# Privacy and Security

## Overview

Zipwire Attest is built with privacy and security as core principles. This page explains how we protect your data, maintain your privacy, and ensure the security of your digital identity.

## Privacy-First Design

### Your Data, Your Control

Zipwire Attest follows a **self-sovereign identity** model where you maintain complete control over your personal information:

* **Centralized but Encrypted**: Your personal documents are stored in centralized, double-encrypted storage
* **Country Selection**: You choose which country to store your data in
* **Selective Disclosure**: You choose exactly what information to reveal and to whom
* **Self-Sovereign**: You own and control your proofs and attestations

### What We Store vs. What We Don't

#### What We Store (Securely)

* **Double-encrypted PII** in centralized storage (we cannot read the encrypted data)
* **Cryptographic hashes** on the blockchain (Merkle roots)
* **Attestation records** on the Base blockchain
* **Verification metadata** (timestamps, attestation IDs)

#### What We Don't Store

* **Unencrypted personal documents** in our systems
* **Your private keys** or wallet credentials
* **Your browsing history** or usage patterns
* **Personal information** in plain text

## Security Measures

### Document Security

#### Double Encryption

Your documents are protected by multiple layers of encryption:

1. **Application-level encryption** by Zipwire
2. **Cloud provider encryption** by our storage partner
3. **Transport encryption** (TLS) for all data transmission

#### Localized Storage

* **Regional compliance**: Data stored in your chosen region
* **Sovereign data**: Your customers choose where to store documents
* **No cross-border transfer**: Data stays within your selected jurisdiction

### Blockchain Security

#### On-Chain Protection

* **Cryptographic hashes only**: Only Merkle root hashes are stored on-chain
* **No personal data**: Your actual documents never appear on the blockchain
* **Immutable records**: Attestations cannot be altered once recorded
* **Verifiable integrity**: Cryptographic proofs ensure data hasn't been tampered with

#### Attestation Security

* **Revocable attestations**: Zipwire can revoke attestations if needed
* **Timestamp validation**: Attestations include verification timestamps
* **Attester verification**: All attestations come from Zipwire's verified address

### Wallet Security

#### Connection Requirements

* **EOA & Smart Wallets**: Supports traditional Externally Owned Accounts and modern Smart Wallets (e.g., Coinbase Smart Wallet).
* **Flexible Connection**: Supports browser extensions (MetaMask, Coinbase Wallet, etc.) and mobile wallets via **WalletConnect**.
* **Signature Standards**: Fully compatible with EIP-1271 and ERC-6492 for smart wallet signatures.
* **Connection timing**: Wallet must be connected before ID verification.

#### Private Key Protection

* **Never stored**: We never see or store your private keys
* **SIWE only**: Only Sign-In with Ethereum (SIWE) is used; there are no transactions to sign
* **No access**: We cannot access your wallet or funds

## Data Handling

### Document Processing

#### Verification Process

1. **Temporary processing**: Documents processed temporarily for verification
2. **Immediate encryption**: Data encrypted as soon as it's received
3. **Secure deletion**: Temporary processing data deleted after verification
4. **No retention**: We don't retain unencrypted document data

#### Merkle Tree Creation

* **Local processing**: Merkle trees created in secure, isolated environments
* **Salt generation**: Random salts prevent preimage attacks
* **Hash computation**: Cryptographic hashes computed securely
* **No data leakage**: Original data never leaves the secure environment

### Data Retention

#### Attestation Data

* **Permanent on-chain**: Attestation records are permanent on the blockchain
* **User-controlled**: Users can delete their local document data
* **Verifiable forever**: Attestations remain verifiable even after local data deletion

#### Document Storage

* **User-controlled retention**: You control how long documents are stored
* **Download and delete**: You can download your data and delete it at any time
* **GDPR compliance**: Data will be deleted if you abandon your account
* **No backup copies**: We don't create backup copies of your documents

## User Control and Rights

### Selective Disclosure

#### Complete Control

* **Choose what to reveal**: Select exactly which fields to share
* **Context-specific**: Different proofs for different use cases
* **No over-sharing**: Never reveal more than necessary
* **Revocable sharing**: Stop sharing proofs at any time

#### Proof Management

* **Download proofs**: Save ProofPacks locally for offline use
* **Edit proofs**: Advanced users can create custom redacted proofs
* **Share selectively**: Choose who receives your proofs
* **Track usage**: Monitor where your proofs are used

### Data Deletion

#### Right to Delete

* **Immediate deletion**: Delete your documents at any time
* **Complete removal**: All local data removed from our systems
* **Attestation preservation**: Blockchain attestations remain for verification
* **No recovery**: Deleted data cannot be recovered

#### Technical Deletion

* **Secure deletion**: Data overwritten multiple times before deletion
* **Verification**: Confirmation that data has been completely removed
* **Audit trail**: Record of deletion for compliance purposes

## Compliance and Standards

### Regulatory Compliance

#### GDPR Compliance

* **Right to be forgotten**: Complete data deletion capability
* **Data portability**: Export your data in standard formats
* **Consent management**: Clear consent for data processing
* **Privacy by design**: Privacy built into every feature

#### Regional Compliance

* **Local data storage**: Choose your data storage region
* **Regional regulations**: Comply with local privacy laws
* **Cross-border restrictions**: Respect data sovereignty requirements

### Security Standards

#### Industry Standards

* **SOC 2 compliance**: Security and availability controls
* **ISO 27001**: Information security management
* **Encryption standards**: AES-256 encryption for data at rest
* **Transport security**: TLS 1.3 for data in transit

#### Blockchain Standards

* **EAS compliance**: Ethereum Attestation Service standards
* **Base network**: Secure Layer 2 blockchain
* **Cryptographic standards**: Industry-standard hash functions
* **Signature verification**: ECDSA and other standard algorithms

## Threat Protection

### Attack Prevention

#### Preimage Attack Protection

* **Random salts**: Each data field has a unique random salt
* **Hash protection**: Salts prevent reverse-engineering of data
* **Cryptographic strength**: Industry-standard hash functions

#### Tampering Prevention

* **Merkle tree integrity**: Cryptographic proofs prevent data tampering
* **Blockchain immutability**: On-chain records cannot be altered
* **Signature verification**: JWS envelopes prevent document tampering
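
The per-field salts, selective disclosure and Merkle integrity check described above, as an added Python sketch that is not Zipwire's or ProofPack's own code. SHA-256, the leaf encoding, the `0x00`/`0x01` prefixes and the sample record are assumptions made for illustration.

```python
import hashlib
import secrets

def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # 0x00 prefix separates leaf hashes from interior-node hashes (assumed encoding).
    return hashlib.sha256(b"\x00" + salt + f"{name}={value}".encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    levels = [list(leaves)]
    while len(cur := levels[-1]) > 1:
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        levels.append(nxt + ([cur[-1]] if len(cur) % 2 else []))  # odd node carried up as-is
    return levels

def prove(levels, index):
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))  # (sibling hash, sibling_is_left)
        index //= 2
    return path

def verify(name, value, salt, path, root) -> bool:
    acc = leaf_hash(name, value, salt)
    for sibling, is_left in path:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return secrets.compare_digest(acc, root)

def guess_value(target, name, candidates, salt=b""):
    """Dictionary search against a hidden leaf hash; needs the salt (or none in use)."""
    return next((c for c in candidates if leaf_hash(name, c, salt) == target), None)

def demo():
    fields = [("name", "Alice Example"), ("dob", "1990-04-17"),  # constructed sample record
              ("nationality", "GB"), ("doc_type", "passport")]
    salts = [secrets.token_bytes(16) for _ in fields]
    levels = build_levels([leaf_hash(n, v, s) for (n, v), s in zip(fields, salts)])
    root, path = levels[-1][0], prove(levels, 2)  # disclose "nationality" only
    doc_types = ["id_card", "driving_licence", "passport"]
    return {
        "disclosed_ok": verify("nationality", "GB", salts[2], path, root),
        "tampered_ok": verify("nationality", "FR", salts[2], path, root),
        "unsalted_guess": guess_value(leaf_hash("doc_type", "passport", b""), "doc_type", doc_types),
        "salted_guess": guess_value(path[0][0], "doc_type", doc_types),
    }
```

Whoever checks a single disclosed field also receives the hash of the neighbouring undisclosed leaf, so a low-entropy field without its own salt can be recovered from a short candidate list; with the salt withheld, the same search returns nothing.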

## Transparency

### Open Standards

* **ProofPack specification**: Open standard for data exchange
* **EAS integration**: Open blockchain attestation service
* **Verifiable code**: Open source verification libraries
* **Public attestations**: All attestations visible on blockchain

## Best Practices for Users

### Security Recommendations

* **Secure wallet**: Use a hardware wallet for maximum security
* **Regular updates**: Keep your wallet software updated
* **Backup proofs**: Store ProofPacks securely for offline use
* **Monitor attestations**: Regularly check your attestation status

### Privacy Recommendations

* **Minimal disclosure**: Only share what's absolutely necessary
* **Context awareness**: Use different proofs for different contexts
* **Regular cleanup**: Delete old documents and proofs regularly
* **Stay informed**: Keep up with privacy and security updates

## Related Resources

* [Attestation Schemas](/zipwire-attest/attestation-schemas.md)
* [Proof Verification](/zipwire-attest/proof-verification.md)
* [Understanding Merkle Trees and Proofs](/fundamentals/security/understanding-merkle-trees-and-proofs.md)
* [Data Ownership in Zipwire](/overview/data-ownership-in-zipwire.md)

