may be subject to strict conditions in accordance with payment system requirements and applicable law

All decisions regarding the application of these consequences are made on a case-by-case basis by our compliance team, taking into account individual circumstances and regulatory requirements.

Refund Conditions (when applicable):

  • Cryptocurrency: Refunds may require completing KYC identification and submitting written application
  • Other Payment Systems: Refunds may be processed only through supported refund methods of the original payment system
  • Administrative Fee: Up to 10% of refund amount may be retained to cover operational and verification costs

6.7. AML-Triggered Enhanced Verification

When AML filters detect high-risk activity, additional documentation may be required:

  • Detailed source of funds explanation with supporting evidence
  • Bank statements showing transaction history
  • Employment verification or business income documentation
  • Explanation of cryptocurrency acquisition and transaction purpose
  • Video interview with compliance team (when necessary)

6.8. Customer Acceptance and Understanding

By placing an order, customers:

  • Confirm they have read and agree to this KYC Policy
  • Accept the refund conditions described above
  • Acknowledge the importance of security procedure compliance
  • Understand that KYC requirements are designed to create a safe and reliable environment for all users

7. AML COMPLIANCE THROUGH PAYMENT PROVIDERS

7.1. Payment Provider AML Controls

We rely on licensed payment service providers for AML compliance in financial transactions. Each payment gateway implements:

  • Real-time transaction monitoring and screening
  • Blockchain analysis and wallet risk assessment
  • Sanctions list checking and compliance
  • Suspicious activity detection and reporting
  • Regulatory reporting requirements

7.2. Customer AML Obligations

By using our services and making payments, especially in cryptocurrency, customers confirm that they:

  • Use cryptocurrency only from legal and traceable sources
  • Do not conduct transactions related to anonymous services, darknet markets, mixers, or sanctioned addresses
  • Agree to undergo verification through our KYC provider when requested
  • Acknowledge that payments flagged as high-risk may be delayed, rejected, or blocked
  • Guarantee the legal origin of all funds used for payments

7.3. High-Risk Wallets and Prohibited Operations

We reserve the right to reject or block any transactions associated with:

  • Addresses linked to criminal activity, fraud, extortion, or terrorism
  • Anonymous services including mixers, anonymizers, unlicensed exchanges
  • Sanctioned jurisdictions or individuals subject to OFAC, EU, or UN sanctions
  • Platforms deemed unreliable through automatic analysis by our payment providers
  • Cryptocurrency wallets flagged by blockchain analytics as high-risk

7.4. AML Triggers and Enhanced Due Diligence

When AML filters are triggered or suspicious activity is detected, we may request:

  • Complete KYC verification through our verification platform
  • Documentation proving the legal origin of funds
  • Additional information for comprehensive risk assessment
  • Video verification or enhanced identity confirmation

Consequences of Verification Refusal:

  • Service suspension or termination
  • Freezing of funds pending investigation (with periodic review)
  • Denial of refund requests until compliance requirements are met
  • Account restrictions until verification completion

7.5. Payment Provider Cooperation and Investigation Process

When payment providers identify suspicious transactions:

  1. Payment provider immediately freezes funds and initiates investigation
  2. We receive notification and implement corresponding account restrictions
  3. Customer is directed to resolve matter directly with payment provider
  4. We cooperate fully with payment provider investigations
  5. Additional KYC/EDD procedures may be required
  6. Account restrictions remain until resolution

7.6. Refunds and AML Delays

AML-Related Transaction Blocks:

  • Funds will not be returned or transferred until investigation completion
  • KYC verification and source of funds documentation may be required
  • In case of violations, funds may be transferred to law enforcement pursuant to court order or legal requirement under applicable Estonian and EU law
  • Processing may be delayed pending regulatory review

Refund Policy:

  • Refunds processed only through the same payment system used for original payment
  • Subject to our KYC/AML policy and refund policy compliance
  • 10% administrative fee applied to cover operational and verification costs
  • Refunds may be denied for AML compliance reasons

7.7. Legal Cooperation and Confidentiality

Our AML procedures:

  • Fully comply with data protection legislation requirements, including GDPR
  • Ensure storage and processing of personal data only within regulated platforms
  • Include readiness for cooperation with law enforcement upon official request
  • Maintain strict confidentiality while meeting legal obligations
  • Provide transparent communication about AML requirements to customers

8. BEHAVIORAL MONITORING AND SECURITY

8.1. Security Team Operations

Our security team continuously monitors:

  • User behavior patterns and anomalies
  • Service usage characteristics
  • Potential abuse indicators
  • Security incident patterns

8.2. Anomaly Detection

Monitoring Focus:

  • Unusual account activity patterns and login behaviors
  • Rapid service scaling or configuration changes
  • Payment anomalies, disputes, or chargeback patterns
  • Geographic inconsistencies in access patterns
  • Technical indicators of potential security threats

Response Procedures:

  1. Automated alert generation for unusual patterns
  2. Security team investigation and analysis
  3. Customer contact for clarification when needed
  4. Proportional response based on risk assessment
  5. Documentation of all actions taken

8.3. Customer Communication

When security concerns arise:

  • Direct communication with customer
  • Clear explanation of concerns
  • Opportunity for customer to provide clarification
  • Collaborative approach to resolution
  • Escalation procedures for unresolved issues

9. PROHIBITED ACTIVITIES

9.1. Absolute Prohibitions

  • Cryptocurrency mixing, tumbling, or anonymization services
  • Darknet marketplace operations
  • Ransomware-related activities
  • Terrorist financing or support
  • Child exploitation material hosting
  • Illegal gambling or betting services
  • Sanctions evasion activities
  • Money laundering schemes
  • Fraudulent financial services
  • Malware or botnet operations

9.2. Enforcement Approach

Graduated Response:

  • Warning and education for minor violations
  • Service restrictions for moderate violations
  • Account suspension for serious violations
  • Permanent termination for severe violations
  • Law enforcement notification for illegal activities

9.3. Due Process

All enforcement actions include:

  • Clear notification of alleged violation
  • Evidence of violation provided to customer
  • Opportunity for customer response and appeal
  • Escalation to senior management for significant actions
  • Documentation of decision-making process

10. DATA PROTECTION & GDPR COMPLIANCE

10.1. Lawful Basis for Processing

  • GDPR Article 6(1)(b) - processing necessary for contract performance
  • GDPR Article 6(1)(f) - legitimate interests (fraud prevention, security)
  • GDPR Article 6(1)(c) - processing necessary for legal compliance (where applicable)

10.2. Data Subject Rights

We respect all GDPR rights including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure (with legal retention exceptions)
  • Right to restrict processing
  • Right to data portability

Response Timeline: 30 days maximum for rights requests

10.3. Data Security

  • Encryption for data in transit and at rest
  • Access controls and authentication requirements
  • Regular security assessments
  • Incident response procedures
  • Vendor security requirements

11. RECORD KEEPING

11.1. Retention Requirements

| Record Type | Retention Period | Purpose |
|---|---|---|
| Customer Verification Records | 5 years after account closure | Regulatory compliance and AML requirements |
| AML Transaction Records | 5 years after transaction | Financial crime prevention and investigation |
| Security Incident Records | 5 years after incident | Investigation and compliance |
| Source of Funds Documentation | 5 years after verification | AML compliance and audit trail |
| Customer Communication Records | 3 years after interaction | Customer service and dispute resolution |
| Compliance Assessment Records | 3 years after assessment | Process improvement and audit trail |

11.2. Data Security

  • Encrypted storage for all retained records
  • Access controls based on business need
  • Regular backup and recovery procedures
  • Secure deletion after retention period

12. TRAINING AND AWARENESS

12.1. Staff Training Requirements

All Staff:

  • Security awareness and best practices
  • Customer communication procedures
  • Escalation protocols
  • Data protection requirements

Security Team:

  • Advanced threat detection
  • Investigation techniques
  • Regulatory requirements
  • Customer interaction protocols

12.2. Ongoing Education

  • Regular security updates and briefings
  • Industry best practice sharing
  • Regulatory change notifications
  • Case study analysis and learning

13. INCIDENT RESPONSE

13.1. Incident Types and Response

Security Incidents:

  • Immediate containment and investigation
  • Customer notification if affected
  • Evidence preservation
  • Regulatory notification if required

Compliance Issues:

  • Prompt investigation and assessment
  • Customer communication and support
  • Coordination with relevant authorities
  • Process improvement implementation

Payment Issues:

  • Coordination with payment providers
  • Customer communication and support
  • Compliance with provider requirements
  • Regulatory reporting if needed

13.2. Escalation Procedures

  • Clear escalation paths for different incident types
  • Senior management involvement for significant issues
  • Legal counsel consultation when needed
  • External authority notification as required

14. VENDOR MANAGEMENT

14.1. Security Vendor Requirements

All security and verification vendors must maintain:

  • Appropriate compliance certifications
  • Strong data protection measures
  • Regular security assessments
  • Incident reporting capabilities

14.2. Payment Provider Standards

We work only with licensed and regulated payment providers that maintain:

  • Full AML compliance programs
  • Sanctions screening capabilities
  • Suspicious activity monitoring
  • Regulatory reporting procedures

15. CONTINUOUS IMPROVEMENT

15.1. Program Enhancement

We continuously improve our security and compliance program through:

  • Regular risk assessments
  • Technology upgrades and enhancements
  • Process optimization based on experience
  • Feedback incorporation from customers and partners

15.2. Regulatory Adaptation

  • Monitoring of regulatory changes
  • Policy updates as needed
  • Staff training on new requirements
  • System enhancements for compliance

16. CUSTOMER COMMUNICATION AND TRANSPARENCY

16.1. Proactive Communication

  • Clear explanation of security measures
  • Notification of policy changes
  • Educational content about security best practices
  • Regular updates on security enhancements

16.2. Appeals and Dispute Resolution

Right to Appeal: Customers who disagree with our security or compliance decisions have the right to appeal and request review.

Appeal Process:

  • Contact our compliance team directly with detailed explanation of your concerns
  • We will thoroughly review the circumstances and decision-making process
  • We maintain an open dialogue approach and are committed to fair resolution
  • Each case is evaluated individually with consideration of all relevant factors
  • Response provided within reasonable timeframe with explanation of findings

Contact Information: compliance@ishosting.com

We encourage direct communication to resolve any misunderstandings or address concerns about our security procedures.

  • Dedicated compliance and security support channels
  • Clear escalation procedures for disputes
  • Regular communication during investigations
  • Transparent explanation of decisions

17. REGULATORY COOPERATION

17.1. Authority Engagement

We maintain cooperative relationships with:

  • Estonian Financial Intelligence Unit
  • Estonian Data Protection Authority
  • Law enforcement agencies
  • International regulatory bodies as appropriate

17.2. Information Sharing

  • Prompt response to legitimate regulatory requests and law enforcement inquiries
  • Suspicious activity reporting when identified through our monitoring or payment provider alerts
  • Cooperation with AML investigations and financial crime prevention efforts
  • Documentation of all regulatory interactions and compliance activities
  • Transfer of funds to law enforcement when required pursuant to legal requirements and court orders

DOCUMENT CONTROL

Document Title: Security, KYC & Compliance Policy
Document ID: POL-001-2025
Version: 1.0
Classification: Public
Language: English

Approval Matrix:

  • Author: Security & Compliance Team
  • Reviewer: Senior Management
  • Approver: Director
  • Effective Date: 01 August 2025
  • Next Review: 01 August 2026

Distribution:

  • Published on company website
  • Available to all customers and stakeholders
  • Provided to regulatory authorities upon request

Change Log:

| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 01 Aug 2025 | Security & Compliance Team | Initial version |