GAO VPN — Sanctions & Compliance Profile

1. Compliance Architecture — Overview

Gao VPN enforces sanctions and export control obligations at four independent layers. A violation requires bypassing all four simultaneously.

Layer 1: Purchase Flow Geofencing       block sanctioned users at payment  
Layer 2: Entry Node Geo-Restriction     block connections from sanctioned IPs  
Layer 3: Exit Node Destination Block    block traffic to sanctioned IP ranges  
Layer 4: Node Registry Jurisdiction     prohibit nodes in sanctioned regions

No single layer is sufficient alone. Defense-in-depth is required.


2. Sanctions Intelligence Source

2.1 Primary Sources

Source                              Coverage                               Update Cadence
OFAC SDN List (US Treasury)         Sanctioned entities + associated IPs   Daily pull
OFAC Consolidated Sanctions List    All OFAC programs                      Daily pull
EU Consolidated Sanctions List      EU-sanctioned entities                 Daily pull
UN Security Council Sanctions       Global baseline                        Daily pull

IP range mapping vendor: Gao VPN supplements entity-based OFAC lists with MaxMind GeoIP2 Enterprise for geolocation and Recorded Future for sanctions-mapped IP intelligence. Vendor selection is final; contracts are to be executed prior to Phase 1 launch. Any vendor change requires a compliance review and 30-day notice to legal counsel.

Update cadence: daily at 00:00 UTC. Sanctions feed failures are fail-closed — if the feed has not updated within 26 hours, the affected enforcement point enters deny-all mode for destination enforcement until the feed is restored.

2.2 CSAM Blocklist

Source                                       Update Cadence
IWF (Internet Watch Foundation)              Weekly
NCMEC CyberTipline hash feed                 Weekly
Interpol ICSE database (where accessible)    Weekly


3. Enforcement Points — Detail

3.1 Layer 1 — Purchase Flow Geofencing

What it does: Blocks users in OFAC-sanctioned countries from purchasing VPN access (prepaid bundles, x402 pay-per-use).

Enforcement point: Gao VPN purchase API (operated by Toii Labs in Phase 1).

Method:

  • GeoIP check at purchase time against user IP

  • Decline purchase if IP resolves to: Cuba, Iran, North Korea, Syria, Belarus (sanctioned entities), the Covered Regions of Ukraine (Crimea, and the so-called Donetsk People’s Republic and Luhansk People’s Republic — collectively “Covered Regions” per OFAC Ukraine-/Russia-Related Sanctions), or any jurisdiction added to OFAC SDN with country-level designation

  • Return generic error (no reason disclosed — avoids enumeration)

Limitation acknowledged: VPN users may already be masking their IP. Purchase flow geofencing is a good-faith compliance measure, not an absolute technical barrier. Combined with Layers 2–4, the overall barrier is robust.

Responsibility: Toii Labs (Phase 1). Decentralized coordinators (Phase 2+) — governance vote required to update country list.

3.2 Layer 2 — Entry Node Connection Restriction

What it does: Entry nodes reject incoming WireGuard connections from IP addresses geolocating to OFAC-sanctioned countries.

Enforcement point: Entry node software (enforced at connection handshake, before any data is transmitted).

Method:

  • IP geolocation check at handshake (MaxMind GeoIP2 or equivalent)

  • Reject if source IP resolves to sanctioned country

  • Log rejection event (no content — source IP and timestamp only, purged 24h)

Update cadence: GeoIP database updated weekly. Node software checks for updates on startup and every 24h. If database is stale (>8 days), node enters restricted mode: only accept connections from known-clean regions.

Node operator obligation: Entry node operators MUST run current node software. Failure to update within 14 days of a mandatory update = slashing condition (see §6).
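As an added example (not Gao VPN or Toii Labs code), the decision logic of Layers 1 and 2 in Python over a constructed GeoIP table: the purchase API returns one generic error for every decline, the entry node rejects sanctioned source IPs at handshake and falls back to an allowlist-only restricted mode when its GeoIP database is older than 8 days, and the rejection log keeps only source IP and timestamp, purged after 24 hours. The prefix table (RFC 5737 documentation ranges), the subdivision codes used for the Covered Regions, the known-clean allowlist, and the fail-closed treatment of an IP that cannot be geolocated are all assumptions; a real deployment queries MaxMind GeoIP2 instead of the stand-in lookup.

```python
"""Added example, not project code: Layer 1 (purchase geofence) and Layer 2
(entry-node handshake restriction) over a constructed GeoIP table."""
import ipaddress
import time

# Constructed GeoIP table: prefix -> (ISO 3166-1 country, subdivision code).
# RFC 5737 documentation prefixes stand in for real vendor data.
GEOIP_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"):     ("DE", None),
    ipaddress.ip_network("198.51.100.0/24"):  ("IR", None),
    ipaddress.ip_network("203.0.113.0/25"):   ("UA", "43"),  # assumed code: Crimea
    ipaddress.ip_network("203.0.113.128/25"): ("UA", "30"),  # assumed code: Kyiv city
}

# Countries declined at purchase (§3.1) and rejected at handshake (§3.2).
SANCTIONED_COUNTRIES = {"CU", "IR", "KP", "SY", "BY"}
# Covered Regions of Ukraine. Subdivision codes are an assumption here; map them
# from the vendor's region identifiers in a real deployment.
COVERED_REGIONS_UA = {"43", "14", "09"}  # Crimea, Donetsk, Luhansk (assumed)
# Regions an entry node keeps serving in restricted mode (assumed allowlist).
KNOWN_CLEAN = {"DE", "FR", "US", "JP"}

GEOIP_MAX_AGE_DAYS = 8
GENERIC_ERROR = "Purchase could not be completed."  # same text for every decline


def lookup(ip):
    """Stand-in for a GeoIP2 query: returns (country, subdivision) or None."""
    addr = ipaddress.ip_address(ip)
    for net, loc in GEOIP_TABLE.items():
        if addr in net:
            return loc
    return None


def is_sanctioned(loc):
    if loc is None:
        # Assumption: an IP that cannot be geolocated is treated as restricted
        # (fail closed), matching the document's fail-closed stance elsewhere.
        return True
    country, region = loc
    return country in SANCTIONED_COUNTRIES or (
        country == "UA" and region in COVERED_REGIONS_UA)


def purchase_decision(ip):
    """Layer 1: returns (allowed, error). The error never states the reason,
    so a caller cannot enumerate which countries or regions are blocked."""
    if is_sanctioned(lookup(ip)):
        return (False, GENERIC_ERROR)
    return (True, None)


def handshake_decision(ip, db_age_days):
    """Layer 2: True to accept the WireGuard handshake. With a GeoIP database
    older than 8 days the node only accepts known-clean regions."""
    loc = lookup(ip)
    if db_age_days > GEOIP_MAX_AGE_DAYS:
        return loc is not None and loc[0] in KNOWN_CLEAN
    return not is_sanctioned(loc)


# Rejection log: (source IP, unix timestamp) only, nothing else is recorded.
REJECTION_LOG = []


def log_rejection(ip, now_ts):
    REJECTION_LOG.append((ip, now_ts))


def purge_rejection_log(now_ts):
    """Drop entries older than 24h; returns the number of entries kept."""
    cutoff = now_ts - 24 * 3600
    REJECTION_LOG[:] = [e for e in REJECTION_LOG if e[1] > cutoff]
    return len(REJECTION_LOG)


if __name__ == "__main__":
    now = time.time()
    for ip in ("192.0.2.1", "198.51.100.7", "203.0.113.5", "203.0.113.200"):
        print(ip, "purchase:", purchase_decision(ip),
              "handshake(fresh db):", handshake_decision(ip, 1),
              "handshake(stale db):", handshake_decision(ip, 9))
        if not handshake_decision(ip, 1):
            log_rejection(ip, now)
    print("log entries after purge:", purge_rejection_log(now))
```

Both decision functions consult the same lookup, so the country list is maintained in one place; the entry node's restricted mode deliberately switches from a deny-list to an allowlist so that a stale database cannot silently admit a newly designated region.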

3.3 Layer 3 — Exit Node Destination Blocking

What it does: Exit nodes block outbound traffic to IP ranges associated with OFAC-sanctioned entities and countries.

Enforcement point: Exit node firewall rules (iptables/nftables), updated daily.

Method:

  • Maintain local deny-list of OFAC-sanctioned IP ranges

  • Block at kernel firewall level (not application level), so a bug in the node application cannot bypass the block

  • IP ranges sourced from sanctions intel feed (§2.1)

  • Fail-closed: if feed has not refreshed within 26 hours, node blocks all traffic to previously-sanctioned ranges until feed restored

Scope of blocking:

  • OFAC SDN-associated IP ranges

  • Country-level IP blocks for: Cuba, Iran, North Korea, Syria, and the Covered Regions of Ukraine (Crimea and occupied territories per OFAC Ukraine-/Russia-Related Sanctions)

  • Any entity-level IP ranges added by OFAC with <48h propagation SLA

Update cadence: Daily at 02:00 UTC (staggered from feed pull to allow processing).

Node operator obligation: Exit node operators must run current blocking software. Override or disabling of blocking = immediate slashing (see §6).
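As an added example (not the project's code), a Python generator for the Layer 3 nftables deny-list that applies the fail-closed rule stated in §2.1 and in this section: a feed snapshot older than 26 hours, or a failed pull, is ignored and the last known ranges stay in force rather than being flushed; the §6 "> 48h stale" audit condition is the same timestamp comparison with a longer threshold. The feed dictionary format, the table and set names gao_exit and sanctioned_dst, the constructed sample ranges (RFC 5737 documentation prefixes) and the IPv4-only handling are assumptions.

```python
"""Added example, not project code: Layer 3 exit-node destination blocking.
Renders an nftables ruleset from a sanctions feed and keeps the last good
deny-list when the feed is missing or stale (fail closed)."""
import ipaddress
import time

FEED_MAX_AGE = 26 * 3600       # §2.1 / §3.3: feed older than this is not trusted
AUDIT_STALE_AFTER = 48 * 3600  # §6: blocking list > 48h stale is a slashing condition


def feed_is_fresh(feed_updated_ts, now_ts):
    return now_ts - feed_updated_ts <= FEED_MAX_AGE


def normalize(ranges):
    """Parse, deduplicate and collapse overlapping IPv4 ranges (assumption:
    IPv4 only) so the nftables set contains the minimal interval list."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    v4 = {n for n in nets if n.version == 4}
    return [str(n) for n in ipaddress.collapse_addresses(v4)]


def select_deny_list(feed, last_good, now_ts):
    """feed: {'updated_at': unix ts, 'ranges': [cidr, ...]} or None if the pull
    failed (assumed format). Returns (ranges, mode). The fallback is the
    previously applied list, never an empty list."""
    if feed is not None and feed_is_fresh(feed["updated_at"], now_ts):
        return (normalize(feed["ranges"]), "normal")
    return (normalize(last_good), "fail-closed")


def render_nft(ranges, mode):
    """Build an nftables script dropping forwarded packets whose destination
    is in the set. nft rejects an empty element list, so that line is omitted
    when there is nothing to block."""
    lines = [
        "table inet gao_exit {",
        f"    # deny-list mode: {mode}",
        "    set sanctioned_dst {",
        "        type ipv4_addr",
        "        flags interval",
    ]
    if ranges:
        lines.append("        elements = { " + ", ".join(ranges) + " }")
    lines += [
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ip daddr @sanctioned_dst drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def audit_stale(last_applied_ts, now_ts):
    """§6 automated check: True when the applied list is more than 48h old."""
    return now_ts - last_applied_ts > AUDIT_STALE_AFTER


if __name__ == "__main__":
    now = time.time()
    last_good = ["198.51.100.0/24"]                    # constructed sample
    fresh = {"updated_at": now - 2 * 3600,             # constructed sample feed
             "ranges": ["198.51.100.0/24", "198.51.100.0/25", "203.0.113.64/26"]}
    stale = {"updated_at": now - 27 * 3600, "ranges": ["192.0.2.0/24"]}
    for feed in (fresh, stale, None):
        ranges, mode = select_deny_list(feed, last_good, now)
        print(render_nft(ranges, mode))
    print("audit stale after 49h:", audit_stale(now - 49 * 3600, now))
```

The rendered text is what an operator would hand to `nft -f`; applying it atomically replaces the set contents, so a partial or stale feed never leaves the node with fewer blocked ranges than it had before.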

3.4 Layer 4 — Node Registry Jurisdiction Prohibition

What it does: Prohibits node registration (Entry or Exit) from operators in OFAC-sanctioned jurisdictions.

Enforcement point: NodeRegistry smart contract (Base L2) + off-chain operator verification.

Method — Phase 1 (Toii-operated):

  • All nodes operated by Toii Labs (US entity)

  • Toii Labs performs KYB on any Phase 1 infrastructure partners

Method — Phase 2+ (permissionless):

  • Node registration requires operator to attest jurisdiction (on-chain attestation)

  • Operators in sanctioned jurisdictions cannot register (smart contract enforces)

  • Toii Labs and governance committee perform periodic spot-checks

  • False attestation = slashing + permanent ban from registry

Countries prohibited from operating nodes: Cuba, Iran, North Korea, Syria, Belarus (for sanctioned entities), the Covered Regions of Ukraine (Crimea and occupied territories per OFAC Ukraine-/Russia-Related Sanctions), and any jurisdiction designated by OFAC with a General License requirement.


4. Compliance Ownership by Phase

Phase 1 — Toii Labs as Operator

During Phase 1, Toii Labs operates all infrastructure. Toii Labs bears primary compliance responsibility.

Function                             Responsible Party
Purchase flow geofencing             Toii Labs
Entry node geo-restriction           Toii Labs
Exit node destination blocking       Toii Labs
Sanctions intel feed subscription    Toii Labs
DMCA handling                        Toii Labs
OFAC compliance program              Toii Labs

Toii Labs maintains a designated compliance officer responsible for sanctions program oversight.

Phase 2+ — Decentralized Nodes

When external node operators join the network:

Function                             Responsible Party
Purchase flow geofencing             Toii Labs (centralized purchase API) or decentralized coordinator
Entry node geo-restriction           Individual node operator (enforced by software + slashing)
Exit node destination blocking       Individual node operator (enforced by software + slashing)
Sanctions intel feed distribution    Toii Labs distributes; node operators consume
DMCA handling                        Individual exit node operators (per their jurisdiction)
Node registration compliance         NodeRegistry smart contract + governance

Node operators are independent contractors, not employees or agents of Toii Labs. Each operator is solely responsible for compliance with laws in their jurisdiction.


5. User-Facing Geo-Restriction Policy

5.1 Restricted Users

Users located in the following jurisdictions cannot access Gao VPN services:

  • Cuba

  • Iran

  • North Korea (DPRK)

  • Syria

  • The Covered Regions of Ukraine (Crimea and occupied territories per OFAC Ukraine-/Russia-Related Sanctions)

  • Any other jurisdiction subject to comprehensive OFAC sanctions at time of access

5.2 Enforcement Method

Users in restricted jurisdictions are blocked at:

  1. Purchase flow (cannot buy access)

  2. Entry node (connection rejected at handshake)

5.3 Good Faith Standard

Gao VPN applies a good-faith standard: restrictions are enforced based on IP geolocation. Users who mask their IP to bypass these restrictions do so in violation of Gao VPN Terms of Service and bear sole legal responsibility.


6. Slashing Conditions — Sanctions Enforcement

Existing slashing conditions (logging, downtime, DMCA) are supplemented with sanctions-specific conditions:

Violation                                               Evidence Required                                               Penalty
Exit node not blocking OFAC IP ranges                   Spot-check audit: probe exit node with OFAC-range destination   15% stake slashed
Exit node blocking list > 48h stale                     Automated check: timestamp of last update                       5% stake slashed
Entry node accepting connections from sanctioned IPs    Spot-check: test connection from sanctioned IP range            10% stake slashed
False jurisdiction attestation on registry              KYC/investigation                                               100% stake slashed + permanent ban
Disabling or overriding blocking software               Audit log + node behavior analysis                              20% stake slashed + removal
Repeat violations (same condition, >2x in 90 days)      Audit history                                                   100% stake slashed + permanent ban

Audit process:

  • Automated: protocol runs weekly spot-checks against all exit nodes using probe IPs from OFAC-sanctioned ranges

  • Manual: governance committee may initiate investigation on complaint or anomaly

  • Results published on-chain (pseudonymous node ID, violation type, penalty applied)


7. DMCA & Legal Request Handling

7.1 Phase 1 (Toii-operated)

Toii Labs designated DMCA agent: [filed with US Copyright Office]

DMCA notices: dmca@toiilabs.com

Response SLA: 5 business days for valid notices.

Standard response: disable exit routing to infringing destination (not user ban — destination-level block only).

7.2 Phase 2+ (Node operators)

Each exit node operator is responsible for DMCA compliance in their jurisdiction.

Toii Labs provides:

  • Standard DMCA response template

  • Node Operator Legal FAQ

  • Recommended hosting jurisdictions (privacy-friendly, clear legal framework)

Exit node operators in the US must file a DMCA designated agent with the US Copyright Office before operating.


8. Data Retention & Privacy

Data Type                 Retention                        Location
Source IP (Entry Node)    24 hours max                     Entry node only — never transmitted
Bytes transferred         30 days (billing)                Encrypted, aggregated
Session timestamps        30 days (billing)                Encrypted, aggregated
Destination URLs          Never logged
User identity             Never associated with session
Payment voucher           Never linked to session

Data minimization is enforced by protocol design, not just policy. Nodes that log prohibited data are subject to slashing (§6 above and existing slashing schedule).


9. Regulatory Classification Statement

Gao VPN is infrastructure software — a transport-layer protocol for encrypted internet traffic routing.

Gao VPN does NOT:

  • Provide financial services

  • Custody user assets

  • Guarantee compensation to node operators

  • Distribute revenue centrally

  • Operate as a money services business (MSB)

  • Constitute an investment contract under Howey Test analysis

Node operator compensation depends on independent operation, market demand, and verified routing performance. No guaranteed return exists.

Export control: Gao VPN uses publicly available cryptographic algorithms (WireGuard/ChaCha20-Poly1305, AES-256-GCM, Curve25519) that are EAR99 or publicly available under 15 CFR §742.15. No export license is required for distribution of the client software in non-sanctioned jurisdictions.


10. Open Questions for Legal Counsel

The following items require jurisdiction-specific legal review before public launch:

  1. US person / operator definition: Toii Labs as US entity operating Phase 1 nodes — confirm no OFAC General License required for bootstrap phase.

  2. 50 Percent Rule: If sanctioned persons own >50% stake in a node operator, that operator is treated as sanctioned. Confirm smart contract enforcement is sufficient or if additional KYB screening is needed at node registration.

  3. VPN as potential money transmitter: x402 micropayments flow through nodes. Confirm node operators are not inadvertently operating as money transmitters under FinCEN guidance.

  4. State-level requirements: Some US states (NY BitLicense, etc.) may have additional requirements. Confirm whether VPN bandwidth payments constitute covered activity.

  5. EU NIS2 Directive: If exit nodes operate in EU, confirm applicability of NIS2 cybersecurity requirements for network infrastructure operators.

  6. Apple / Google app store compliance: Both stores have specific VPN app requirements. Confirm compliance before mobile app submission.


GAO VPN Sanctions & Compliance Profile — GV-CP/1.0
Toii Labs LLC — For counsel review and public disclosure
This document does not constitute legal advice.