Security & Compliance

Every architectural decision is made with a compliance officer's requirements as the constraint.

How we protect your users' data

User's Device
  --TLS 1.3-->        Solidus API Edge
  --BLAKE3 hash-->    Validators (consensus)
  --BLS signature-->  Solidus Blockchain (credential hash anchored)
  -->                 User's DID Wallet (credential stored by user)

Document images are processed and then deleted. No biometric data is persisted.

GDPR (Current): No personal data stored on-chain. Right to erasure: supported.

SOC 2 Type II (Planned): Audit in progress. Report available post-Year 2.

ISO 27001 (Planned): Information security management system.

BIPA (Current): Written biometric consent flow. No biometric template stored.

MiCA (Current): Credential attestation satisfies MiCA KYC requirements.

eIDAS 2 (Current): W3C VC credentials compatible with the eIDAS 2 wallet standard.

FATF Travel Rule (Current): Credential attestation model satisfies the VASP Travel Rule.

PCI-DSS (N/A): Not applicable — no card data processed.

Privacy by architecture

Zero Biometric Storage

Liveness images are processed in-memory and discarded. No facial template is ever written to disk.

Data Minimization

Only cryptographic proofs are stored on-chain — never names, passport numbers, or photos.

User-Controlled Credentials

Credentials live in the user's DID wallet. You cannot access them without the user's consent.

GDPR Right to Erasure

Deleting an account removes all off-chain data. The on-chain hash cannot be reversed to PII.

Consent-First

A signed consent transaction is required before any verification begins.

Open Source

All credential issuance logic is open-source and independently auditable.

Regulatory compliance, mapped

GDPR

Requirement | Solidus Implementation
Article 5(1)(e) — Storage limitation | Biometric data deleted immediately after processing. Verification result stored as BLAKE3 hash only. No PII persisted post-session.
Article 17 — Right to erasure | Account deletion removes all off-chain data within 24 hours. The on-chain hash is a one-way cryptographic proof and cannot be reversed to recover PII.
Article 25 — Privacy by design | Zero-knowledge architecture. No personal data stored on the Solidus protocol layer. Compliance is architectural, not policy-dependent.
Article 32 — Security of processing | TLS 1.3 in transit. BLAKE3 hashing for verification results. BLS signatures for validator consensus. FIPS-validated key management.
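As an added illustration of the anchoring flow above and of the Article 17 claim that the on-chain hash cannot be reversed to PII (example code, not the Solidus project's own): the anchor is a salted BLAKE3 commitment, the salt stays with the credential in the user's wallet, and a defender's check shows that without a salt a hash of low-entropy fields could be linked back to a record by enumeration. The `blake3` PyPI package, the sample record and its field names are assumptions; BLAKE2b is used as a stand-in only if the package is absent.

```python
from __future__ import annotations
import json
import secrets

try:
    from blake3 import blake3 as _blake3      # PyPI package "blake3"
    def digest(data: bytes) -> bytes:
        return _blake3(data).digest()
except ImportError:                           # assumption: BLAKE2b stand-in so the example runs without the package
    import hashlib
    def digest(data: bytes) -> bytes:
        return hashlib.blake2b(data, digest_size=32).digest()


def canonical(result: dict) -> bytes:
    """Deterministic JSON so issuer and relying party hash identical bytes."""
    return json.dumps(result, sort_keys=True, separators=(",", ":")).encode()


def commit(result: dict) -> tuple[bytes, bytes]:
    """Return (salt, anchor). Only the 32-byte anchor is written on-chain;
    the salt travels with the credential into the user's DID wallet."""
    salt = secrets.token_bytes(32)
    return salt, digest(salt + canonical(result))


def verify(anchor: bytes, salt: bytes, result: dict) -> bool:
    """Holder presents salt + result; the relying party recomputes and compares to the anchor."""
    return secrets.compare_digest(anchor, digest(salt + canonical(result)))


def linkable(anchor: bytes, candidates: list[dict]) -> bool:
    """Defender's check: can the anchor alone be matched against a small set of
    plausible records? True for an unsalted hash of low-entropy fields."""
    return any(digest(canonical(c)) == anchor for c in candidates)


# Constructed sample: no raw PII, but only a handful of possible values, so the fields are guessable.
RESULT = {"did": "did:example:alice", "kyc_level": 2, "liveness": "pass"}
CANDIDATES = [{"did": "did:example:alice", "kyc_level": lvl, "liveness": lv}
              for lvl in (1, 2, 3) for lv in ("pass", "fail")]

SALT, ANCHOR = commit(RESULT)                   # what goes on-chain
UNSALTED_ANCHOR = digest(canonical(RESULT))     # what must NOT go on-chain

if __name__ == "__main__":
    # After account deletion the issuer holds nothing; only the wallet (salt + result) can still prove.
    print("holder proof ok:", verify(ANCHOR, SALT, RESULT))
    print("unsalted anchor linkable:", linkable(UNSALTED_ANCHOR, CANDIDATES))
    print("salted anchor linkable:", linkable(ANCHOR, CANDIDATES))
```

Erasure then means discarding the off-chain record; the anchor that remains is a commitment, and the salt in the holder's wallet is what keeps it both provable and unlinkable.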
MiCA

Requirement | Solidus Implementation
Article 68 — KYC for VASP operators | KYC Level 2 satisfies MiCA Article 68 identity verification requirements for crypto-asset service providers operating in the EU.
FATF Travel Rule (via MiCA) | Credential attestation model is compatible with FATF Travel Rule originator/beneficiary identification via W3C VC metadata fields.
eIDAS 2

Requirement | Solidus Implementation
EU Digital Identity Wallet (EUDIW) compatibility | W3C VC credentials issued by Solidus are structurally compatible with the EU Digital Identity Wallet (EUDIW) standard. No format conversion required.
Electronic Attestation of Attributes (EAA) | Solidus credentials qualify as Electronic Attestation of Attributes under eIDAS 2, enabling their use in EU-regulated identity workflows.
FATF Travel Rule

Requirement | Solidus Implementation
VASP originator/beneficiary identification | Solidus credentials include VASP-identifiable fields compliant with FATF Recommendation 16 Travel Rule requirements for virtual asset transfers.
Counterparty VASP lookup | Credential attestation model supports counterparty VASP discovery without exposing raw PII in the transaction flow.
BIPA

Requirement | Solidus Implementation
Written informed consent (740 ILCS 14/15(b)) | A signed consent transaction is required on-chain before any biometric processing begins. Consent is cryptographically verifiable and timestamped.
Biometric data retention prohibition | Facial biometrics are processed in memory only. No facial template, biometric identifier, or biometric information is written to any storage medium.
Destruction schedule | As no biometric data is retained, no retention schedule is required. BIPA §15(e) is satisfied by architectural non-retention.

Audit Roadmap

Solidus is pre-mainnet. Independent audits are scoped, scheduled, and will be published in full when complete. We do not list audits that have not happened.

BBS+ Selective Disclosure Audit

Cryptographic review of BBS+ over BLS12-381 issuer + verifier flows (live on testnet since May 2026)

Planned Q3 2026 · NLnet / NGI Zero work-package

Protocol Security Audit

Validator consensus, on-chain credential issuance, slashing logic

Engagement in progress with Trail of Bits / Sigma Prime · estimated 10-12 weeks · the critical path ("long pole") to mainnet

For audit-related inquiries: [email protected]

Responsible Disclosure

We take security seriously. If you discover a vulnerability in Solidus Verify, report it responsibly. We commit to acknowledging reports within 24 hours and resolving critical issues within 7 days. We will not pursue legal action against good-faith security researchers.

24-hour acknowledgment guaranteed
7-day resolution target for critical issues
No legal action against responsible researchers
Severity | Reward
Critical (RCE, auth bypass) | Up to $10,000
High (data exposure, privilege escalation) | $2,500
Medium (CSRF, stored XSS) | $500
Low (information disclosure) | Acknowledgment

Security reports: [email protected] · PGP key available on request · Response within 24 hours

Powered by the Protocol

Solidus Verify is one product on the Solidus Network.

Explore the consensus, the validator economics, and the 15 other products on the same identity layer.