Privacy by Design

Compliance with global data privacy regulations

Velocity Network protocols address the core principles and requirements of modern privacy regulations applicable in most jurisdictions. Every participant (issuers, relying parties, tech vendors, node operators) must sign a set of mandatory, publicly advertised participation terms and conditions before being granted access to the underlying layer. These terms rigorously delineate participants’ legal and contractual responsibilities across various facets, including data privacy and security considerations, and are subject to enforcement by the decentralized community through various legal and economic sanctions.

The following mechanisms were implemented to secure users’ data privacy:

Requirement
Implementation

Transparency

All participants must be completely transparent to the individual in relation to processing their Personal Data. Their privacy statements, user agreements, and transaction terms and conditions must all require the individuals’ consent.

Purpose Limitation

Disclosure Requests must specify the purpose for which the personal data is required and the duration for which credentials will be retained, as well as all related terms and conditions pertaining to the disclosure. Disclosure history must be logged on the individual’s Wallet. The individual must be able to selectively mark the credentials and/or Claims to share and approve the terms and conditions.

Automated Decision-Making

The individual must be made aware of the existence of automated decision-making, including profiling. In those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual, must be presented to the individual prior to disclosure, so that they are able to make an informed decision.

Data Minimization

Relying Parties are liable to limit requests to disclose credentials to only what is relevant and strictly necessary in relation to the purpose for which it is being processed.

Limited Disclosure

Selective disclosure of credentials is already implemented, and the protocol is on a clear path to achieve zero-knowledge proofs (ZKP) in 2-3 years.

Accuracy

The individual is able to review credential data and selectively accept them. The individual must also consent to the Issuer’s Terms and Conditions clearly presenting the Issuer’s privacy statements, user agreement and all related terms and conditions pertaining to the issuing. The Issuer is able to present evidence for such consent.

Rectification

The individual must be clearly notified of the way to contact the Issuer for data rectification if the credential contains errors in data. It is the responsibility of the governing body of the LER infrastructure to ensure that the Issuers are liable for the rectification of inaccurate personal data within a reasonable time and implement Data Rectification processes as required under the GDPR and other modern privacy regulations.

Storage Limitation

The individual must consent to the relying party’s Terms and Conditions clearly presenting the purpose for which the credentials are required and the duration that they will be retained, privacy statements, user agreement and all related terms and conditions pertaining to the disclosure. The relying party is able to present evidence for such consent.

Storage Limitation

Relying Parties are liable to keep personal data in a form which permits identification of individuals for no longer than the duration necessary for the purposes for which the personal data is being processed.

Integrity and Confidentiality

All entities that participate in credential exchange and storage are liable to provide appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

Selective Disclosure by Default

Individuals can share only the specific credentials they choose, ensuring selective sharing of Credentials or Claims.

Privacy by Default

Relying Parties are liable to ensure that the strictest privacy settings will apply by default, without any manual input from the individual.

Right of Portability

Individuals are able to move, copy or transfer credentials easily from one wallet to another in a safe and secure way, without affecting their usability.

Right of Access

The individual has unrestricted access to their credentials stored on their wallets.

Data Privacy Officer (DPO)

All participants are liable to appoint a DPO. The DPO is responsible for monitoring GDPR compliance, providing advice, and acting as a point of contact for individuals and supervisory authorities.

Record Keeping

All participants are liable to maintain detailed records of processing activities, including purposes, legal bases, categories of data, recipients, and retention periods.

Vendor Management

All participants are liable to ensure that third-party vendors or processors also comply with modern privacy regulations when processing personal data on their behalf.

Data Breach Management

All participants are liable to maintain a procedure for promptly identifying, reporting, and addressing data breaches and notifying relevant authorities and affected individuals within required timeframes.

Data Subject Rights

All participants are liable to maintain mechanisms for handling individuals' requests to exercise their rights, such as access, rectification, erasure, and data portability.

The protocol enables a direct connection between the individual and their counterparty, whether Issuer or Relying Party. Data is transmitted directly from the individual who holds the credentials to the system that is receiving the data. There is no central mediator tracking what you are doing. There are no data brokers or additional intermediaries. No other participant knows about this interaction, not even the original Issuer of the credential. The data that is shared is up to the individual, down to the field.

Recovery and Device Migration

Recovery mechanisms become essential in cases where individuals lose access to their credentials or if their credentials are compromised. However, the decentralized nature of the Velocity ecosystem, where users are responsible for managing their own data and keys, poses a significant challenge. The following mechanisms have been implemented to address this issue:

The simplest method for credential recovery involves storing encrypted backups managed by the users themselves through their device backup or wallet service backup. This allows users to restore their credentials, for instance, on a new device if their previous one is lost.

If backups are unavailable, the user needs to return to the issuers to reclaim their original credentials.
