feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization

docs/governance/procedures/kyc-aml.md

@@ -0,0 +1,240 @@
+# KYC/AML Standard Operating Procedures (SOP)
+
+**Version:** 1.0  
+**Date:** November 10, 2025  
+**Status:** Draft
+
+---
+
+## Overview
+
+This document defines the Standard Operating Procedures (SOPs) for Know Your Customer (KYC), Anti-Money Laundering (AML), and sanctions screening for eResidency and eCitizenship applications.
+
+## Screening Lists
+
+### Sanctions Lists
+
+**Primary Sources:**
+* UN Security Council Sanctions
+* EU Sanctions
+* OFAC (US Treasury)
+* UK HM Treasury
+* Other relevant jurisdictions
+
+**Update Frequency:**
+* Daily automated updates
+* Manual review for high-priority updates
+* Real-time screening for new applications
+
+### PEP Lists
+
+**Sources:**
+* World-Check
+* Dow Jones Risk & Compliance
+* ComplyAdvantage
+* Other commercial providers
+
+**Categories:**
+* Heads of State
+* Senior government officials
+* Senior political party officials
+* Senior judicial officials
+* Senior military officials
+* State-owned enterprise executives
+* Close associates and family members
+
+## Risk Scoring
+
+### Risk Factors
+
+**Low Risk:**
+* Clear identity verification
+* No sanctions matches
+* No PEP matches
+* Low-risk geography
+* Established history
+
+**Medium Risk:**
+* Partial identity verification
+* Potential PEP match (distant)
+* Medium-risk geography
+* Limited history
+
+**High Risk:**
+* Failed identity verification
+* Sanctions match
+* Direct PEP match
+* High-risk geography
+* Suspicious patterns
+
+### Risk Score Calculation
+
+**Formula:**
+```
+Risk Score = (KYC Risk × 0.4) + (Sanctions Risk × 0.4) + (Geographic Risk × 0.2)
+```
+
+**Thresholds:**
+* Auto-approve: < 0.3
+* Manual review: 0.3 - 0.8
+* Auto-reject: > 0.8
+
+## Enhanced Due Diligence (EDD)
+
+### Triggers
+
+**Automatic EDD:**
+* PEP match
+* High-risk geography
+* Risk score > 0.7
+* Suspicious patterns
+* Large transactions (if applicable)
+
+### EDD Requirements
+
+**Additional Checks:**
+* Source of funds verification
+* Additional identity documents
+* References or attestations
+* Background checks
+* Enhanced monitoring
+
+### EDD Process
+
+1. Identify EDD trigger
+2. Request additional information
+3. Verify sources
+4. Conduct enhanced screening
+5. Risk assessment
+6. Decision
+
+## PEP Handling
+
+### PEP Classification
+
+**Direct PEP:**
+* Current or former PEP
+* Immediate family member
+* Close associate
+
+**Indirect PEP:**
+* Distant relative
+* Former associate
+* Historical connection
+
+### PEP Process
+
+**Direct PEP:**
+1. Automatic EDD
+2. Enhanced screening
+3. Manual review required
+4. Risk assessment
+5. Decision with justification
+
+**Indirect PEP:**
+1. Standard EDD
+2. Risk assessment
+3. Decision based on risk
+
+## Source of Funds
+
+### Requirements
+
+**If Applicable:**
+* Fee payments
+* Donations
+* Service contributions
+* Other financial transactions
+
+### Verification
+
+**Methods:**
+* Bank statements
+* Payment receipts
+* Transaction history
+* Attestations
+* Third-party verification
+
+## Audit Trail
+
+### Requirements
+
+**Documentation:**
+* All screening results
+* Risk assessments
+* Decisions and justifications
+* EDD materials
+* Audit logs
+
+### Retention
+
+**Periods:**
+* KYC artifacts: 365 days (regulatory)
+* Application metadata: 6 years
+* Audit logs: 7 years
+* Credential status: Indefinite
+
+### Access
+
+**Controls:**
+* Role-based access
+* Audit logging
+* Data minimization
+* Encryption at rest
+* Secure transmission
+
+## Compliance
+
+### Regulatory Requirements
+
+**Jurisdictions:**
+* GDPR (EU)
+* CCPA (California)
+* Other applicable laws
+
+### Reporting
+
+**Obligations:**
+* Suspicious activity reports (if applicable)
+* Regulatory reporting
+* Internal reporting
+* Audit reporting
+
+## Testing
+
+### Mock Audit
+
+**Scope:**
+* End-to-end process testing
+* Risk assessment validation
+* EDD trigger testing
+* Audit trail verification
+* Compliance checks
+
+### Success Criteria
+
+**Requirements:**
+* All processes documented
+* All decisions justified
+* All audit trails complete
+* All compliance checks passed
+* No critical findings
+
+---
+
+## Revision History
+
+| Version | Date | Author | Changes |
+|---------|------|--------|---------|
+| 1.0 | 2025-11-10 | CISO | Initial draft |
+
+---
+
+## Approval
+
+**CISO:** _________________ Date: _________
+
+**Chancellor:** _________________ Date: _________
+
+**External Counsel:** _________________ Date: _________
+