Welcome to IdNFT™, the system that offers users full and personal control of their Digital ID.
Any and all biometric data and ID documentation that you upload to IdNFT™ is encrypted and stored on THE USER'S PHONE, and only THEY are able to use, view, edit, share or delete it. Also, to further their security, all biometric checks are completed by our advanced Artificial Intelligence system, with no human interaction.
IdNFT™ only supplies, if requested, a simple ‘Yes or No’ to a third party confirming the user's ID. At no time do we share any of the data supplied by the user, unless they specifically request that we do so, or they agree in advance that we may do so.
If for any reason a third party requires a copy of the user's photo ID, in each and every instance the user is asked to confirm that they are happy to share it.
As all the identifying biometrics and photo ID are stored directly on the user's phone, and never uploaded to any ‘cloud’ server or any other external place, if the user deletes the app they then delete each and every piece of data they have ever shared with IdNFT™.
Full Data Protection Policy
Resiliant (hereinafter – the Company), as a software product or as a service business, takes all its responsibilities with regard to the management of the stringent requirements of the EU GDPR and all other countries' data protection laws very seriously.
This document provides both users and companies with the policy framework that Resiliant has introduced to effectively manage Data Protection for all interested parties.
This Policy is addressed to Resiliant's clients as well as to those individuals who will provide their personal data for processing (hereinafter – Data Subjects).
The Company is a Processor of personal data under Article 28 of the EU GDPR and is engaged by the Company’s client (hereinafter – the Controller) to process his or her personal data for the agreed purpose, established in a separate data protection agreement. In certain cases the Company may serve as the Data Controller under Article 24 of the EU GDPR.
The Company confirms that any and all of the personal data and biometrics submitted by the Data Subjects remain stored securely on the user's phone, and are not stored, trafficked or passed through any external devices or servers.
Our corporate clients within or outside the EU and EEA would not need to have access to the personal data of the Data Subjects unless it is necessary under applicable laws. Resiliant at no time shares the ID documents and biometric information supplied by the Data Subjects with any third party unless requested by the data user in writing, or necessary under applicable laws.
If the user chooses to share any biometric data or identifiable documents via Resiliant with a client, then that data becomes the responsibility of the Data Controller at the Client's business.
Scope of the Policy
Although Resiliant does not have sight of any personal data, the purpose of this policy is to ensure that Resiliant's staff shall comply with the provisions of regional or English law and the EU GDPR if they ever do have to process personal data, and to share with all users (Data Subjects) information showing how we control and protect their personal data.
The company adheres to the principles of data protection as laid down by the EU GDPR and other regional data protection laws, and is constantly reviewing and making all and any improvements required. In accordance with those principles personal data shall be:
- Processed fairly and lawfully and in a transparent manner in relation to the data subject;
- Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Not kept longer than necessary;
- Processed in a manner that ensures appropriate security of the personal data;
- Not transferred outside the countries of the USA, European Economic Area or the EU without adequate protection, and without the data user's consent.
[a] Resiliant’s responsibilities
Resiliant is responsible for establishing policies and procedures in order to comply with the EU GDPR and the local laws of all territories. The key person in this area is our Data Protection Officer, whose contact info is available at: email@example.com.
[b] Data Protection Officer’s responsibilities
The Data Protection Officer holds responsibility for:
- drawing up guidance and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information;
- the appropriate compliance with subject access rights and ensuring that data is processed in accordance with the Data Protection Act 2018, the EU GDPR and other territories' data protection laws;
- ensuring that any data protection breaches are resolved, catalogued and reported appropriately in a swift manner;
- investigating and responding to complaints regarding data protection including requests to cease processing personal data.
[c] The Responsibilities of Resiliant staff
All our staff members who process personal data must comply with the requirements of this policy or any subsequently improved policies. Staff members must always ensure that:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer;
- any data protection breaches are swiftly brought to the attention of the Governance Team and that they support the Data Protection Officer in resolving breaches;
- where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Officer.
[d] Third-Party Processors
Where external companies are used to process personal data on behalf of Resiliant, responsibility for the security and appropriate use of that data remains with Resiliant. Where a third-party processor is used:
- a third-party processor may be chosen only when it provides sufficient guarantees about its security measures to protect the processing of personal data;
- reasonable steps must be taken to ensure that such security measures are in place;
- a written contract establishing what personal data will be processed and for what purpose must be set out;
- a data processing agreement must be signed by both parties.
Specific measures to ensure data protection
The company shall carry out the following specific measures to ensure data protection:
- Any personal data storage or processing shall be made on the basis of respective Service Agreements, Non-Disclosure Agreements and Data Processing Agreements compliant with the EU GDPR and all other territories data protection laws;
- The Company uses a specially designed API interface (IFrame) that makes it possible to submit the data directly to the user's phone, encrypted to SHA-256;
- All information gathered undergoes anonymization/pseudonymization and hashing;
- All persons dealing with personal data shall be officially authorized and must undergo background checks and special periodical training;
- The Company shall hold data protection and security audits by a leading international expert institution;
- The Company shall not disclose any biometric information that is provided to it, unless requested to do so by the user or by strict agreement with the user;
- The Company shall not accept for processing any personal data of children.
The Company is working on preventing any unauthorized physical access, damage and interference with the Company's information and information processing areas. In particular, the Company has established:
- Removable media blocked company wide;
- CCTV monitoring;
- Enforced entry controls into our premises;
- Defined secure areas for authorised personnel;
- Physical protection of hardware against natural disasters, malicious attack or accidents.
Software and network security
The Company holds regular vulnerability scans against our full infrastructure. We also have external, independent, penetration tests conducted on a periodic basis.
- Our dashboard supports several regimes of secrecy, so that our clients can monitor the status of processing without learning any personal data of their customers.
- Code changes are always peer reviewed and static source code reviews are performed systematically and at a high frequency.
- All engineering and development operations staff are regularly trained on system, application and network security.
- Our IT and container infrastructure is continuously monitored and audited for change.
- Critical systems and information are protected with strong authentication mechanisms.
- All network connections are protected by firewalls and are monitored by cyber security solutions to detect intrusions and suspicious activity.
- Machine learning is used to discover malicious behaviour of network endpoints and applications.
- All our computers, laptops and servers utilise full disk/volume encryption and are installed with antivirus/malware protection which is automatically updated to the latest version and signatures available.
- All user information is encrypted using AES-256 at rest as well as in transit.
Data protection breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer or the CEO. The report should include full and accurate details of the incident including who is reporting the incident and what classification of data is involved.
Data subjects’ rights
Each Data Subject providing his/her personal data to the Company has the following rights that the Company fully respects:
- Right to obtain confirmation as to whether or not his or her personal data are being processed (Article 15 EU GDPR);
- Right to obtain rectification of inaccurate personal data without undue delay (Article 16 EU GDPR);
- Right to erase personal data or “right to be forgotten” (Article 17 EU GDPR);
- Right to restrict data processing, in particular when the accuracy of the data is contested (Article 18 EU GDPR);
- Right to receive communications as to rectification or erasure of personal data or restriction on processing (Article 19 EU GDPR);
- Right to receive personal data in the form that is machine-readable and ready for transmission to another controller (Article 20 EU GDPR);
- Right to object to data processing (Article 21 EU GDPR);
- Right not to be subject to a decision based solely on automated processing (Article 22 EU GDPR).
The data that we collect
The Company usually collects the following personal data:
- name and surname,
- passport or any photo identity card data,
- registered address,
- facial image,
- phone IMEI (International Mobile Equipment Identity),
- GPS location.
However, this information is stored on the user's phone, and they alone have access to this information.
The purposes for which we collect the data
The Company collects and processes the personal data for the purpose of identification and client diligence compliance in accordance with the laws governing the intended business relationship (KYC and AML compliance).
The Company subjects the personal data to automated reading, verification of the authenticity and other automated processing of photos and scanned copies of documents, with a further check against the data in multiple databases, including (but not always) international politically exposed persons (PEPs) and Sanctions lists, Country Specific Sanctions Lists, Criminal Lists and Financial Lists.
Once the personal data is not any more necessary for the purposes of applicable compliance rules, the Company shall erase the data completely off its servers without leaving any backup copies or, based on the same condition, transfer the data to the relevant Controller.
Consent to personal data processing
The Company always collects and processes the personal data based upon Data Subjects' free and informed consent given in an explicit manner. The current text of the consent is shown above.
This Policy is constantly reviewed and rectified in order to provide best compliance with the EU GDPR and other applicable national laws.
If you have any request or complaint regarding the above, or you want to exercise any of the rights granted to you by applicable laws, please contact us at firstname.lastname@example.org