DOMAIN:CLIENT_COMMUNICATIONS:CONTRACT_KYC¶
OWNER: eric
UPDATED: 2026-03-24
SCOPE: contract generation, KYC verification, digital signatures, payment gate
AGENTS: eric (primary), dima (intake handoff), aimee (scoping handoff), margot (relationship handoff)
REGULATION: EU Anti-Money Laundering Directive 5 (AMLD5), Dutch Wwft, eIDAS, GDPR
CONTRACT_KYC:OVERVIEW¶
PURPOSE: eric operates the STOP/GO gate between intake (dima) and scoping (aimee)
PRINCIPLE: no work begins until identity is verified and contract is signed
PRINCIPLE: KYC is a legal obligation, not a nice-to-have
PRINCIPLE: frictionless for honest clients, impenetrable for fraud
FLOW:
IF KYC fails THEN STOP — client is rejected with professional explanation
IF contract unsigned THEN STOP — no scoping, no work
IF both pass THEN GO — client proceeds to aimee for scoping
CONTRACT_KYC:CONTRACT_TEMPLATES¶
TEMPLATE_TYPES¶
TYPE: standard_service_agreement
USE_WHEN: typical client engagement (development project)
INCLUDES: scope reference, pricing, timeline, IP ownership, liability, termination
TYPE: retainer_agreement
USE_WHEN: ongoing maintenance/support relationship
INCLUDES: monthly hours, rate, rollover policy, scope of support
TYPE: nda
USE_WHEN: client shares confidential information before contract
INCLUDES: definition of confidential info, obligations, duration, exceptions
TYPE: data_processing_agreement
USE_WHEN: GE processes client's customer data (GDPR Article 28)
INCLUDES: processing purposes, security measures, sub-processors, breach notification
STANDARD_SERVICE_AGREEMENT_SECTIONS¶
1. DEFINITIONS
- "Client", "GE", "Services", "Deliverables", "Project"
2. SCOPE OF SERVICES
- Reference to Aimee's scope document (attached as Annex A)
- Change request procedure
- Out-of-scope handling
3. PRICING AND PAYMENT
- Rate: EUR {rate}/hr
- Invoicing: monthly in arrears
- Payment terms: 14 days net
- Late payment: statutory interest (Dutch Civil Code 6:119a)
4. TIMELINE
- Estimated delivery: {weeks}
- Milestones: as defined in Annex A
- Force majeure clause
5. INTELLECTUAL PROPERTY
- All custom code: ownership transfers to client on full payment
- GE retains license to reuse patterns, frameworks, and non-client-specific code
- Open source components: governed by their respective licenses
6. CONFIDENTIALITY
- Mutual NDA embedded in contract
- Duration: 2 years post-termination
- Exceptions: public info, independently developed, legally required disclosure
7. DATA PROTECTION
- GDPR compliance commitment
- DPA attached as Annex B (if personal data processed)
- Data retention: project data deleted 90 days post-completion unless otherwise agreed
8. LIABILITY
- Limited to 12 months of fees paid
- Excludes indirect/consequential damages
- No limitation for gross negligence or willful misconduct
9. TERMINATION
- Either party: 30 days written notice
- Immediate: material breach uncured after 14 days
- On termination: deliver all completed work, final invoice
10. GOVERNING LAW
- Dutch law
- Dispute resolution: mediation first, then District Court of Amsterdam
11. SIGNATURES
- Digital signature (eIDAS qualified or advanced)
- Date and place
CONTRACT_GENERATION_RULES¶
RULE: eric generates contract from template, never from scratch
RULE: scope section always references aimee's scope document
RULE: pricing filled from approved quote (aimee provides estimate, dirk-jan approves rate)
RULE: contract reviewed by dirk-jan before sending to client
RULE: contract sent as PDF with digital signature fields
RULE: client has 14 days to sign; after that, quote may need refresh
CONTRACT_KYC:KYC_REQUIREMENTS¶
LEGAL_BASIS¶
REGULATION: EU Anti-Money Laundering Directive 5 (AMLD5 / 2018/843)
DUTCH_LAW: Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft)
APPLIES_TO: GE as a service provider accepting payments
CHECK: confirm which Wwft obliged-entity category (Wwft Art. 1a) GE falls under before relying on this; the obligations below follow from that classification, and where GE falls outside it they apply as contractual onboarding policy rather than statutory duty
THRESHOLD: all clients, regardless of transaction size (risk-based approach)
INDIVIDUAL_CLIENTS¶
REQUIRED_DOCUMENTS:
1. Government-issued photo ID (passport or national ID card)
2. Proof of address (utility bill or bank statement, < 3 months old)
3. Source of funds declaration (for engagements > EUR 15,000)
VERIFICATION_STEPS:
STEP: document collection (client uploads via secure portal)
STEP: document authenticity check (MRZ validation, hologram check via API)
STEP: liveness check (selfie + video matching against ID photo)
STEP: PEP/sanctions screening (Politically Exposed Persons, EU/UN/OFAC lists)
STEP: adverse media check (automated news screening)
STEP: risk assessment and decision
COMPANY_CLIENTS¶
REQUIRED_DOCUMENTS:
1. Chamber of Commerce extract (Kamer van Koophandel uittreksel) < 3 months old
2. UBO declaration (Ultimate Beneficial Owner: any natural person holding more than 25% of shares or voting rights, or exercising control by other means; if nobody qualifies, senior management is registered as pseudo-UBO)
3. ID verification of UBO(s) (same as individual requirements)
4. Company bank account verification (IBAN matching company name)
5. Articles of association (statuten) for companies < 1 year old
VERIFICATION_STEPS:
STEP: company existence verification (KvK API check)
STEP: UBO identification (KvK UBO register or self-declaration)
STEP: UBO identity verification (same as individual)
STEP: company PEP/sanctions screening
STEP: adverse media check on company and UBOs
STEP: risk assessment and decision
RISK_LEVELS¶
RISK: low
CRITERIA: Dutch company, simple ownership, UBO identified, no adverse findings
ACTION: standard verification, no enhanced due diligence
REVIEW_CYCLE: every 3 years
RISK: medium
CRITERIA: EU company, complex ownership structure, minor adverse media
ACTION: enhanced documentation, manual review by eric
REVIEW_CYCLE: annually
RISK: high
CRITERIA: non-EU company, PEP involvement, significant adverse media, opaque ownership
ACTION: enhanced due diligence, dirk-jan approval required
REVIEW_CYCLE: every 6 months
RISK: unacceptable
CRITERIA: sanctioned entity, confirmed money laundering, unable to verify UBO
ACTION: REJECT — do not onboard
REPORTING: unusual transaction report (melding ongebruikelijke transactie) to FIU-Nederland where the Wwft indicators are met; the Dutch threshold is "unusual", which is lower than "suspicious"
CONTRACT_KYC:PASSPORT_VERIFICATION¶
MRZ_VALIDATION¶
WHAT: Machine Readable Zone on passport/ID card
FIELDS: document number, nationality, date of birth, expiry date, check digits
VALIDATION: parse MRZ, verify check digits, cross-reference with human-readable zone
DOCUMENT_CHECKS¶
CHECK: document not expired
CHECK: document type is accepted (passport, national ID — NOT driving license)
CHECK: MRZ check digits valid
CHECK: photo matches liveness check
CHECK: no signs of tampering (for manual review cases)
CHECK: document issuing country is recognized
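Added example, not code from this page or from any of the verification vendors it names: a reference implementation of the MRZ_VALIDATION step and the expiry check above for a two-line TD3 passport MRZ (ICAO Doc 9303 check digits with weights 7,3,1; line-2 field offsets; the composite digit; cross-reference of the parsed fields against the human-readable zone). National ID cards use the three-line TD1 layout with different offsets but the same check-digit algorithm; this block does not parse TD1. The sample MRZ is the ICAO Doc 9303 specimen for the fictitious state UTO, embedded so the block runs offline. The century rule for YYMMDD dates and the tolerance of a filler in place of the optional-data check digit are assumptions, marked in the code.

```python
# Added example (not code from the page or any vendor it names): ICAO 9303 check digits,
# TD3 passport MRZ field extraction, and the MRZ vs visual-zone cross-check.
from datetime import date
from typing import Dict, List, Optional, Tuple

_WEIGHTS = (7, 3, 1)
_ALPHABET = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ<")


def mrz_char_value(ch: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """Weighted sum (weights cycle 7,3,1 from the first character) modulo 10."""
    return sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def _yymmdd(field: str, reference: date, is_birth: bool) -> date:
    """Expand YYMMDD. The century is implicit in the MRZ; assumption used here: expiry
    is always 20YY, and a birth year that would lie after `reference` is 19YY."""
    year, month, day = 2000 + int(field[0:2]), int(field[2:4]), int(field[4:6])
    if is_birth and year > reference.year:
        year -= 100
    return date(year, month, day)


def parse_td3(line1: str, line2: str, reference: date) -> Tuple[Optional[Dict[str, str]], List[str]]:
    """Parse and validate a two-line TD3 MRZ. Returns (record, errors); every failed
    check is reported, not only the first. Offsets follow ICAO 9303 part 4."""
    errors: List[str] = []
    for name, line in (("line1", line1), ("line2", line2)):
        if len(line) != 44:
            errors.append(f"{name}: expected 44 characters, got {len(line)}")
        elif set(line) - _ALPHABET:
            errors.append(f"{name}: characters outside the MRZ alphabet")
    if errors:
        return None, errors

    checked = {"document number": (line2[0:9], line2[9]), "birth date": (line2[13:19], line2[19]),
               "expiry date": (line2[21:27], line2[27]), "optional data": (line2[28:42], line2[42])}
    for name, (value, cd) in checked.items():
        if name == "optional data" and value == "<" * 14 and cd == "<":
            continue  # assumption: some issuers write a filler instead of 0 for an unused field
        if not cd.isdigit() or check_digit(value) != int(cd):
            errors.append(f"{name}: check digit mismatch")
    # The composite digit spans number, birth, expiry and optional data together with
    # their own check digits, so an edit that fixes up one field's digit is still caught.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if not line2[43].isdigit() or check_digit(composite) != int(line2[43]):
        errors.append("composite: check digit mismatch")

    try:
        birth = _yymmdd(line2[13:19], reference, is_birth=True)
        expiry = _yymmdd(line2[21:27], reference, is_birth=False)
    except ValueError:
        errors.append("date field is not a valid YYMMDD date")
        return None, errors
    if expiry < reference:
        errors.append(f"document expired on {expiry.isoformat()}")
    if line1[0] != "P":
        errors.append(f"document type {line1[0:2]!r} is not a passport")

    surname, _, given = line1[5:44].partition("<<")
    record = {
        "issuing_country": line1[2:5].rstrip("<"),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "birth_date": birth.isoformat(),
        "sex": line2[20],
        "expiry_date": expiry.isoformat(),
    }
    return record, errors


def cross_check_viz(record: Dict[str, str], viz: Dict[str, str]) -> List[str]:
    """Compare MRZ fields with the human-readable zone (OCR output or reviewer-entered,
    case and spacing normalised). Returns the fields that disagree; any mismatch
    goes to manual review rather than being auto-corrected."""
    return [k for k, v in record.items() if " ".join(viz.get(k, "").upper().split()) != v]


# Constructed input: the ICAO Doc 9303 specimen passport of the fictitious state UTO.
SPECIMEN_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
```

parse_td3 never raises on a bad check digit and never stops at the first failure: the decision to reject or to route to manual review belongs to the risk assessment step, so the parser reports everything it found and lets the reference date (today for a live check) drive the expiry result.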
ACCEPTED_DOCUMENTS¶
ACCEPTED: EU/EEA passport
ACCEPTED: EU/EEA national identity card
ACCEPTED: Swiss identity card
ACCEPTED: UK passport (post-Brexit, still accepted)
NOT_ACCEPTED: driving license (no nationality, not ICAO compliant)
NOT_ACCEPTED: residence permit (unless combined with passport)
CONTRACT_KYC:LIVENESS_CHECK¶
PURPOSE¶
WHY: prevent identity fraud (using stolen/printed photos)
METHOD: client records short video or takes selfie with movement instructions
MATCHES_AGAINST: photo on submitted ID document
IMPLEMENTATION_OPTIONS¶
PROVIDER: Onfido
INTEGRATION: REST API
FEATURES: document verification + facial biometrics + liveness detection
PRICING: per-check
COMPLIANCE: eIDAS, GDPR, SOC 2
PROVIDER: Veriff
INTEGRATION: SDK (web + mobile) or REST API
FEATURES: document + face match + liveness + address verification
PRICING: per-session
COMPLIANCE: eIDAS, GDPR, ISO 27001
PROVIDER: Sumsub
INTEGRATION: SDK or API
FEATURES: full KYC suite including document, face, AML screening
PRICING: per-verification
COMPLIANCE: eIDAS, GDPR
RECOMMENDATION_FOR_GE: Onfido or Veriff (both strong in EU market)
DECISION: deferred until first client requiring KYC
LIVENESS_RULES¶
RULE: liveness check must be completed within 24 hours of document upload
RULE: maximum 3 attempts; after the third failure → flag for manual review by eric
RULE: biometric data retained for verification period only, then deleted
CONTRACT_KYC:COMPANY_VERIFICATION¶
CHAMBER_OF_COMMERCE_CHECK¶
DUTCH_CLIENTS:
API: Kamer van Koophandel (KvK) API
ENDPOINT: https://api.kvk.nl/api/v1/basisprofielen/{kvkNumber}
RETURNS: company name, address, registration date, SBI codes, legal form
VALIDATES: company exists, is active, name matches provided name
EU_CLIENTS:
SOURCE: European Business Register (EBR) or national equivalent
METHOD: manual lookup + document verification
ALTERNATIVE: client provides official extract, eric verifies against public register
UBO_REGISTER¶
DUTCH: KvK UBO register (registration mandatory since 27 March 2022; public access closed after the November 2022 CJEU ruling, access restricted to competent authorities and Wwft institutions via KvK)
EU: per-country UBO registers (AMLD5 mandate)
VERIFY: cross-reference declared UBOs with register data
IF discrepancy THEN flag for enhanced due diligence
VERIFICATION_TEMPLATE¶
COMPANY VERIFICATION REPORT
Date: YYYY-MM-DD
Verified by: eric
Company: {legal_name}
Registration: {kvk_number} / {country_register_id}
Legal form: {BV / NV / VOF / Eenmanszaak / etc.}
Registration date: {YYYY-MM-DD}
Address: {registered_address}
SBI codes: {industry_codes}
Active: {yes/no}
UBO(s):
1. {name} — {ownership_percentage}% — ID verified: {yes/no}
2. {name} — {ownership_percentage}% — ID verified: {yes/no}
PEP screening: {clear / match found}
Sanctions screening: {clear / match found}
Adverse media: {none / findings described}
Risk level: {low / medium / high / unacceptable}
Decision: {APPROVED / REQUIRES_ENHANCED_DD / REJECTED}
CONTRACT_KYC:DIGITAL_SIGNATURE¶
EIDAS_LEVELS¶
LEVEL: simple electronic signature (SES)
DEFINITION: any electronic data attached to other data used as a signature
EXAMPLE: typed name, checkbox "I agree", email confirmation
LEGAL_WEIGHT: admissible but weakest
USE_FOR: internal approvals, low-value agreements
LEVEL: advanced electronic signature (AES)
DEFINITION: uniquely linked to the signatory, capable of identifying them, created with signature data under their sole control, and linked to the signed data so that any later change is detectable (eIDAS Article 26)
EXAMPLE: ZealID, Signicat, Scrive (EU preferred). DocuSign, HelloSign, Adobe Sign as secondary (US-based — EU data sovereignty risk).
LEGAL_WEIGHT: strong presumption of validity
USE_FOR: standard GE client contracts
LEVEL: qualified electronic signature (QES)
DEFINITION: AES + created by qualified signature creation device + based on qualified certificate
EXAMPLE: government-issued digital ID, qualified trust service provider
LEGAL_WEIGHT: equivalent to handwritten signature across all EU member states
USE_FOR: high-value contracts, disputes-prone situations
RECOMMENDED_PROVIDERS¶
PROVIDER: ZealID (Sweden — EU)
LEVEL: QES (QTSP on EU Trusted List), AES
INTEGRATION: REST API, webhook notifications
COMPLIANCE: eIDAS QTSP, GDPR-native, PSD2 SCA
NOTE: EU-based, qualified signatures by default. Ideal for high-assurance needs.
PROVIDER: Signicat (Norway — EEA)
LEVEL: QES (QTSP under eIDAS), AES
INTEGRATION: REST API, SDK
COMPLIANCE: eIDAS QTSP, ISO 27001, connects to DigiD (NL), BankID (NO/SE)
NOTE: EU-based, strong identity verification + signing combined.
PROVIDER: Scrive (Sweden — EU)
LEVEL: AES
INTEGRATION: REST API
COMPLIANCE: eIDAS, GDPR-native
NOTE: EU-based, good API, cost-effective for standard contracts.
SECONDARY: DocuSign (US)
LEVEL: AES (standard), QES (optional add-on via EU trust service providers)
INTEGRATION: REST API, webhook notifications on completion
COMPLIANCE: eIDAS, SOC 2, ISO 27001
NOTE: US-based service. Use only if client explicitly requires. EU data sovereignty risk.
SECONDARY: HelloSign / Dropbox Sign (US)
LEVEL: AES
INTEGRATION: REST API
NOTE: US-based service. Simpler, lower cost. Use only if client explicitly requires. EU data sovereignty risk.
SIGNATURE_FLOW¶
1. Eric generates contract PDF from template
2. Eric submits to e-signature provider API (ZealID/Signicat/Scrive preferred) with signature fields
3. Client receives email with signing link
4. Client reviews document
5. Client signs (AES: email + SMS verification; QES: eID verification via ZealID/Signicat)
6. Provider returns signed PDF + audit trail
7. Eric stores signed contract + audit trail
8. Eric updates client status to "contract_signed"
9. Client proceeds to Aimee for scoping
SIGNATURE_RULES¶
RULE: both parties sign (GE represented by Dirk-Jan)
RULE: signing order: client first, then GE (prevents sending unsigned GE commitment)
RULE: signed contract stored in client folder + compliance archive
RULE: audit trail (IP, timestamp, email verification) stored alongside
RULE: contract stored for 7 years post-termination (Dutch fiscal requirement)
CONTRACT_KYC:PAYMENT_PROCESSING¶
PAYMENT_METHODS¶
METHOD: bank transfer (SEPA)
PREFERRED: yes (lowest cost, standard for B2B in Netherlands)
PROCESSING: invoice includes GE IBAN, client transfers manually
RECONCILIATION: margot tracks via bank statements
METHOD: credit card (via Mollie or Stripe)
PREFERRED: for small engagements or international clients
PROCESSING: Mollie payment link in invoice (primary). Stripe secondary for international clients.
NOTE: Stripe is US-based — EU data sovereignty risk.
FEES: 1.4% + EUR 0.25 per transaction (EU cards)
METHOD: direct debit (SEPA incasso)
PREFERRED: for retainer clients (recurring monthly)
PROCESSING: client signs SEPA mandate, GE initiates monthly collection
LEAD_TIME: mandate setup 5 business days, collection 2 business days
PAYMENT_GATE¶
RULE: first payment (or deposit) must be received before scoping begins
RULE: deposit = 25% of estimated project value OR first month retainer
RULE: if deposit not received within 14 days of contract signing → follow up
RULE: if deposit not received within 28 days → contract void, client must re-sign
RECOMMENDED_PROVIDER¶
PROVIDER: Mollie
WHY: Dutch company, strong in NL/EU market, SEPA + cards + iDEAL
INTEGRATION: REST API, webhooks for payment status (the webhook delivers only the payment id and is not signed; fetch the payment from the API for its status and amount, never act on the webhook body)
COMPLIANCE: PSD2, PCI DSS Level 1
PROVIDER: Stripe (secondary)
WHY: global coverage, excellent API, broader payment methods
INTEGRATION: REST API, webhooks
COMPLIANCE: PSD2, PCI DSS Level 1, SOC 2
NOTE: US-based service. Use only if client explicitly requires international coverage beyond EU. EU data sovereignty risk.
RECOMMENDATION: Mollie is PRIMARY for all NL/EU operations. Stripe only as secondary for international expansion, with sovereignty warning to client.
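Added example, not Mollie's code and not from this page: a deposit-gate webhook handler showing how the PAYMENT_GATE rules and the Mollie webhook fit together without trusting the webhook. Mollie's webhook POST carries only id=tr_... and no signature (per Mollie's API docs at the time of writing), so the handler takes nothing but the id from the body, re-fetches the payment with GE's API key, and checks status, amount and currency against the deposit expected for that client before marking the gate as passed; it also ignores ids it did not create and handles Mollie's redeliveries idempotently. The PaymentGate and ExpectedDeposit names, the constructed payment ids (tr_deposit01 and so on) and the canned API responses in build_demo_gate are assumptions for illustration; the response field names status, amount.value and amount.currency follow the v2 API docs and should be re-checked against current documentation.

```python
# Added example (not Mollie's or the page's code): deposit gate driven by Mollie's
# id-only webhook. Nothing in the webhook body is trusted except the id; the payment
# is re-fetched over the authenticated API and checked against the expected deposit.
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Optional, Set

MOLLIE_API = "https://api.mollie.com/v2"


@dataclass
class ExpectedDeposit:
    client_id: str
    amount: Decimal          # 25% of the estimate or the first retainer month (page rule)
    currency: str = "EUR"


@dataclass
class PaymentGate:
    """Deposit gate keyed by Mollie payment id. `fetch_payment` is injected so the
    logic can run offline; the default performs the authenticated GET against Mollie."""
    api_key: str
    expected: Dict[str, ExpectedDeposit]
    fetch_payment: Optional[Callable[[str], dict]] = None
    paid_clients: Set[str] = field(default_factory=set)
    processed: Set[str] = field(default_factory=set)

    def _fetch(self, payment_id: str) -> dict:
        if self.fetch_payment is not None:
            return self.fetch_payment(payment_id)
        req = urllib.request.Request(
            f"{MOLLIE_API}/payments/{urllib.parse.quote(payment_id)}",
            headers={"Authorization": f"Bearer {self.api_key}"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def handle_webhook(self, body: bytes) -> str:
        """Handle one delivery of Mollie's 'id=tr_...' webhook. Returns an outcome
        string for the log. The id is the only value taken from the body."""
        form = urllib.parse.parse_qs(body.decode("utf-8", errors="replace"))
        payment_id = form.get("id", [""])[0]
        if not payment_id.startswith("tr_"):
            return "ignored: malformed id"
        if payment_id not in self.expected:
            return "ignored: not a payment this system created"
        if payment_id in self.processed:
            return "duplicate: already applied"      # Mollie redelivers; stay idempotent
        payment = self._fetch(payment_id)
        exp = self.expected[payment_id]
        status = payment.get("status")
        if status != "paid":
            return f"pending: status={status}"       # open/failed/expired/canceled: no change
        amt = payment.get("amount", {})
        try:
            value = Decimal(str(amt.get("value", "")))
        except InvalidOperation:
            return "rejected: unparsable amount"
        if amt.get("currency") != exp.currency or value < exp.amount:
            return "rejected: amount or currency below expected deposit"
        self.processed.add(payment_id)
        self.paid_clients.add(exp.client_id)
        return f"paid: client {exp.client_id} passes the deposit gate"

    def gate_passed(self, client_id: str) -> bool:
        return client_id in self.paid_clients


def build_demo_gate() -> PaymentGate:
    """Gate wired to constructed API responses (no network) for exercising the logic."""
    responses = {
        "tr_deposit01": {"status": "paid", "amount": {"value": "2500.00", "currency": "EUR"}},
        "tr_deposit02": {"status": "open", "amount": {"value": "2500.00", "currency": "EUR"}},
        "tr_deposit03": {"status": "paid", "amount": {"value": "250.00", "currency": "EUR"}},
    }
    expected = {
        "tr_deposit01": ExpectedDeposit("client-001", Decimal("2500.00")),
        "tr_deposit02": ExpectedDeposit("client-002", Decimal("2500.00")),
        "tr_deposit03": ExpectedDeposit("client-003", Decimal("2500.00")),
    }
    return PaymentGate(api_key="test_dummy", expected=expected, fetch_payment=responses.__getitem__)
```

Three properties matter for the gate: the body is treated as untrusted input (an attacker who learns the webhook URL can POST any id and any status), a partial payment or a currency mismatch does not open the gate, and a redelivered webhook for an already-applied payment changes nothing. Replace the sets with durable storage in production so idempotency survives a restart.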
CONTRACT_KYC:DATA_RETENTION¶
KYC_DOCUMENTS¶
RETENTION: 5 years after end of business relationship (Wwft Article 33)
STORAGE: encrypted at rest, access-controlled
ACCESS: eric + dirk-jan only
DELETION: automated after retention period expires
CONTRACT_DOCUMENTS¶
RETENTION: 7 years after contract termination (Dutch fiscal law)
STORAGE: compliance archive, immutable
ACCESS: eric + dirk-jan + external auditor (on request)
BIOMETRIC_DATA¶
RETENTION: until verification completed, then deleted within 30 days
LEGAL_BASIS: GDPR Article 9(2)(g) — substantial public interest (AML)
DATA_SUBJECT_RIGHTS: right to information (Article 13); right to erasure does NOT apply while the Wwft retention obligation runs (Article 17(3)(b))
RETENTION_SCHEDULE¶
| Data Type | Retention | Legal Basis | Auto-Delete |
|-----------|-----------|-------------|-------------|
| ID document copy | 5 years post-relationship | Wwft Art. 33 | Yes |
| Liveness biometrics | 30 days post-verification | GDPR Art. 9(2)(g) | Yes |
| PEP/sanctions results | 5 years post-relationship | Wwft Art. 33 | Yes |
| Signed contracts | 7 years post-termination | Fiscal law | Yes |
| Payment records | 7 years post-transaction | Fiscal law | Yes |
| Communication logs | 2 years post-relationship | Legitimate interest | Yes |
GDPR_COMPLIANCE¶
PRIVACY_NOTICE: provided to client before KYC data collection
CONTENTS: what data, why, legal basis, retention period, rights, DPO contact
LEGAL_BASIS_FOR_KYC: legal obligation (GDPR Article 6(1)(c)) — Wwft compliance
LEGAL_BASIS_FOR_CONTRACT: contractual necessity (GDPR Article 6(1)(b))
CONTRACT_KYC:STOP_GO_GATE¶
DECISION_MATRIX¶
| KYC Status | Contract Status | Decision |
|---|---|---|
| Verified | Signed + deposit | GO — proceed to Aimee |
| Verified | Signed, no deposit | WAIT — follow up on deposit |
| Verified | Unsigned | WAIT — follow up on signing |
| Pending | Signed | WAIT — complete KYC first |
| Pending | Unsigned | WAIT — complete both |
| Failed | Any | STOP — reject client |
| Any | Expired (>28 days) | STOP — restart process |
REJECTION_TEMPLATE¶
Subject: Growing Europe — Unable to proceed
Dear {client_name},
Thank you for your interest in Growing Europe's services.
Unfortunately, we are unable to proceed with your engagement at this time.
We are not able to provide specific reasons for this decision due to
regulatory requirements.
If you believe this is an error, you may contact us to discuss
alternative documentation.
Kind regards,
Eric
Contract & Compliance — Growing Europe
RULE: NEVER disclose the specific KYC failure reason; where an unusual transaction report is involved this is the Wwft Article 23 tipping-off prohibition, in all other cases it is GE policy so that rejections cannot be distinguished from reported cases
RULE: rejection communicated by eric, not margot
RULE: rejected client data retained per schedule, not deleted early
CONTRACT_KYC:PITFALLS¶
PITFALL: starting work before KYC is complete
IMPACT: Wwft violation, potential fine, audit failure
RULE: the STOP/GO gate is absolute. No exceptions without Dirk-Jan's personal approval.
PITFALL: accepting driving license as ID
IMPACT: insufficient for KYC (no nationality field, not ICAO standard)
RULE: only passport or national ID card accepted
PITFALL: retaining biometric data beyond 30 days
IMPACT: GDPR violation (Article 5(1)(e) — storage limitation)
RULE: automated deletion of liveness data 30 days after verification
PITFALL: tipping off a client about an unusual transaction report filed with FIU-Nederland
IMPACT: breach of the Wwft Article 23 confidentiality obligation, a criminal offense
RULE: if a report is filed, communicate normally, NEVER mention the report
PITFALL: using simple electronic signature for high-value contracts
IMPACT: weak legal standing if disputed
RULE: AES minimum for all client contracts, QES for engagements > EUR 50,000
PITFALL: not re-verifying long-dormant clients
IMPACT: KYC data may be outdated
RULE: if client inactive > 12 months, re-verify before new engagement