Privacy and Security

Privacy and security guarantees for Zipwire Attest, including data handling, user control, and security measures.

Overview

Zipwire Attest is built with privacy and security as core principles. This page explains how we protect your data, maintain your privacy, and ensure the security of your digital identity.

Privacy-First Design

Your Data, Your Control

Zipwire Attest follows a self-sovereign identity model where you maintain complete control over your personal information:

  • Centralized but Encrypted: Your personal documents are stored in centralized, double-encrypted storage

  • Country Selection: You choose which country to store your data in

  • Selective Disclosure: You choose exactly what information to reveal and to whom

  • Self-Sovereign: You own and control your proofs and attestations

What We Store vs. What We Don't

What We Store (Securely)

  • Double-encrypted PII in centralized storage (we cannot read the encrypted data)

  • Cryptographic hashes on the blockchain (Merkle roots)

  • Attestation records on the Base blockchain

  • Verification metadata (timestamps, attestation IDs)

What We Don't Store

  • Unencrypted personal documents in our systems

  • Your private keys or wallet credentials

  • Your browsing history or usage patterns

  • Personal information in plain text

Security Measures

Document Security

Double Encryption

Your documents are protected by multiple layers of encryption:

  1. Application-level encryption by Zipwire

  2. Cloud provider encryption by our storage partner

  3. Transport encryption (TLS) for all data transmission

Localized Storage

  • Regional compliance: Data stored in your chosen region

  • Sovereign data: Your customers choose where to store documents

  • No cross-border transfer: Data stays within your selected jurisdiction

Blockchain Security

On-Chain Protection

  • Cryptographic hashes only: Only Merkle root hashes are stored on-chain

  • No personal data: Your actual documents never appear on the blockchain

  • Immutable records: Attestations cannot be altered once recorded

  • Verifiable integrity: Cryptographic proofs ensure data hasn't been tampered with

Attestation Security

  • Revocable attestations: Zipwire can revoke attestations if needed

  • Timestamp validation: Attestations include verification timestamps

  • Attester verification: All attestations come from Zipwire's verified address

Wallet Security

Connection Requirements

  • EOA wallets only: Externally Owned Account wallets supported

  • Browser extensions: MetaMask and similar wallet extensions

  • No smart contracts: Smart contract wallets not currently supported

  • Connection timing: Wallet must be connected before ID verification

Private Key Protection

  • Never stored: We never see or store your private keys

  • SIWE only: Only Sign-In with Ethereum (SIWE) is used; there are no transactions to sign

  • No access: We cannot access your wallet or funds

Data Handling

Document Processing

Verification Process

  1. Temporary processing: Documents processed temporarily for verification

  2. Immediate encryption: Data encrypted as soon as it's received

  3. Secure deletion: Temporary processing data deleted after verification

  4. No retention: We don't retain unencrypted document data

Merkle Tree Creation

  • Local processing: Merkle trees created in secure, isolated environments

  • Salt generation: Random salts prevent preimage attacks

  • Hash computation: Cryptographic hashes computed securely

  • No data leakage: Original data never leaves the secure environment

Data Retention

Attestation Data

  • Permanent on-chain: Attestation records are permanent on the blockchain

  • User-controlled: Users can delete their local document data

  • Verifiable forever: Attestations remain verifiable even after local data deletion

Document Storage

  • User-controlled retention: You control how long documents are stored

  • Download and delete: You can download your data and delete it at any time

  • GDPR compliance: Data will be deleted if you abandon your account

  • No backup copies: We don't create backup copies of your documents

User Control and Rights

Selective Disclosure

Complete Control

  • Choose what to reveal: Select exactly which fields to share

  • Context-specific: Different proofs for different use cases

  • No over-sharing: Never reveal more than necessary

  • Revocable sharing: Stop sharing proofs at any time

Proof Management

  • Download proofs: Save ProofPacks locally for offline use

  • Edit proofs: Advanced users can create custom redacted proofs

  • Share selectively: Choose who receives your proofs

  • Track usage: Monitor where your proofs are used

Data Deletion

Right to Delete

  • Immediate deletion: Delete your documents at any time

  • Complete removal: All local data removed from our systems

  • Attestation preservation: Blockchain attestations remain for verification

  • No recovery: Deleted data cannot be recovered

Technical Deletion

  • Secure deletion: Data overwritten multiple times before deletion

  • Verification: Confirmation that data has been completely removed

  • Audit trail: Record of deletion for compliance purposes

Compliance and Standards

Regulatory Compliance

GDPR Compliance

  • Right to be forgotten: Complete data deletion capability

  • Data portability: Export your data in standard formats

  • Consent management: Clear consent for data processing

  • Privacy by design: Privacy built into every feature

Regional Compliance

  • Local data storage: Choose your data storage region

  • Regional regulations: Comply with local privacy laws

  • Cross-border restrictions: Respect data sovereignty requirements

Security Standards

Industry Standards

  • SOC 2 compliance: Security and availability controls

  • ISO 27001: Information security management

  • Encryption standards: AES-256 encryption for data at rest

  • Transport security: TLS 1.3 for data in transit

Blockchain Standards

  • EAS compliance: Ethereum Attestation Service standards

  • Base network: Secure Layer 2 blockchain

  • Cryptographic standards: Industry-standard hash functions

  • Signature verification: ECDSA and other standard algorithms

Threat Protection

Attack Prevention

Preimage Attack Protection

  • Random salts: Each data field has a unique random salt

  • Hash protection: Salts prevent reverse-engineering of data

  • Cryptographic strength: Industry-standard hash functions
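
The salted Merkle leaves, selective disclosure and preimage protection described under Merkle Tree Creation, Selective Disclosure and Preimage Attack Protection can be sketched as follows. This is an added example, not Zipwire's or ProofPack's code: SHA-256, the leaf encoding, the 16-byte salts and the sample field names are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample record; field names are illustrative, not Zipwire's schema.
FIELDS = {"given_name": "Alex", "family_name": "Doe", "birth_year": "1990",
          "nationality": "GB", "document_number": "X1234567"}

def leaf_hash(name, value, salt):
    # Length-prefix each part so field boundaries are unambiguous; 0x00 tags a leaf.
    parts = [salt, name.encode(), value.encode()]
    body = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(b"\x00" + body).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 tags an inner node

def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        levels.append(nxt + cur[len(cur) - len(cur) % 2:])  # unpaired node promoted unchanged
    return levels

def prove(levels, index):
    path = []  # list of (sibling_hash, sibling_is_left)
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root, name, value, salt, path):
    h = leaf_hash(name, value, salt)
    for sibling, sibling_is_left in path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return secrets.compare_digest(h, root)

def disclose(field, salted=True):
    names = list(FIELDS)
    salts = [secrets.token_bytes(16) if salted else b"" for _ in names]
    levels = build_levels([leaf_hash(n, FIELDS[n], s) for n, s in zip(names, salts)])
    i = names.index(field)
    return levels[-1][0], salts[i], prove(levels, i)  # root is published; rest goes to verifier

def guess_sibling(path, name, candidates):
    # The first path entry is a neighbouring leaf hash; test it against a small value space.
    return next((c for c in candidates if leaf_hash(name, c, b"") == path[0][0]), None)
```

A proof for `nationality` necessarily hands the verifier the leaf hash of its neighbour `birth_year`. With `salted=False` that hash can be matched against a list of plausible years, while with a random per-field salt the same check finds nothing.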

Tampering Prevention

  • Merkle tree integrity: Cryptographic proofs prevent data tampering

  • Blockchain immutability: On-chain records cannot be altered

  • Signature verification: JWS envelopes prevent document tampering

Transparency

Open Standards

  • ProofPack specification: Open standard for data exchange

  • EAS integration: Open blockchain attestation service

  • Verifiable code: Open source verification libraries

  • Public attestations: All attestations visible on blockchain

Best Practices for Users

Security Recommendations

  • Secure wallet: Use a hardware wallet for maximum security

  • Regular updates: Keep your wallet software updated

  • Backup proofs: Store ProofPacks securely for offline use

  • Monitor attestations: Regularly check your attestation status

Privacy Recommendations

  • Minimal disclosure: Only share what's absolutely necessary

  • Context awareness: Use different proofs for different contexts

  • Regular cleanup: Delete old documents and proofs regularly

  • Stay informed: Keep up with privacy and security updates
