Victim Support Portal
Last updated April 19, 2026 · Direct, verified channel for victims and their representatives
This portal exists for one specific purpose: to give victims of harmful content — and the parents, guardians, lawyers, advocates, and law enforcement officers acting on their behalf — a direct, verified channel to request that we transmit hash-only metadata to the relevant external reporting database (NCMEC for child sexual abuse material, GIFCT for terrorism content, StopNCII for non-consensual intimate imagery, Polaris Project for human trafficking, or others). One uniform process covers every category: a verification ticket, identity check by our legal team, and only then transmission.
We do not monitor.
We do not scan.
We do not report.
- No content scanning of any kind. Anywhere. Ever. No PhotoDNA, no client-side scan, no keyword detection, no behavioural profiling, for any category of content.
- No ability to read end-to-end encrypted messages. The keys live on user devices. A court order cannot change physics.
- No automatic reports to NCMEC, GIFCT, StopNCII, Polaris, FBI, Interpol, or any other agency or hash database. We do not "scan and notify". We do not "voluntarily share". Period.
- This portal exists for one narrow case: a verified victim (or their parent, lawyer, or law enforcement officer with an active case) wants us to file a hash-only external report. Even then, we independently verify identity before transmitting anything.
- We refuse most such requests at the verification stage. The public canary page shows how many we filter out. False claims trigger a permanent ban and, where applicable, a referral to Kazakhstan police under Article 419 of the Criminal Code.
Pick the category that applies to you
The procedure is the same for every category: write to legal@umbrellax.io (PGP-encrypted preferred), tell us which category you are reporting under and which of the four roles you are, attach the verification documents listed for that role below, and wait for our legal team to review. Verification happens within 7 calendar days. If verification succeeds, we file the external report within 48 hours. If we receive no documents within 30 days the ticket auto-closes.
CSAM — Child Sexual Abuse Material
What this covers
Sexually explicit material depicting any person under 18, whether the material is real, AI-generated, drawn, or otherwise synthetic. This includes solicitation messages and sextortion demands directed at minors.
Who can request external reporting (NCMEC)
- Adult survivor — if you are an adult depicted in CSAM that appeared on Umbrella X.
- Parent or legal guardian of a minor depicted in the material.
- Licensed lawyer or advocate retained by the victim or family.
- Law enforcement officer with an open case file.
Documents required (in addition to the role-based documents listed in "Documents required by role" below)
- If you have it: the in-app report ID Umbrella X sent you when the material was confirmed.
- If not: an approximate description of where the material appeared (channel, group, or chat) and approximate dates.
What we send to NCMEC
- Perceptual hash of the confirmed material (the file itself is already deleted).
- Date the material was first reported on Umbrella X (rounded to nearest day).
- Country of the requesting party (top-level only).
The actual content is never sent (we have already deleted it). The identity of the victim is not sent unless you specifically ask us to include it; even then we encourage direct communication with NCMEC instead.
NCII — Non-Consensual Intimate Imagery
What this covers
Intimate images or videos of an adult shared without that adult's consent. Includes "revenge porn", voyeur content, sexual deepfakes of real people, and threats to share such material ("sextortion").
Important: StopNCII.org also offers a self-service hash submission: a victim can hash their own intimate images on their own device and submit just the hash to StopNCII, which then distributes the hash to participating platforms (including, when we are live, Umbrella X) so that the image is blocked at upload everywhere. If you have not yet had the image leaked but are at risk, that pre-emptive route is faster and gives you full control. We strongly recommend it.
Who can request external reporting (StopNCII)
- Adult depicted in the imagery (the most common case).
- Lawyer or advocate retained by the depicted person.
- Law enforcement officer with an open case file (e.g., investigation of sextortion network).
Note: there is no "parent or guardian" path here because StopNCII is for adults. A minor depicted in intimate imagery is treated as a CSAM case (above), not an NCII case.
What we send to StopNCII
- Perceptual hash of the confirmed material (the file itself is already deleted).
- Country of the requesting party (top-level only).
The identity of the victim is never sent. StopNCII works on hashes only.
Terrorism and violent extremism
What this covers
Content that promotes, glorifies, recruits for, or instructs in terrorism or violent extremism. Includes designated terrorist organisation propaganda, attack-planning material, instructions for weapons of mass impact, and imagery of attacks designed to spread or celebrate them.
Who can request external reporting (GIFCT)
- Witness or recipient who personally encountered the material — and who is willing to identify themselves to our legal team (not publicly).
- Lawyer or advocate retained by a victim of an attack the material relates to, or by a family member of a victim.
- Law enforcement officer with an open counter-terrorism case file.
- Recognised counter-terrorism NGO with documented standing in the relevant jurisdiction (we will verify with the NGO directly).
What we send to GIFCT
- Perceptual hash of the confirmed material.
- GIFCT category tag (designated propaganda, attack imagery, manifesto, etc.).
- Country of the requesting party (top-level only).
Mass violence content (live-streamed attacks, manifestos)
What this covers
Live or recorded video of mass-casualty attacks (mass shootings, vehicle attacks, knife attacks at public gatherings) and the perpetrator's manifesto. The Christchurch Call protocol exists specifically to prevent the viral spread of such content in the hours and days immediately after an event.
Who can request external reporting
- Victims, families of victims, or survivors of the relevant attack.
- Lawyer or advocate retained by victims or families.
- Law enforcement officer investigating the attack.
- Recognised victim-support NGO active in the relevant jurisdiction.
For active mass-violence incidents, we will expedite verification to within 24 hours given the time-sensitive nature of preventing viral spread.
Human trafficking
What this covers
Recruitment, transportation, harbouring, or exploitation of persons by force, fraud, or coercion for commercial sex or forced labour. Includes online recruitment ads, communication channels used to coordinate trafficking, and material identifying victims of trafficking.
Who can request external reporting
- Survivor of trafficking who personally encountered the material on Umbrella X.
- Lawyer or advocate retained by a survivor.
- Law enforcement officer with an open trafficking case.
- Recognised anti-trafficking NGO (verified directly with the organisation).
Note: human trafficking does not have a single global hash database equivalent to NCMEC or GIFCT. We coordinate case-by-case with Polaris Project, Stop the Traffik, or the relevant national hotline. Our role is limited to passing the hash and minimal metadata.
Other categories
What this covers
Categories not listed above where you believe an external report is warranted: doxxing campaigns with imminent physical risk, coordinated harassment with a credible threat of violence, illegal goods or services involving immediate harm to identifiable victims, and similar.
Who can request external reporting
- The directly affected person.
- Lawyer or advocate retained by the affected person.
- Law enforcement officer with an active case.
Because there is no standard hash database for these categories, our legal team will work with you to identify the appropriate authority (typically the law enforcement agency in the jurisdiction with the strongest connection to the material) and to ensure that the disclosure is the minimum required.
Documents required by role (applies to every category)
Adult survivor or directly affected person
- One government-issued photo ID (passport, national ID card, or driving licence). Used only to confirm identity for this specific case; not stored beyond verification.
- A short written statement explaining your connection to the material.
Parent or legal guardian (CSAM only)
- Birth certificate of the child or court order establishing guardianship.
- Government-issued photo ID of the parent or guardian.
- Short written statement of connection to the material.
Licensed lawyer or victim advocate
- Confirmation of bar membership / advocate licence (a licence number plus the issuing bar association, or a scan of your bar card).
- Power of attorney, retainer agreement, or equivalent document showing you are authorised to act for the victim or their representative on this matter. Personal details of the victim may be redacted; we just need to see the authorisation chain.
- Government-issued photo ID for cross-reference against the bar record.
Law enforcement officer
- Service identification or warrant card.
- Case file reference number from your agency's case management system. We do not need the full case file; the reference is enough for us to confirm the request is part of an active matter.
- If your jurisdiction has an MLAT framework with Kazakhstan, that strengthens the request but is not strictly required for hash-only external reporting.
Recognised victim-support or anti-trafficking NGO (terrorism, mass violence, trafficking)
- Organisation registration document.
- Letter from a senior officer of the NGO confirming the request and the staff member submitting it.
- Government-issued photo ID of the staff member submitting the request.
How to make a request (the same flow for every category)
- Send an email to legal@umbrellax.io with a subject line like
External report request — [category](replace [category] with CSAM, NCII, terrorism, mass violence, trafficking, or other). Encrypt the email using our PGP key (see "Encryption" section below). - In the email, tell us:
- Which category you are reporting under.
- Which of the four (or five) roles above you are.
- If a report has already been filed in Umbrella X, the in-app report ID we sent you.
- If no report has been filed yet, a description of when and where the material appeared (channel, group, or chat — approximate dates are fine).
- The country where the victim resides or the country of the law enforcement / NGO case file.
- Attach the verification documents appropriate to your role and category. Encrypted PDF, JPEG, or PNG are all fine.
- Wait for a response from our legal team. We acknowledge every email within 24 hours and complete the verification review within 7 calendar days. For active mass-violence incidents we expedite to 24 hours; for ongoing law enforcement investigations we expedite to 48 hours.
- If verification succeeds, we file the external report within 48 hours, send you a copy of the filing confirmation, and increment the public counter on the canary page. Your identity and personal information are not disclosed in any public counter or transparency log entry.
- If verification fails or documents are missing, we explain why and what is needed. You can re-submit at any time.
- If we receive no response within 30 days of our initial reply, the verification ticket is closed and no external report is filed. You can re-open the request later by replying to the same thread.
What we send externally, and what we do not
What we send (only after verification, only with your authorisation, only to the database appropriate to the category):
- The perceptual hash of the confirmed material (the actual file is already deleted from our servers and we cannot recover it; the hash is what these databases use to match against their own records).
- The timestamp of when the material was first reported on Umbrella X (rounded to the nearest day).
- The category tag for the database (e.g., NCMEC category, GIFCT category).
- The country of the requesting party (top-level only; no exact location).
What we never send:
- The actual content of the material (we have already deleted it).
- The identity of the victim (unless you specifically ask us to include it; even then, we encourage you to communicate directly with the database).
- The identity of the reporting party who flagged the material in the app.
- Any other user data unrelated to the specific case.
- Information about how Umbrella X operates internally, including the identity of moderators or details of our review pipeline.
What happens if verification fails
If we determine that the documents provided do not establish your standing to request external reporting on this specific case, we explain what is missing and how to fix it. The verification ticket remains open for 30 days for resubmission.
If we determine that the request is knowingly false — for example, fabricated documents, identity theft, or a coordinated attempt to weaponise an external reporting database against a third party — we close the ticket without filing, ban the originating Umbrella X account permanently, and (where applicable) refer the matter to the Kazakhstan authorities under Article 419 of the Criminal Code (knowingly false denunciation). This protects real victims from the harm caused by false reports clogging the pipelines of NCMEC, GIFCT, StopNCII, Polaris, and similar organisations.
Encryption: PGP key
All emails to legal@umbrellax.io involving victim verification should be encrypted with our PGP public key. This protects your identity and the contents of your message in transit. The key fingerprint and download instructions:
Fingerprint: [to be published with first quarterly transparency dump]
Download: /legal-key.asc (available after first publication)
Keyserver pool: keys.openpgp.org · keyserver.ubuntu.com · pgp.mit.edu
If you cannot use PGP, send a plain message asking us to initiate a Signal session. We will reply with a Signal handle, and you can then send the documents over Signal end-to-end encrypted. Signal is a third-party service, but it is the most accessible E2E channel available. Do not send unencrypted documents containing personal identification over plain email if you can avoid it.
Privacy of your verification request
We treat verification requests as the most sensitive data we handle. Specifically:
- Verification documents are stored encrypted at rest (AES-256-GCM with keys held in our hardware security modules) and accessible only to two named members of our legal team and one senior reviewer.
- Documents are deleted within 30 days of case closure (whether successful or not), keeping only the audit-log entry that records "verification approved by [reviewer ID] on [date] for [category]" or "verification declined: [reason category]".
- Your identity is never published in any public counter, transparency log entry, or quarterly dump. The public record only shows that "1 NCMEC report was filed at victim request in Q2 2026" or "1 StopNCII report was filed at victim request in Q3 2026", not who requested it.
- If you withdraw your request before we file the external report, we honour the withdrawal and delete all related documents within 7 days.
Coordinated victim-support resources
Umbrella X is a messenger; we are not a victim-support organisation. The following organisations specialise in helping victims of the categories above and may also be able to file external reports directly on a victim's behalf, often with more legal support than we can provide:
CSAM
- National Center for Missing & Exploited Children (NCMEC) — destination for hash reporting; also runs CyberTipline for direct victim reporting.
- INHOPE — international association of internet hotlines; find your local hotline.
- Internet Watch Foundation — UK-based; accepts reports globally.
NCII
- StopNCII.org — pre-emptive hash submission and platform-wide blocking. Strongly recommended.
- Revenge Porn Helpline (UK) — supports adults; runs StopNCII.
- Cyber Civil Rights Initiative (US).
Terrorism / mass violence
- Global Internet Forum to Counter Terrorism (GIFCT) — industry hash database.
- Tech Against Terrorism — UN-backed initiative.
Human trafficking
- Polaris Project — US National Human Trafficking Hotline.
- Stop the Traffik — UK, intelligence-led.
- UNODC — UN Office on Drugs and Crime; international coordination.
Working with one of these organisations may be faster and easier than working with us directly, particularly if the material is also present on platforms other than Umbrella X. We are happy to coordinate.
Contact summary
- External report request (any category):legal@umbrellax.io with subject "External report request — [category]" (PGP-encrypted preferred).
- General abuse report (no external reporting):abuse@umbrellax.io or in-app long-press → Report.
- Press / media:press@umbrellax.io.
- Other legal matters:legal@umbrellax.io with appropriate subject line.
This portal is operated by the legal team of UmbrellaX LLP, a limited liability partnership registered in the Republic of Kazakhstan under business identification number 260440006927, with its registered office at Zheltoqsan St., 1-6, building 3, apt. 13, Oral, West Kazakhstan Region.