Data Security by Design
The following mechanisms were implemented to secure users’ data privacy:
Encryption and Data Security: (a) all data transport is encrypted; (b) the network is decentralized, reducing the risk of a single data breach; (c) individuals have a choice of custodial and non-custodial wallets; (d) personal data is not stored in the trust ledger (Velocity Blockchain Network); (e) metadata on the trust ledger follows a "two-man rule" encryption protocol. The blockchain network is not involved in processing or storing any personal data of users, other than for the purposes of complying with applicable anti-money laundering (AML), Countering the Financing of Terrorism (CFT), and sanctions laws.
Legal Measures: a set of mandatory, publicly advertised participation terms and conditions that every participant (issuers, relying parties, tech vendors, node operators) must sign before being granted access to the underlying layer. These terms rigorously delineate participants' legal and contractual responsibilities, encompassing various facets, including security considerations, and are subject to enforcement by the decentralized community through various legal and economic sanctions.
Credential Integrity and Privacy Measures: (a) issuers digitally sign all credentials, ensuring they cannot be modified; (b) credential-issuing and presentation-sharing protocols are strictly peer-to-peer; (c) network protocols require the use of private-public keys for authentication; (d) network protocols are privacy-preserving and identity asymmetric, balancing information sharing.
Accreditation and Trust Management: (a) essential trust in Issuers and Relying Parties is managed through Accreditation Credentials signed by the Velocity Network Foundation; (b) extended accreditation is required for issuing sensitive ID credentials; (c) all agents and the trust ledger layer enforce these accreditation rules.
Key Management: (a) network protocols mandate participants’ key rotation and either key removal or key expiry; (b) agent operators securely receive key material from their issuers and relying parties.
Data Security Accreditation
Velocity Network Foundation, in its capacity as the steward of Velocity Network, has been audited and certified for ISO27001, ISO27017, ISO27018, ISO27032 and ISO27701. The Foundation is also working toward SOC2 accreditation. These accreditations are critically important for adoption of the protocol by enterprises, as it is directly connected to enterprise systems and processes. Enterprises seek the level of assurance that comes with the accreditations above.
Security Audits and Penetration Testing
Two separate security assessments were conducted on the different components of the protocol. Specifically, the Foundation has commissioned annual penetration tests and security audits by external information security consultants since 2022.
The audits covered the following areas:
Software developed by the network, including credential agents, registrar and credit management, including vulnerability penetration tests covering the OWASP Top 10
Protections against malicious actions including DDoS, forgery and phishing
Cryptographic algorithms and key management procedures
Software development & change management processes
Vulnerability scanning processes
Incident management processes
Customer personal data privacy and access
Privilege granting and revocation processes