From eb3a90b7e762929b546bec059d400038eee0523c Mon Sep 17 00:00:00 2001 From: Kalin Canov <kalin.canov@vereign.com> Date: Tue, 19 Dec 2023 17:11:04 +0200 Subject: [PATCH] Update GDPR file and adding GDPR section in README --- GDPR.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 5 ++++ 2 files changed, 73 insertions(+) create mode 100644 GDPR.md diff --git a/GDPR.md b/GDPR.md new file mode 100644 index 0000000..167b33b --- /dev/null +++ b/GDPR.md @@ -0,0 +1,68 @@ +# GDPR Compliance Document +The objective of this document is to detail, the data being stored and proccessed by the Trust Service API. + +# Issuing Verifiable Credential + +## What information is stored +### Source User Information (Private) +The Open Id connect claims MAY contain all sorts of personal data (like email, name, age and others), typically received from an external source. + +### Technical User Information (Public) + +- Schema information (public) +- Credential/credential definition ids and states +- DID of issuer +- DID of holder +- Created/updated dates +- Offered credential attributes and attachments + +## How is the information stored and used +### Source User Information +Source User Information is encrypted using the Private Key of the organizational deployment, thereby creating the Verifiable Credential. This Verifiable Credential is shared with the legitimate recipient. Subsequently Source User Information(including the Verifiable Credential), is permanently erased from organizational deployment. + +### Technical User Information (Public) +Technical User Information is used to send the Verifiable credential to legitimate recipient. After successful issuance of the Verifiable Credential, per default Technical User information is permenetly erased from organizational deployment. + + +## Who can access the information +The Source User Information and Technical User Information both are accessible only by the system administrators of the organizational deployment. + +## How long will the information stay +### Source User Information +The Source User Information is wiped out once the Verifiable Credential is issued. + +### Technical User Information (Public) +The Technical User Information is wiped out per default after Vereifiable Credential is isssued or optionally stored according to retention periods (not defined yet). + +# Receiving Verifiable Credential + +## What information is stored +### Source User Information (Private) +The Open Id connect claims MAY contain all sorts of personal data (like email, name, age and others), typically received from an external source. + +### Technical User Information (Public) + +- Schema information (public) +- Credential/credential definition ids and states +- DID of issuer +- DID of holder +- Created/updated dates +- Offered credential attributes and attachments + +## How is the information stored and used +### Source User Information +Source User Information is decrypted. Per default received Verifiable Credential is not stored permanently. In case this is changed within a specific organizational deployment, an amendment of this GDPR Compliance Document will be necessary. This is the due to the fact that these details depend on the specific use cases and intentions. + + +### Technical User Information (Public) +Technical User Information is used to received the Verifiable credential from legitimate sender. After successful acceptance of the Verifiable Credential, per default Technical User information is permanently erased from the organizational deployment. + +## Who can access the information +The Source User Information and Technical User Information both are accessible only by the system administrators of the organizational deployment. + +## How long will the information stay +### Source User Information +The Source User Information is wiped out per default once the Verifiable Credential is received. + +### Technical User Information (Public) +The Technical User Information is wiped out per default after Vereifiable Credential is received or stored according to retention periods (not defined yet). diff --git a/README.md b/README.md index a23a7e0..19215d1 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,11 @@ go mod vendor [Dependencies](go.mod) +## GDPR +<hr/> + +[GDPR](GDPR.md) + ## License <hr/> -- GitLab