Flow of Data: KYC Proof of Personhood
Zeronym's Proof of Personhood via KYC consists of the following components:
User agent (UI)
Zeronym server
ID verification provider
Verifier
The flow of data is outlined in the following sequence diagram. Please refer to the notes for detailed explanations of the relevant parts.
Sections 1 and 2 in the sequence diagram constitute issuance. This is where the user's private credentials are issued.
Section 3 is proving, where the user proves facts about their issued credentials.
The following data are requested by IDV providers as a photo and/or video stream during the verification process.
Selfie (photo, video stream)
One of the following documents
Passport
Driver's License
Identity Card
Currently, the following IDV providers are supported.
Veriff has clearly outlined in its trust center
a list of compliances (i.e., GDPR)
regarding data collection, retention and deletion controls
a list of subprocessors
Onfido has its privacy policy
a list of compliances
regarding data
ControlCase has issued a compliance certificate for ISO 27001
FaceTec has two privacy policies (site and SDK)
The SDK privacy policy seems more relevant to ID verification usage. Its documentation on privacy is sparse compared to the other 2 providers.
Article #2 mentions that any data sent to its server is encrypted, siloed, and never stored with any additional personally identifiable information (PII).
Article #6 provides detailed info on its compliance with GDPR for EU residents.
The IDV provider returns the session result to the user.
With Silk wallet:
The result is encrypted on the client side using a derivative of the PRF.
With other wallets:
The result is encrypted with a key derived from hash(userSignature(aConstantMessage)) to generate the ciphertext.
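The "other wallets" path, sketched as an added example (this is not Zeronym's code): a key is derived from hash(userSignature(aConstantMessage)) and the session result is encrypted before anything leaves the client. Assumptions, none of which the page specifies: Ed25519 stands in for the wallet signature, SHA-256 is the hash, AES-256-GCM is the cipher, and the constant message text and sample result are constructed.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical constant message; the page does not give the real text.
const CONSTANT_MESSAGE = 'example-constant-message-for-key-derivation';

// Constructed sample session result (not a real IDV payload).
const SAMPLE_RESULT = { status: 'approved', firstName: 'Jane', documentType: 'passport' };

// Stand-in wallet. Ed25519 signatures are deterministic, so signing the same
// message always reproduces the same key. A wallet whose signatures are
// randomized would derive a different key each time.
function makeWallet() {
  const { privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { sign: (msg) => nodeCrypto.sign(null, Buffer.from(msg, 'utf8'), privateKey) };
}

// key = hash(userSignature(aConstantMessage)); SHA-256 is an assumption.
function deriveKey(wallet) {
  return nodeCrypto.createHash('sha256').update(wallet.sign(CONSTANT_MESSAGE)).digest();
}

// Client-side encryption; AES-256-GCM with a fresh 96-bit IV is an assumption.
function encryptResult(key, result) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(result), 'utf8'), cipher.final()]);
  // Only these three opaque fields would be sent for storage.
  return { iv: iv.toString('base64'), ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64') };
}

// Returns the decrypted object, or null if the key is wrong or the record was altered.
function decryptResult(key, record) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    d.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(record.ct, 'base64')), d.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null;
  }
}

const wallet = makeWallet();
const record = encryptResult(deriveKey(wallet), SAMPLE_RESULT);
console.log(decryptResult(deriveKey(wallet), record));       // same wallet recovers the result
console.log(decryptResult(deriveKey(makeWallet()), record)); // different wallet gets null
```

Because the key exists only as a function of the user's signature, whoever holds the stored record without the wallet cannot decrypt it, and the user can re-derive the key on any device by signing the same message again.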
Only the encrypted ciphertext, which is non-PII, is stored in the Zeronym database, as below.
The user submits a zero-knowledge proof (ZKP) of uniqueness (see the circuit here) to the verifier server. The verifier verifies the ZKP and, upon verification, issues a soulbound token to the user. The circuit ID, issuer address, expiry, actionNullifier, and the ZK proof are embedded in the soulbound token.
View to see the data included in user credentials.