Last update:
1. Purpose
This policy establishes the principles and minimum standards for customer identification, verification, ongoing due diligence and record‑keeping adopted by Froxy (a brand of Wergames OÜ) in order to comply with applicable Anti‑Money Laundering (AML), Counter‑Terrorist Financing (CTF) and data‑protection legislation, and to mitigate fraud and reputational risk across Froxy's proxy‑access and web‑scraper services.
2. Scope
- Legal entity: Wergames OÜ, reg. no. 14924570, Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19‑315, 10120, Estonia.
- Products: All software‑as‑a‑service offerings under the Froxy brand, including (but not limited to) residential proxy access, datacenter proxy access, mobile proxy access, API‑driven web‑scraping solutions, dashboards and related billing portals.
- Customers: Natural persons and legal entities who open, activate or continue to use Froxy services.
3. Regulatory Framework
Froxy is established and operates in Estonia and is therefore subject to
- Money Laundering and Terrorist Financing Prevention Act (RT I, 16.03.2023, 5 - consolidated version);
- EU AMLD V/VI directives and delegated regulations;
- EU General Data Protection Regulation ((EU) 2016/679 - GDPR);
- Sanctions regimes adopted by the United Nations, European Union and Republic of Estonia;
- Any additional guidance or requirements issued by the Financial Intelligence Unit (FIU) Estonia and other competent authorities.
4. Roles & Responsibilities
| Role | Responsibilities |
|---|---|
| Director | Approves policy; provides resources; oversees compliance culture. |
| Designated Compliance Officer (CO) | Maintains policy; reports to FIU; oversees KYC process and third‑party vendors. |
| FIU Liaison (Designated Reporting Officer) | Point of contact for FIU inquiries and responsible for filing STRs in accordance with FIU guidelines. |
| Operations & Support Teams | Execute onboarding and monitoring tasks under CO supervision. |
| Third‑Party Vendors | Provide identity verification and risk‑signal data under written agreements. |
5. Risk‑Based Approach
Froxy applies a risk‑based methodology in line with article 8 of the MLTRPA:
- Customer Risk - assessment driven by Sumsub, security vendors' scores (e.g. document forgery, email reputation, device anomalies).
- Geographical Risk - heightened scrutiny for jurisdictions on FATF lists, sanctioned countries or countries with strategic deficiencies.
- Product/Service Risk - residential proxies and scraping at large scale attract increased fraud potential and are monitored accordingly.
- Channel Risk - non‑face‑to‑face onboarding mitigated via video‑liveness and biometric checks.
Risk levels are classified Low / Medium / High and determine the extent of due‑diligence measures and monitoring frequency. The Company maintains a risk assessment, reviewed at least annually, and updates controls and thresholds in line with emerging typologies and FIU recommendations.
6. Customer Status Classification
| Status | Definition | Consequences |
|---|---|---|
| Verified | KYC completed successfully within 72 hours. | Full platform functionality; prior restrictions (if any) lifted. |
| Not Verified | KYC not yet initiated OR pending (within 72 h window). | Temporary limitation: payment‑method binding disabled. |
| Restricted | a) KYC failed; or b) 72 h lapsed without completion and additional risk factors detected. | Certain functionality may be suspended; deposits/purchases blocked; service access limited. |
7. Identification & Verification Procedures
7.1 Natural Persons
- Identity Document Upload - government‑issued ID (passport, ID‑card, residence permit, driver's licence where permitted).
- Video Selfie & Liveness - performed in Sumsub mobile/web widget.
- Data Validation - Sumsub performs authenticity, face‑match and AML watch‑list screening; returns GREEN / RED decision.
- Timeframe - Customer must complete steps within 72 hours of trigger.
7.2 Legal Entities
- Certificate of incorporation or registry extract (≤ 3 months old).
- Articles of association.
- Proof of registered address.
- Identification of directors and ultimate beneficial owners (> 25 %).
7.3 Enhanced Due Diligence (EDD)
Applied to High‑Risk customers and may include: source‑of‑funds documents, corporate structure charts, bank‑statement verification, manual video interview.
8. KYC Trigger Events
| Trigger | Examples |
|---|---|
| Account Onboarding | New registration with payment method. |
| Transaction Thresholds | Cumulative spend or usage crossing internal limits. |
| Risk Alerts | High‑risk signals from security vendors, unusual IP patterns. |
| Regulatory Requests | FIU or court order. |
| Periodic Review | At least every 3 years for low/medium risk; annually for high risk. |
9. Ongoing Monitoring & Screening
- Daily automated screening against EU, UN, US OFAC, UK HMT sanctions lists.
- Behavioural analytics on traffic patterns, proxy chain length, scraping frequency.
- Automated ticket escalation to Compliance Officer upon match or anomaly.
10. Prohibited Activities
Use of Froxy services is strictly forbidden for activities that
- Violate international or Estonian sanctions;
- Facilitate money laundering, terrorist financing, or other financial crimes;
- Involve distribution of child sexual abuse material, malware, phishing, hate speech or violent extremist content;
- Violate intellectual‑property rights or data‑access restrictions;
- Contravene Froxy Terms of Use. Accounts engaged in prohibited activities are subject to immediate termination and reporting to competent authorities.
11. Data Protection & Privacy
- Data Controller: Wergames OÜ.
- Processors: Sumsub (identity), security vendors (emails, device fingerprint, etc). Each processor is bound by a GDPR‑compliant Data Processing Agreement (DPA).
- Data Minimisation: Froxy does not store raw KYC documents or biometric data; these remain solely with Sumsub under EU data-residency. Pseudonymized verification metadata is retained securely for audit and compliance purposes.
- Retention: KYC decision logs and audit metadata are retained for 5 years after business relationship ends, unless longer retention mandated by law; raw documents are retained by Sumsub per their policy (https://sumsub.com), to which customers are referred.
- Rights of Data Subjects: Access, rectification, erasure, restriction, objection and portability per Articles 15‑22 GDPR. Requests can be submitted to support@froxy.com.
- Security: TLS 1.3 in transit, AES‑256 at rest, role‑based access control, audit logging.
12. Incident Response & Suspicious Activity Reporting
- Compliance Officer files Suspicious Transaction Reports (STRs) to the FIU digitally via goAML within 2 working days of detection.
- Accounts subject to STR are immediately blocked pending investigation.
13. Record Keeping
Records supporting customer identification, verification, risk assessments, monitoring results and STRs are kept securely for 5 years after the end of the business relationship or completion of the occasional transaction, whichever is later.
14. Training & Awareness
All employees involved in customer onboarding, transaction monitoring, or system administration must undergo annual AML/KYC training.
Training covers identification procedures, red-flag indicators, sanctions screening, and data protection.
The Compliance Officer ensures updates to the training content in line with regulatory changes and FIU guidance.
15. Review & Updates
This policy is reviewed at least annually or sooner in response to legislative changes, regulatory guidance or material changes in Froxy's business model.