Bring your own data provider
Every tenant screens against PROOViD's built-in, free sources out of the box. If you hold a licence for a commercial dataset, you can layer it on with your own API key — configured per tenant, encrypted at rest, and used only for your screens. PROOViD never bundles, resells, or pays for third-party data: you bring your own key.
Built-in & free (no key needed)
These run on every screen with no configuration — they are public-domain or open government data:
- Sanctions — UN, OFAC (US Treasury SDN), EU and UK (OFSI) consolidated lists.
- PEPs — Politically-Exposed Persons from Wikidata (CC0 public domain): heads of state, prime ministers, ministers, central-bank governors, ambassadors and legislators.
The local engine (fuzzy + phonetic + nickname matching, classification and risk
scoring) always runs against these. Commercial providers are additive — they widen
coverage; they never replace the built-in screening.
Commercial providers you can add
Each is opt-in per tenant and uses your credentials:
| Provider type | What it adds | You supply |
|---|---|---|
OpenSanctions your key |
The OpenSanctions consolidated sanctions + PEP dataset (curated, multi-source, deduplicated) | Your OpenSanctions API key (+ optional collection / datasets / threshold) |
AdverseMedia your endpoint |
Your own adverse-media / news source — sidesteps the shared free-GDELT rate limit | A GDELT DOC 2.0-compatible endpoint URL (+ optional key / keywords) |
CriminalRecords your endpoint |
Your court / registry / vendor criminal-records feed (matches are crime-tagged → Fail) |
A JSON HTTP endpoint URL (+ optional key) |
Licensing is yours. Commercial datasets carry their own terms — e.g.
OpenSanctions is CC BY-NC, so commercial use requires a licence from them. You obtain the licence
and key; PROOViD simply uses the key you provide.
Configure a provider
Admin-only, per tenant. The key is write-only (sent on configure, never returned), stored AES-GCM encrypted, and masked when listed.
Add or update
PUT /v1/tenants/{tenantId}/providers/{providerType}
Authorization: Bearer <admin token>
Content-Type: application/json
{providerType} is one of OpenSanctions, AdverseMedia,
CriminalRecords. Body fields:
| Field | Type | Applies to | Notes |
|---|---|---|---|
enabled | bool | all | Required. Turn the provider on/off. |
apiKey | string | all | Your key. Required to enable; omit to keep the stored key. Never returned. |
baseUrl | string | AdverseMedia, CriminalRecords | Your endpoint URL. Required to enable AdverseMedia. |
collection | string | OpenSanctions | Scope to match, e.g. default or sanctions. |
threshold | number | OpenSanctions | Provider-side min score 0–1 (falls back to your profile threshold). |
includeDatasets | string[] | OpenSanctions | Restrict to these datasets (empty = all). |
topics | string[] | OpenSanctions | Restrict to these risk topics (empty = all). |
algorithm | string | OpenSanctions | Scoring algorithm, e.g. logic-v1. |
keywords | string[] | AdverseMedia | Negative-context terms (empty = sensible defaults). |
maxRecords | number | AdverseMedia | Max articles considered per screen. |
Example — OpenSanctions with your key
curl -X PUT https://aml-screening.dloizides.com/v1/tenants/$TENANT_ID/providers/OpenSanctions \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"apiKey": "<your-opensanctions-key>",
"collection": "default",
"threshold": 0.7
}'
Example — your own adverse-media endpoint
curl -X PUT https://aml-screening.dloizides.com/v1/tenants/$TENANT_ID/providers/AdverseMedia \
-H "Authorization: Bearer $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"apiKey": "<optional-key>",
"baseUrl": "https://news.example.com/api/v2/doc",
"keywords": ["fraud", "sanction", "money laundering"],
"maxRecords": 50
}'
List configured providers (keys masked)
GET /v1/tenants/{tenantId}/providers
Authorization: Bearer <admin token>
Remove a provider
DELETE /v1/tenants/{tenantId}/providers/{providerType}
Authorization: Bearer <admin token>
Validation: enabling any provider without a key (and with none stored)
returns
400 — "Enabling a provider requires an API key"; enabling
AdverseMedia without a baseUrl returns 400 —
"Enabling an adverse-media provider requires an endpoint (baseUrl)". Every change is written
to the tamper-evident audit log.How it behaves on a screen
- Enabled providers run in parallel with the built-in engine; their matches are classified and risk-scored by the same rules.
- A provider you configure for a type overrides the built-in default for that type (e.g. your adverse-media endpoint replaces the shared free GDELT).
- If your provider is unreachable, the screen still completes on the built-in sources — a provider outage never fails a screen.
- Your key is scoped to your tenant only; it is never shared, logged, or returned.
© PROOViD AML · Developer Docs
API reference · Authentication