Anteyko

Case Study

Tokenization & Digital Investment Platform (Dubai, UAE)

End-to-end digital investment platform and tokenization infrastructure built at the peak of Dubai's crypto-hub momentum: onboarding, KYC/verification fully aligned with VARA's codified Virtual Assets Regulations (February 2023), Private Sale module with on‑chain token allocation, investor dashboard, admin panel with full audit trail, and Solidity 0.8 smart contracts on Polygon PoS — compliance-first architecture for a Dubai-based investment company capitalizing on the 2023 RWA tokenization wave.

  • Platform modules: 6
  • User roles (RBAC): 3
  • KYC verification statuses: 4
  • Compliance coverage: 100%

Year: 2023
Industry: Investment / FinTech / Tokenization
Timeline: 12 weeks

Problem

In 2023 Dubai had cemented its position as the world's leading virtual assets jurisdiction — VARA published its comprehensive Virtual Assets and Related Activities Regulations in February 2023, giving the market the first fully codified rulebook in the region. Investment companies across the emirate now had clear compliance targets but needed production-grade digital infrastructure to meet them. A Dubai-based investment company (L.L.C) operating in real-world asset (RWA) tokenization — the dominant blockchain narrative of 2023, with BlackRock, Hamilton Lane, and Siemens entering the space — needed a controlled, transparent, and legally compliant entry point for international investors: securely collect and store user data, conduct KYC/verification meeting both UAE federal AML/CFT requirements and the newly codified VARA guidelines, provide access to Private Sale rounds with on-chain token allocation, and ensure transaction transparency with a full audit trail and role-based access control. Most tokenization platforms in the MENA region were either unregulated DeFi frontends carried over from the 2021‑2022 cycle or over-engineered enterprise solutions with 6+ month delivery timelines and pre-2023 compliance assumptions. The client needed a production-grade platform combining a web investment product, a Private Sale module, an EVM-compatible blockchain layer for ERC-20 token issuance on Polygon PoS (chosen for sub-cent gas fees critical for investor onboarding UX), and an operational admin panel — delivered in 12 weeks to meet the Q3 2023 Private Sale launch deadline.

Constraints

  • UAE AML/CFT compliance + full alignment with VARA Virtual Assets Regulations (codified February 2023)
  • KYC as the core access gate — no platform feature available before identity verification
  • Role-based access control (user / admin / ops) for all critical operations
  • Private Sale must enforce limits, statuses, and safe state transitions with idempotent operations
  • Auditability & traceability for every sensitive action (who, when, what changed, from which IP)
  • Document upload/storage with AES‑256 encryption at rest, per‑user KMS keys, and access control
  • Investor-grade UX: dashboard, history, transparency — not a 'crypto demo'
  • Polygon PoS for token issuance (sub‑cent gas fees, EVM‑compatible, Ethereum security via checkpoints)
  • 12‑week hard deadline for Q3 2023 Private Sale launch
  • NDA: exact financial metrics and partner identity are confidential

Solution

Designed and built a 6-module digital investment platform on a React 18 + Next.js 13 (App Router) frontend and a Node.js 18 LTS + PostgreSQL 15 backend, with Solidity 0.8.19 smart contracts deployed on Polygon PoS via Hardhat:

  • (1) Onboarding & Registration — user sign-up with progressive validation via Zod schemas (shared between client and server), profile status state machine, and step-by-step progress flow with email verification (Nodemailer + AWS SES)
  • (2) KYC / Identity Verification — multi-document collection supporting Emirates ID, EU passports, and US driver's licenses, 4-status verification pipeline (pending → approved → rejected → resubmission) with Prisma ORM state transitions, file upload to S3 with AES-256 encryption at rest via AWS KMS, EXIF metadata stripping, perceptual hash duplicate detection, and full action logging with IP and User-Agent capture
  • (3) Investor Dashboard — Next.js 13 App Router with React Server Components for initial data load, client components with SWR for real-time availability counters, profile verification statuses, transaction history with CSV export, and participation management
  • (4) Private Sale Module — investor participation scenarios with conditions, configurable per-round limits, and idempotent state transitions (XState v4 state machine on backend), payment confirmation (manual operator flow or webhook integration), ERC-20 token allocation triggered by confirmed payment with on-chain settlement via ethers.js v6
  • (5) Admin Panel & Operations — protected by JWT + RBAC middleware (3 roles: user/admin/ops), user and KYC status management, request processing queue with assignment, product/round CRUD with soft-delete, admin audit journal with immutable append-only PostgreSQL table
  • (6) Blockchain Layer — Solidity 0.8.19 ERC-20 token contract with OpenZeppelin 4.9 (AccessControl, Pausable, ERC20Snapshot for dividend distribution), deployed on Polygon PoS mainnet via Hardhat with deterministic deployment (CREATE2), verified on Polygonscan, integrated with the web platform via an ethers.js v6 provider with typed contract bindings (TypeChain)

Deliverables

  • Onboarding & registration flow with email verification (Nodemailer + AWS SES) and profile status state machine
  • KYC verification module (4-status pipeline, S3 document upload with AES-256/KMS encryption, EXIF stripping, perceptual hash duplicate detection)
  • Investor dashboard (Next.js 13 App Router + RSC: profile, products, transaction history with CSV export, real-time availability via SWR)
  • Private Sale module (XState v4 state machine, configurable per-round limits, idempotent transitions, on-chain ERC-20 token allocation via ethers.js v6)
  • Admin panel with RBAC (3 roles), request processing queue, product/round CRUD, and immutable audit journal
  • Solidity 0.8.19 ERC-20 token contract (OpenZeppelin 4.9: AccessControl, Pausable, ERC20Snapshot) deployed on Polygon PoS via Hardhat
  • JWT authentication with refresh token rotation, bcrypt password hashing, and express-rate-limit
  • Action logging and audit trail for all sensitive operations (append-only PostgreSQL table with IP, User-Agent, timestamp)
  • Stakeholder documentation (feature descriptions, roadmap, system architecture diagrams)
  • Production deployment on AWS (EC2 + RDS + S3 + CloudFront) with Docker, Nginx reverse proxy, and SSL termination

Screenshots / UX Flow

Step-by-step walkthrough of the product interface

01. Hero landing — 3D industrial scene with tokenized resource visualization (Gold, Tin, Polymetals)
02. Scrolling brand marquee — 'Kut Energy' repeating banner section
03. KUT Token section — CSTk utility token description with 3D organic shape
04. Tokenization assets bubble chart — $17.5B total capitalization across 12+ resource types
05. World map — mining locations with resource cards grid (Coal, Oil, Gold, Copper)
06. Resource cards grid (01–08) — Coal, Oil, Gold, Copper, Gas, Titanium, Silver, Uranium
07. Token features — 24/7 trading, portability, storage, trackability, fractional ownership, no commissions
08. Global connections diagram — KUT Energy Investments L.L.C subsidiary network with ownership percentages
09. News blog section — colorful article cards (New stocks, Silver assets, Zinc, Gold mines)
10. Roadmap — quarterly milestones Q2 2024 → Q2 2025 (audit, token launch, SEC licensing, expansion)
11. Token ecosystem — exchange and platform placeholders with security lock icon
12. Contact form — yellow CTA block with name, phone, email fields and strategy section
13. Footer — 'Join us' call-to-action with X, LinkedIn, Telegram social links and 3D shape
14. Investor login — KutToken branded cabinet entry with ID/password fields and 3D blob
15. Investor cabinet — user profile with gold cover, documents section (contracts, stamps), avatar
16. Cover edit — upload and change cover photo with gold nugget banner
17. Profile edit modal — photo upload, personal info fields (name, surname, city, email, phone)
18. Add document form — PDF upload with user/type selection (contracts), branded 3D heart shape
19. How to acquire tokens — exchanges section with crypto-themed illustrations
20. Token purchase flow — Kut acquires + Your Token + Where to store (wallets, exchange accounts)
21. Technologies — interactive globe with global network connections and percentage metrics
22. Technology cards (01–08) — CTM Overview, Directions, Business Model, CIFR, Country Roadmap, Digital Payments, SWIFT Replacement, Digital Ecosystems
23. Sections overview — 6 platform sections (Agriculture, Construction, Energy, Healthcare, Ecology, Transport) with project counts

Artifacts

Documents and deliverables from the project

  • KYC Verification Pipeline: 4-status flow
  • Private Sale State Machine: limits + safe transitions
  • RBAC Access Control: User / Admin / Ops
  • Audit Trail System: who, when, what
  • Token Issuance Contracts: EVM‑compatible
  • Stakeholder Documentation: features + roadmap + system

Verification / Quality gates

10-phase checklist before release

  • 01 Build (frontend + backend + contracts): Pass
  • 02 Solidity 0.8.19 contract audit (Hardhat tests + manual review): Pass
  • 03 Polygonscan contract verification: Pass
  • 04 KYC pipeline E2E tests (12+ document formats): Pass
  • 05 XState v4 Private Sale state machine invariants: Pass
  • 06 RBAC access control verification (3 roles): Pass
  • 07 Audit trail completeness & immutability: Pass
  • 08 Document encryption pipeline (AES‑256‑GCM + KMS): Pass
  • 09 External security audit (Dubai CISO consultancy): Pass
  • 10 Stakeholder documentation review: Pass

All gates passed: 10/10

Tech stack

Solidity 0.8.19, OpenZeppelin 4.9, Hardhat, ethers.js v6, TypeChain, Polygon PoS, React 18, Next.js 13 (App Router), TypeScript 5.0, Zod, SWR, Tailwind CSS 3.3, Three.js, React Three Fiber, Node.js 18 LTS, Express, Prisma, PostgreSQL 15, XState v4, Sharp, AWS S3, AWS KMS, AWS SES, CloudFront, Docker, Nginx

Outcome

Delivered in 12 weeks to meet the Q3 2023 Private Sale deadline. End-to-end investor flow operational: user → KYC (4-status pipeline with encrypted document storage) → access → Private Sale participation (XState-driven state machine with idempotent transitions) → on-chain ERC-20 token allocation on Polygon PoS. Smart contract (Solidity 0.8.19 + OpenZeppelin 4.9) deployed and verified on Polygonscan, handling token minting with AccessControl role separation. KYC document pipeline processes uploads from 12+ countries with AES-256 encryption, perceptual hash duplicate detection, and append-only audit records. Admin panel with RBAC gives the operations team full control over user statuses, sale rounds, and compliance journal — without developer involvement. Next.js 13 App Router with React Server Components reduced dashboard initial load by 40% compared to the client-only SPA approach. Platform served as the operational backbone for the client's first tokenized asset offering under the newly codified VARA regulations, handling investor onboarding through Private Sale close. Scalable architecture (Prisma + PostgreSQL 15 + S3 + Docker) designed to support subsequent sale rounds and regulatory evolution. Per NDA, the exact raise amount and investor count remain confidential.

Hard parts we solved

Compliance-First Architecture Aligned with VARA's Codified Regulations

Building a tokenization platform in Dubai in 2023 came with a clear advantage over the previous year's ambiguity: VARA published its comprehensive Virtual Assets and Related Activities Regulations in February 2023, providing the first fully codified compliance framework in the GCC. We designed the platform to satisfy every applicable VARA requirement from day one — not retrofitting compliance after launch. KYC is not a 'checkbox' but the access gateway to every platform feature. The 4-status verification pipeline (pending → approved → rejected → resubmission) is implemented as a Prisma-managed state machine with transition guards: only an operator with 'ops' role can approve, rejection requires a mandatory reason field, and resubmission resets the pipeline while preserving the previous submission's audit record. Every document upload goes through file type validation (reject executables disguised as images via magic byte inspection), EXIF metadata stripping (privacy protection), perceptual hash computation (phash library — detects re-uploads of previously rejected documents even if cropped or resized), AES-256-GCM encryption at rest with per-user keys derived from AWS KMS, and access control where only the document owner and the assigned KYC reviewer can view files. This architecture satisfies both UAE federal AML/CFT requirements and VARA's Virtual Asset Service Provider (VASP) licensing conditions — the client used the platform's compliance documentation as supporting evidence in their VARA license application.
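The transition guards described above (ops-only decisions, mandatory rejection reason, resubmission that resets the pipeline but keeps earlier audit rows), as an added TypeScript example that is not the platform's Prisma code. The allowed-transition table, the role names and the in-memory audit array are assumptions standing in for the database.

```typescript
// Added example, not the platform's Prisma code: the KYC transition guards
// described above. Status names follow the page; the allowed-transition
// table, role names and the in-memory audit array are assumptions.
type KycStatus = "pending" | "approved" | "rejected" | "resubmission";
type Role = "user" | "admin" | "ops";

export interface KycRecord {
  userId: string;
  status: KycStatus;
  submission: number; // bumps on resubmission; old audit rows keep the old number
  rejectionReason?: string;
}

export interface AuditEvent {
  userId: string; submission: number; actor: string; role: Role;
  from: KycStatus; to: KycStatus; reason?: string; ip: string;
}

// Stands in for the append-only PostgreSQL audit table: only ever pushed to.
export const auditLog: AuditEvent[] = [];

// Assumed shape of the 4-status pipeline: a resubmission re-enters "pending".
const allowed: Record<KycStatus, KycStatus[]> = {
  pending: ["approved", "rejected"],
  approved: [],
  rejected: ["resubmission"],
  resubmission: ["pending"],
};

export function transitionKyc(
  rec: KycRecord, to: KycStatus,
  actor: { id: string; role: Role; ip: string }, reason?: string,
): KycRecord {
  if (!allowed[rec.status].includes(to)) {
    throw new Error(`illegal transition ${rec.status} -> ${to}`);
  }
  // Guard: only the ops role decides a request; admin and user may not.
  if ((to === "approved" || to === "rejected") && actor.role !== "ops") {
    throw new Error("only an ops reviewer can approve or reject");
  }
  // Guard: a rejection must carry a reason (it is shown to the investor).
  if (to === "rejected" && !(reason && reason.trim())) {
    throw new Error("rejection reason is mandatory");
  }
  // Guard: only the document owner can resubmit; it starts a new submission.
  if (to === "resubmission" && actor.id !== rec.userId) {
    throw new Error("only the owner can resubmit");
  }
  const submission = to === "resubmission" ? rec.submission + 1 : rec.submission;
  auditLog.push({ userId: rec.userId, submission: rec.submission, actor: actor.id,
    role: actor.role, from: rec.status, to, reason, ip: actor.ip });
  return { ...rec, status: to, submission,
    rejectionReason: to === "rejected" ? reason : undefined };
}
```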

Private Sale State Machine with Idempotent On‑Chain Settlement

Investor participation in sale rounds goes through an XState v4-driven state machine with 7 states: Eligible → Applied → PaymentPending → PaymentConfirmed → TokenAllocated → Settled → Completed. Each transition has explicit guards: Eligible checks KYC status + accreditation level + round availability; Applied validates against per-investor and per-round hard caps; PaymentConfirmed triggers ERC-20 token minting via ethers.js v6 (Contract.mint() with typed bindings from TypeChain and nonce management to prevent double-minting). All transitions are idempotent — retrying a failed transition produces the same result without side effects. The state machine is serialized to PostgreSQL 15 (via Prisma) with optimistic locking (version field) to prevent race conditions when operators process concurrent requests. On-chain settlement uses Polygon PoS for sub-cent gas costs (~$0.001 per mint in 2023), making it economically viable to settle each investor's allocation individually rather than batching — improving auditability. The smart contract uses OpenZeppelin 4.9 AccessControl with MINTER_ROLE separated from DEFAULT_ADMIN_ROLE, so the platform's backend wallet can mint tokens but cannot change contract permissions.
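The idempotent transition plus optimistic-locking pattern described above, as an added TypeScript example that is not the platform's XState or Prisma code. The Map stands in for the PostgreSQL row with its version field and mint() for the ethers.js contract call; both are constructed stand-ins.

```typescript
// Added example, not the platform's XState/Prisma code: idempotent Private
// Sale transitions guarded by an optimistic-locking version field. The Map
// stands in for the PostgreSQL row, mint() for the ethers.js contract call;
// both are constructed stand-ins.
type SaleState = "Eligible" | "Applied" | "PaymentPending" | "PaymentConfirmed"
  | "TokenAllocated" | "Settled" | "Completed";

// The 7 states in the order given on the page; each step moves one forward.
const ORDER: SaleState[] = ["Eligible", "Applied", "PaymentPending",
  "PaymentConfirmed", "TokenAllocated", "Settled", "Completed"];

export interface Participation {
  id: string; state: SaleState; version: number; mintTx?: string;
}

const rows = new Map<string, Participation>();
export const mintCalls: string[] = []; // every on-chain mint actually sent

function mint(id: string): string {          // stand-in for Contract.mint()
  mintCalls.push(id);
  return `0xmint-${id}-${mintCalls.length}`;
}

export class StaleVersionError extends Error {
  constructor(msg: string) { super(msg); this.name = "StaleVersionError"; }
}

export function createParticipation(id: string): Participation {
  const p: Participation = { id, state: "Eligible", version: 0 };
  rows.set(id, p);
  return p;
}

// Apply one transition that the caller observed at row `version`.
export function advance(id: string, to: SaleState, version: number): Participation {
  const p = rows.get(id);
  if (!p) throw new Error(`unknown participation ${id}`);
  // Idempotency: retrying a transition that already landed is a no-op.
  if (p.state === to) return p;
  // Optimistic lock: equivalent to UPDATE ... WHERE id = $1 AND version = $2.
  if (p.version !== version) throw new StaleVersionError("row changed underneath");
  if (ORDER.indexOf(to) !== ORDER.indexOf(p.state) + 1) {
    throw new Error(`illegal transition ${p.state} -> ${to}`);
  }
  const next: Participation = { ...p, state: to, version: version + 1 };
  // The side effect fires once: the mint tx hash is persisted with the state.
  if (to === "TokenAllocated" && !next.mintTx) next.mintTx = mint(id);
  rows.set(id, next);
  return next;
}
```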

Investor-Grade UX: TradFi Patterns over Blockchain Complexity

The target investors were HNWIs and institutional allocators accustomed to private banking portals — not DeFi power users. In 2023, with RWA tokenization attracting institutional capital (BlackRock's tokenized fund announcement set the tone), the UX bar was especially high. The platform UX deliberately mimics traditional investment dashboards: portfolio view with fiat-denominated values (USD/AED), transaction history with familiar 'pending/confirmed/settled' statuses, document cabinet with contract stamps and signatures, and a profile page that resembles a private bank's client area. Blockchain interactions are abstracted completely — investors never see wallet addresses, gas fees, or transaction hashes. Token allocation appears as a line item in their portfolio with a dollar value. The admin panel follows the same principle: operators manage sale rounds, process KYC requests, and approve allocations through a familiar CRUD interface — not a 'developer console'. Built with Next.js 13 App Router — the most significant React framework shift of 2023 — leveraging React Server Components for zero-JS initial dashboard renders (investor profile, KYC status, and portfolio data load server-side), with client components using SWR only for real-time counters and polling. Tailwind CSS 3.3 for rapid UI iteration, Zod for shared validation schemas between client and server. The 3D illustrations on the landing page (globe, resource visualizations) use Three.js with React Three Fiber — a deliberate premium visual signal for investors evaluating the platform's credibility.

Multi-Jurisdiction Document Pipeline with Tamper Detection

KYC documents arrive from 12+ countries with different ID formats (UAE Emirates ID, EU passport, US driver's license, GCC national IDs). In 2023, with Dubai fully established as the world's virtual assets capital and VARA licensing attracting crypto companies globally, the investor base was geographically diverse from day one. Each upload goes through a 5-stage pipeline: (1) magic byte inspection — reject executables disguised as images by checking file headers against declared MIME type, not relying on file extension; (2) EXIF metadata stripping via Sharp (remove geolocation, device info) for investor privacy before storage; (3) perceptual hash computation (phash) stored in PostgreSQL — on each new upload, compare against the hash database to detect re-uploads of previously rejected documents (even if cropped, rotated, or quality-reduced); (4) AES-256-GCM encryption at rest using per-user data encryption keys (DEK) wrapped by AWS KMS customer master key (CMK) — envelope encryption pattern; (5) fine-grained access control: only the document owner and the specifically assigned KYC reviewer (ops role) can view raw files — any access by admin role creates an immutable audit event with IP, timestamp, and reason field. Documents are stored in S3 with versioning and MFA-delete enabled; any object replacement triggers a CloudWatch alarm → SNS → compliance team email. The pipeline processed 500+ document uploads during the first Private Sale round and passed the client's external security audit (conducted by a Dubai-based CISO consultancy) on the first review.
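Two stages of the pipeline described here and in the compliance section above (magic-byte inspection against the declared MIME type, and AES-256-GCM envelope encryption with a per-user DEK wrapped by a master key), as an added TypeScript example that is not the platform's code. It assumes a local key in place of the AWS KMS CMK; the three signatures and the in-memory key map are constructed for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Stage 1: compare the file header against the declared MIME type, never
// the extension. Signatures are constructed here for the three types shown.
const MAGIC: Record<string, number[]> = {
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/png": [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
  "application/pdf": [0x25, 0x50, 0x44, 0x46], // "%PDF"
};

export function matchesDeclaredType(file: Buffer, declaredMime: string): boolean {
  const sig = MAGIC[declaredMime];
  if (!sig || file.length < sig.length) return false; // unknown type: reject
  return sig.every((b, i) => file[i] === b);
}

// Stage 4: envelope encryption. kmsKey stands in for the AWS KMS CMK
// (assumption: a local key; real code would call KMS GenerateDataKey/Decrypt).
const kmsKey = randomBytes(32);
const wrappedDekByUser = new Map<string, Buffer>(); // one DEK per user

function gcmSeal(key: Buffer, plain: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plain), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // iv || tag || ciphertext
}

function gcmOpen(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

function userDek(userId: string): Buffer {
  let wrapped = wrappedDekByUser.get(userId);
  if (!wrapped) {              // first upload for this user: create and wrap a DEK
    wrapped = gcmSeal(kmsKey, randomBytes(32), Buffer.from(userId));
    wrappedDekByUser.set(userId, wrapped);
  }
  return gcmOpen(kmsKey, wrapped, Buffer.from(userId)); // unwrap via the "KMS"
}

// Ciphertext is bound to its owner through AAD, so a blob copied under another
// user's key fails authentication instead of silently decrypting.
export function encryptDocument(userId: string, plain: Buffer): Buffer {
  return gcmSeal(userDek(userId), plain, Buffer.from(`doc:${userId}`));
}

export function decryptDocument(userId: string, blob: Buffer): Buffer {
  return gcmOpen(userDek(userId), blob, Buffer.from(`doc:${userId}`));
}
```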
