Data Protection Policy
At Vereign we respect your personal data. In this spirit, this data protection policy (hereinafter: “Privacy
Policy”) shall offer you full transparency on how we protect your data, while you use our “Vereign Credential
Manager”, which is provided to you free or charge and under the open source license Apache 2.0.
Vereign Credential Manager has the purpose to empower you to become part of a transparent and self
sovereign data ecosystem. Simply put, this is a wallet to receive and send “Verifiable Credentials”
(hereinafter “VCs”).
Such VCs are an open standard for digital credentials. They can represent information found in physical
credentials, such as a passport or license, as well as aspects that have no physical equivalent, such as
ownership of a user account. Ultimately, a VCs is a tamper-evident credential that has authorship and can be
cryptographically verified.
What exactly is contained and required by such VCs is defined by the company, institution or other individual
that is sending you an individual VC (hereinafter “Issuer”).
I. Overview and summary
Our Vereign Credential Manager is provided to you following a strong privacy by design concept.
Consequently, your user data is stored on your user device in an encrypted form and is shared exclusively
with individual Issuers, you yourself decide to interact with. We have no technical means to access this data
on your device.
In case you choose to communicate with another party using the Vereign Credential Manager, all
communication data will be encrypted locally on your device and send with the help of an SSI Mediator,
operated by us. This SSI Mediator will erase your fully encrypted communication data, as soon as it has
been safely transferred.
That means, only in case you reach out to us explicitly, for example send us an email in order to receive
support or in case of any concerns or questions, we will have actual access to your personal data. But
always limited to the extent, you yourself have chosen.
And in any case, in no event we will use your personal data for any purpose unrelated to the purposes as
outlined in this Privacy Policy. In particular, we are not allowed to sell your personal data to any third party for
any business or political agenda.
Nothing in the following detailed explanations shall put this initial summary in question. In case of
inconsistencies, the above summarizing statements shall prevail and bind us accordingly.
II. Name and contact details of the controller
Vereign AG
Dammstrasse 16,
6300 Zug, Switzerland
Email: contact@vereign.com
For questions with regard to this Privacy Policy or other concerns in this subject area, please contact our
data protection team directly by email: dataprotection@vereign.com.
III. What is the allowed purpose?
Our collection and processing of your personal data under this Privacy Policy is limited to the extent
necessary to provide you with an independent and self-sovereign wallet to verify, manage and reply to
individual VC request, as send to you by individual Issuers.
IV. What data is actually processed?
In detail the following data categories may be affected.
A) Your information, as included in an individual VC
An individual VC may contain all sorts of personal data (like for example your email, name, age or university
degree).
Also additional documents or presentations of proof may be requested (like a scan of your passport or
diploma). Whatever is required in an individual case, will be defined by the Issuer that is sending you a VC.
Whether you choose to provide such information and presentations to the Issuer, is always your explicit
choice.
The Vereign Credential Manager will enable you to manage the shared information, and therefore will
present you with a connection history with respect to the available connections and the list of connections
with different Issuers you choose to interact with.
Your information as included in an individual VC is stored encrypted within your Vereign Credential Manager
(locally on your device) and will only be presented after successful user authentication.
B) Your DID
A unique “Decentralised Identifier” will be assigned to you, which from a user perspective you may think of as
your SSI equivalent of an IP address.
C) SSI Mediator - Communication layer
In case you choose to reply to requests as issued by individual Issuers, the provided data will be send by the
means of an SSI Mediator, which is operated by us. All respective data is transferred encrypted and this
encrypted data will be erased by the SSI Mediator as soon as the communication with the Issuer has been
completed safely.
D) SEAL history
With the help of our Vereign Credential Manager you are also able to securely check a special kind of
tamper-proof verification and evidence of sent email just as well as benefit from revision secure archiving
(hereinafter “SEAL”).
Such a SEAL provides you with a tamper-proof verification and evidence of sent email just as well as a
respective revision-secure archiving.
Overall the purpose of this data processing is to provide an independent and self-sovereign proof for your
email and attachments, way beyond what traditional solutions like handwritten signatures or registered mail
services could offer.
1) deSEALing of your email and attachments
By simply scanning a QR SEAL (as defined below) with the help of our Vereign Credential Manager you are
able to securely conduct the process of deSEALing (as defined in detail below) and join the private QR SEAL
with the public QR TAIL (as defined below), locally on your device. The public QR TAIL is requested by your
device and the private QR SEAL does not leave your device. That means, all respective actual data related
to emails and attachments are processed exclusively locally on your device.
2) Overall privacy by design concept
In order to protect email data we have implemented a strong form of pseudonymization, which is the
foundation of our privacy by design concept. Before any email data is leaving the device of the email sender
(e.g. a laptop or mobile phone) email data is compressed, encrypted (AES-256 GCM) and subsequently
shredded in random data pieces (this entire process is hereinafter referenced as “SEALing”).
One part of this shredded data (together with one-time encryption keys) is exclusively stored in a QR code
which is attached to the body of the send email (we call this QR code “ QR SEAL”). The other remaining part
of the shredded data goes a separate way and is stored on remote servers (we call this part of the data “QR
TAIL”).
None of these two random data pieces alone can be restored into original email data. Only in case the
private QR SEAL is present it will be technical feasible to identify the matching public QR TAIL and combine
both data pieces in order to restore and authenticate email data (hereinafter referenced as “deSEALing”).
Overall, this means it will only be feasible for us (or anyone else) to conduct a deSEALing process with the
help of the public QR TAIL, in case the matching QR SEAL is present - which by itself is part of the send
email, already containing all the data elements that can be revealed by joining the QR SEAL with the QR
TAIL.
3) SEALing of email and attachments
To understand the deSEALING process that is conducted by the Vereign Credential Manager, it may help to
understand in detail the process for SEALING this email data in the first place, which has happened with the
help of other applications. To clarify: the Vereign Credential Manager itself only conducts the process of
deSEALING not the process of SEALING.
a) Metadata
Comparable to a receipt, evidencing emails and attachments have been send at a certain point in time, and
in order to offer a respective tamper-proof and automatically (if required also manually) verifiable audit-trail,
the following metadata were collected locally on the device of the sender of the email:
- Sender name and email address
- Subject of the message
- Name and email of all recipients (to and cc)
- Date of the message
- The names (links), size and signature of the attachments (if any)
- Hash and size of the message body
- Status ID
- Sender Vereign public key (UUIDv4)
(hereinafter collectively: “Metadata”)
This Metadata undergoes the process of SEALing, locally on the device of the sender. The resulting QR
SEAL is attached to the email and the public QR TAIL is send off to be stored in the InterPlanetary File
System (IPFS).
b) Hashes
In order to provide an additional layer of independent and tamper-proof evidence, hashes to a public
Blockchain have been written. Hash functions are widely used to mathematically prove that an original data
input has not been altered. As long as the hash input is complex enough, the hash output by itself is an
abstract piece of information and will not reveal any information of the original data input itself.
The following data input objects are mathematically obfuscated (again locally on the device of the sender) via
such a hash function:
- Entire message body
- Attachments of the email (if any)
(hereinafter “Sender Input Data”)
Together with multiple other hash outputs, the respective abstract hash has been written in a system data
container object and these objects were stored in the individual QR TAIL. These hashes in your QR TAIL are
secured by the QR SEAL, meaning without having access to your QR SEAL, nobody has access to the hash
and to its confirmational value in regards to your Sender Input Data.
V. And for how long will this data be stored?
In regards to the explained data categories, the following data erasure and storage periods apply.
A) Your information, as included in an individual VC
Your information as included in an individual VC will remain on your local device, as long as you choose to
keep it there. In case you shared such data with an individual Issuer this Issuer will have access to the data,
until the defined expiration date is due or else you agreed with an individual Issuer.
B) Your DID
Will remain in place, as long as you choose to use your individual Vereign Credential Manager.
C) SSI Meditor - Communication Layer
All communication data that is processed by the SSI Mediator will be erased after the communication with an
individual Issuer has been completed safely.
D) Seal history
Stays as long on your local devices as you choose to keep this SEAL history data, within your Vereign
Credential Manager.
VI. Applicable legal framework and legal basis
Our data protection practice complies with applicable law including but not limited to the Swiss Data
Protection Act (“Swiss DPA”) and its Ordinance (“Swiss DPO”). Also we are fully compliant with the General
Data Protection Regulations (“GDPR”) of the European Union and its local adaptations including but not
limited to the German Federal Data Protection Act (“Bundesdatenschutzgesetz”). We will continue to
monitor and analyse further country specific data protection regulations outside of the European Union but so
far we have identified the GDPR as sufficient and acceptable regulatory standard throughout the entire
world.
As far as the GDPR is applicable, we collect and use personal data as much as necessary to provide our
services requested by you (Art. 6 para. 1 Lit. b GDPR). A notable exception applies where a contractual
basis is not apparent and the processing of personal data can only be authorised via your explicit consent
(Art. 6 para. 1 Lit. a GDPR). In such a situation we will explicitly explain to you the exact purpose of the
concerned data processing and you may at any time retrieve your consent given to us.
VII. Data processors
The administration and processing of personal data in the scope of this Privacy Policy is primarily carried out
by us, and our subsidiary Vereign Labs Ltd.
However, specific tasks, we have entrusted to reliable external institutions, like data center or cloud
providers.
But any of such external providers, just as our subsidiary, are processing your personal data on our behalf.
All these parties remain contractually bound by confidentially, this privacy policy and any applicable law,
including but not limited to GDPR.
VIII. Your rights as a data subject
According to applicable law (in particular Swiss law and even more so GDPR) but also due to our own
commitment you shall have the following rights toward us:
A. Right of access: You may request information about your data processed by us, in particular about the
purposes of processing, the category of personal data, the categories of recipients to whom the data have
been or will be disclosed by us, the envisioned period of storage, the existence of a right of rectification,
erasure, restriction of processing or objection to it, the existence of a right to lodge a complaint, where your
data are collected from (if these are not collected by us), and the existence of automated decision-making,
including profiling.
B. Right to rectification: You have the right to demand without undue delay the rectification of inaccurate
personal data stored by us as well as to have incomplete personal data stored by us completed.
C. Right to erasure: You have the right to demand that personal data stored by us be erased as long as the
processing of this data is not necessary to fulfil a legal obligation, for reasons of public interest, or for the
establishment, exercise or defence of legal claims.
D. Right to block data: You have the right to demand to have your personal data blocked. Data that is blocked
will not be deleted from our databases, but it will not be processed as long as being blocked.
E. Right to data portability: You have the right to receive your personal data in a structured, commonly used
and machine-readable format, or to demand that it be transmitted to another controller.
F. Right to object: Consent given to process your personal data can be revoked at any time. As a result of
this, we will no longer be permitted to continue processing data based on this consent in the future.
G. Right to lodge a complaint: You have the right to lodge a complaint with any competent supervisory
authority. Therefore you may contact a locally competent authority at your place of residence or you may
report any presumed violation of applicable data protection law, to the Federal Data Protection and
Information Commissioner (FDPIC) as the federal data protection authority in Switzerland. The FDPIC’s
contact details are as follows:
Federal Data Protection and Information Commissioner
Feldeggweg 1, 3003 Berne, Switzerland
Tel: +41 58 462 43 95
Fax: +41 58 465 99 96
www.edoeb.admin.ch
H. Exercise your rights: In order to exercise your rights as a data subject, please contact our Data Protection
Team (dataprotection@vereign.com) or send an email or postal mail to our contact details as indicated under
clause I above.
In case you exercise your rights in accordance with the GDPR towards us, we will not charge any fees.
However, a reasonable fee may be charged if your inquiry is demonstrably abusive, improper or if you make
a repeated inquiry without relevant justification.
We may need to collect information about you that will enable us to clearly identify you as a data subject. In
doing so, we will endeavour not to complicate or even hinder your request. Rather, we want to make sure
that none of your personal data falls into the hands of unauthorised persons.
IX. Security
We have implemented extensive security provisions and measures to establish an appropriate level of safety
to protect personal data stored by us from unauthorized access, misuse, altering, misappropriation,
destruction, and loss. At Vereign we seek to combine and align our overall requirements concerning cyber
security and resilience, regardless whether these requirements are derived from best practise approaches,
applicable law or contractual regulations. This holistic point of view makes it feasible for us to deal with the
respective requirements in a transparent and effective way. As part of our security management processes,
we obligated ourself to conduct regular external penetration tests of our Seal Applications and its underlying
processes.
However, in case you choose to communicate with us via an insufficiently encrypted communication channel,
we would like to point out that such insufficiently encrypted data transfer cannot provide any guarantee that
access to your data by third parties is averted.
X. Amendments of this privacy policy
It may be necessary to adapt our data protection statement to changing framework conditions of a technical,
factual or legal nature. Therefore this Privacy Policy may be amended from time to time, provided that
nothing in newer versions of this Privacy Policy shall contradict the summary given to you in above
(“Overview and Summary”).
As of: January 2023