To implement the Virginia-specific “Gonen Gate,” your technical team must build a system that goes beyond a simple password. Under Virginia Code § 13.1-514.1 and the 2015 JOBS Act, “reasonable care” in verifying residency is the legal standard for intrastate exemptions.
This technical brief provides the “Blueprint” for your web developers to build a compliant, secure, and professional portal for the GONEN Capital Portal.
TECHNICAL SPECIFICATIONS: THE “GONEN GATE”
1. Perimeter Defense: Geofencing & IP Logic
- IP Geolocation API: Integrate a service like IP2Location or MaxMind. The system must block access to the Virginia investment pages if the IP resolves outside of Virginia.
- VPN/Proxy Detection: Implement a “risk score” check. If a user is on a known VPN (Nord, ExpressVPN) or a data center IP (AWS, Azure), the portal must automatically trigger a Hard Lock and require manual Trustee review.
- Timezone Verification: The browser’s local clock must match UTC-5 (Eastern Time). If a user has a Virginia IP but their system clock is set to Pacific Time, the system flags a “Location Mismatch”.
2. The “Trusted Identity” Verification (KYC)
Your developers should use an API-based identity service (like Jumio or Stripe Identity) to automate the “Manual Review Checklist” we created:
- OCR ID Extraction: The system must scan the uploaded Virginia Driver’s License and extract the Address and Expiration Date.
- Facial Recognition (Liveness Check): To prevent identity theft, the user must take a “live” selfie that matches the photo on their Virginia ID.
- Database Cross-Check: The extracted address must be validated against a third-party database (like a credit bureau or utility records) to confirm a “Physical Nexus” in the Commonwealth.
3. Financial Guardrails (Virginia Limits)
Virginia law sets specific limits for non-accredited investors. Your portal must include a Smart Cap Engine:
- Investment Ceiling: For the Virginia-only exemption, the system must hard-block any single investment from a non-accredited resident exceeding $10,000 per 12-month period.
- Aggregate Raise Cap: The portal must track the total amount raised for the project and “close” the offering automatically once it hits the $2 Million intrastate limit.
SYSTEM ARCHITECTURE: DATA FLOW
| Component | Technology | Legal Purpose |
|---|---|---|
| Hosting | AWS Region: us-east-1 (Ashburn, VA) | Keeps all data and “System Time” within Virginia borders. |
| Document Vault | AES-256 Encrypted S3 Bucket | Satisfies the 3-year record-keeping requirement for the SCC. |
| E-Signature | DocuSign / HelloSign API | Captures the “Residency Affidavit” with a legally binding timestamp. |
Developer “To-Do” List for Phase 1
- [ ] Environment Setup: Ensure the portal’s primary server is physically located in a Virginia data center.
- [ ] Geofence Test: Create a “Honey Pot” URL that only allows Virginia IPs; test it using the VPNs we discussed.
- [ ] The Escrow Trigger: Program the portal so that funds are only released from the digital escrow to the GONEN Statutory Trust once the “Minimum Target” (as defined in your SCC filing) is reached.
The “Gonen” Technical Standard
Every time a user logs in, the system should generate a Compliance Log Entry. This log proves to a Virginia auditor that you verified the resident’s location at the moment of investment, not just at registration.
Would you like me to draft the “System Security Audit” document that your Managing Trustee can use to verify that the developers have built the gate correctly?