Security

Access Control

The Access Control module is a critical component that governs user permissions based on identity verification data. It ensures that only users who have completed the required KYC (Know Your Customer) or KYB (Know Your Business) processes can interact with specific features of the system, particularly those involving sensitive smart contract operations

Wallet-Based Identity Collection

• Each user is identified by their wallet address, which serves as a unique identifier across the system.

• When users connect their wallet to the dApp, their wallet address is extracted and used to retrieve or link their profile within the Access Control module.

• This wallet address is used to store and retrieve identity information, creating a user profile that the system can reference for KYC or KYB purposes.

KYC/KYB Verification Integration

• Access Control relies on the Identity Verification Service to validate each user’s KYC or KYB status.

• When a user connects their wallet, the Access Control module queries the Identity Verification Service to check whether this wallet address is associated with a verified identity.

• If a user has not completed KYC/KYB, they are redirected to the verification process before gaining full access.

Permission Management

• Access Control maintains a permission matrix, mapping wallet addresses to allowed actions based on their KYC/KYB status.

• Verified users are granted access to specific smart contract functions (e.g., making transactions, accessing restricted data) depending on their verification level.

• For example, users verified under KYB may have additional permissions to manage business accounts, while regular KYC users may only access individual-level actions.

Real-Time Permission Verification

• Every time a user initiates an interaction that requires verification (e.g., submitting a transaction), the dApp sends a request to Access Control.

• Access Control checks if the wallet address associated with the request has the required permissions.

• If permissions are validated, Access Control allows the transaction or action to proceed; otherwise, it denies access and notifies the user of any additional steps needed.

Role-Based Access Levels

• Access Control can implement role-based access levels for different user types (e.g., Admin, Regular User, Business User).

• These roles are assigned based on KYC/KYB data and dictate what smart contract interactions and dApp features each user can access.

• This approach provides flexibility, allowing the system to enforce more granular permissions tailored to each user’s verified status and role.

Data Privacy

To ensure the highest standards of data privacy and protection, particularly regarding sensitive KYC (Know Your Customer) and KYB (Know Your Business) data, in compliance with regulations such as the General Data Protection Regulation (GDPR) and other relevant privacy laws. The platform follows strict protocols to manage, store, and process user information responsibly, protecting users’ personal data and adhering to legal obligations.

Third-Party Identity Verification Services

• Use of Licensed and Trusted Providers:

  • All KYC/KYB data collection and verification are outsourced to trusted, licensed third-party providers (e.g., Shufti Pro, Onfido) specializing in identity verification.

• Data Handling by Third Parties:

  • These providers collect, process, and store user identification information as part of the verification process.

  • Our platform does not directly store users’ private information (e.g., personal documents, selfies, or address proofs), unless explicitly required for regulatory or compliance purposes.

• Compliance and Certifications:

  • The third-party providers are compliant with data protection standards such as GDPR, ISO 27001, and SOC 2, ensuring secure data handling practices.

  • They maintain robust security measures, including encryption, access control, and regular audits, to protect user data against unauthorized access and breaches.

Minimization of Data Storage

• No Storage of Sensitive Data by Default:

  • By default, the platform avoids storing sensitive user data, such as identity documents, photos, or detailed personal information.

• Limited Data Retention:

  • Only essential data (e.g., verification status, timestamp, unique identifiers) is retained by the platform for operational purposes, such as ensuring access control and maintaining an audit trail.

  • If additional data retention is required for legal or compliance reasons, users are informed, and explicit consent is obtained.

• Purpose Limitation:

  • Any data collected is strictly limited to the specific purpose for which it was requested (e.g., verifying eligibility to invest). This ensures that data is not misused for other purposes outside of the scope of KYC/KYB.

User Consent and Transparency

• Explicit User Consent:

  • Before any personal information is collected for KYC/KYB, users are informed about the nature of the data being collected, its purpose, and the parties involved in processing it.

  • Users must explicitly consent to the collection and processing of their data, and they are given the choice to decline if they do not wish to proceed (noting that some features may be restricted without verification).

• Data Access and Control:

  • Users have the right to access their personal information that has been collected and processed as part of KYC/KYB.

  • They can also request corrections or deletion of their data where permissible under applicable laws.

• Transparency in Data Use:

  • The platform provides clear information on how and where user data is processed, including the identity verification providers involved, their data handling practices, and how long the data will be retained.

Data Encryption and Security Measures

• Encryption:

  • All sensitive data exchanged with third-party providers is encrypted in transit and at rest, ensuring it cannot be intercepted or accessed by unauthorized parties.

  • Encryption standards such as TLS 1.2+ are used for data in transit, and AES-256 for data at rest, to maintain high levels of security.

• Access Control:

  • Access to KYC/KYB data is restricted to authorized personnel only, both within the platform and the third-party verification providers.

  • Role-based access control and multi-factor authentication (MFA) are implemented to prevent unauthorized access to sensitive information.

• Regular Security Audits:

  • Both the platform and third-party providers conduct regular audits and vulnerability assessments to identify and mitigate potential security risks.

Data Retention and Deletion Policy

• Data Retention Period:

  • The platform retains KYC/KYB verification statuses and relevant metadata (such as verification date and provider) for as long as legally required, to comply with regulatory audits or legal inquiries.

  • No sensitive personal data (e.g., passport numbers, addresses) is stored by the platform unless specifically mandated by regulatory authorities.

• Right to Erasure:

  • Users have the right to request the deletion of their personal data upon account closure or after a certain period, subject to any regulatory or compliance obligations that may require data retention.

  • The platform works with third-party providers to ensure that data is securely deleted from all systems upon user request or when retention is no longer required.

Compliance with Data Protection Laws (e.g., GDPR, CCPA)

• Adherence to GDPR Principles:

  • The platform complies with GDPR principles such as data minimization, purpose limitation, and transparency. Users are provided with clear information on their data rights, including access, correction, and erasure.

• Privacy by Design and Default:

  • Privacy is embedded into the platform’s design and operational processes, ensuring that user data is handled with the highest level of protection by default.

  • Only necessary data is collected, and privacy impact assessments are conducted regularly to evaluate and enhance data protection practices.

• Cross-Border Data Transfers:

  • If user data is processed outside of the user’s jurisdiction (e.g., processed in a non-EU country for EU users), adequate safeguards such as Standard Contractual Clauses (SCCs) or equivalent legal mechanisms are in place to ensure data protection compliance.

Compliance

In decentralized finance (DeFi), compliance requirements are critical for adhering to financial regulations, especially as regulatory bodies worldwide focus on enforcing anti-money laundering (AML) and counter-terrorist financing (CTF) laws. Here’s a breakdown of key compliance areas in DeFi investments, including user identification and verification before allowing investments.

Know Your Customer (KYC) Requirements

• Purpose:

  • KYC regulations mandate that financial institutions, including DeFi platforms, identify and verify users’ identities to prevent illegal financial activities.

• Requirement:

  • Users must provide valid identification documents (such as passports, driver’s licenses, or government-issued IDs) before making any investment.

• Process:

  • Identity Verification:

    • Users are required to upload their identification documents, which are verified through third-party identity verification services (e.g., Shufti Pro).

    • Address Verification: Some platforms may require additional proof of address, such as utility bills, to verify the user’s residency.

• Compliance Impact:

  • Enforcing KYC ensures that DeFi platforms are not used for illegal activities, aligning with AML and CTF requirements.

Anti-Money Laundering (AML) Compliance

• Purpose:

  • AML regulations are designed to prevent money laundering, a process where illicit funds are disguised as legitimate income.

• Requirement:

  • DeFi platforms are required to monitor transactions for suspicious activity and report any findings to relevant authorities.

• Process:

  • Transaction Monitoring:

    • Using automated tools, the platform continuously monitors user transactions for unusual patterns, such as large, rapid, or international transfers.

  • Suspicious Activity Reports (SARs):

    • If any suspicious behavior is detected, the platform must file SARs with relevant authorities to comply with AML laws.

• Compliance Impact:

  • Strict adherence to AML regulations reduces the risk of the platform being exploited for money laundering and protects its reputation.

Counter-Terrorist Financing (CTF) Compliance

• Purpose:

  • CTF laws aim to prevent the use of financial systems for financing terrorism.

• Requirement:

  • Similar to AML, CTF compliance requires DeFi platforms to conduct thorough checks to prevent terrorist organizations from utilizing the platform.

• Process:

  • Sanctions Screening:

    • The platform cross-references user information with global sanctions lists to identify individuals or organizations linked to terrorist activities.

  • Enhanced Due Diligence (EDD):

    • For users flagged during sanctions screening, EDD is applied, which involves collecting additional information and monitoring their transactions closely.

• Compliance Impact:

  • Implementing CTF measures helps in preventing the use of DeFi investments to fund illegal or harmful activities.

KYB (Know Your Business) for Institutional Investors

• Purpose:

  • KYB ensures that business entities investing through the platform are legitimate and comply with financial regulations.

• Requirement:

  • Institutional or business accounts must undergo KYB verification before being allowed to invest.

• Process:

  • Business Document Verification:

    • Companies must submit legal documents such as business registration certificates, tax IDs, and licenses.

  • Ownership Verification:

    • KYB checks the identities of beneficial owners or directors of the business to ensure legitimacy.

• Compliance Impact:

  • By verifying business accounts, DeFi platforms avoid dealings with shell companies or businesses involved in illegal activities.