V-ID CUSTOMER RESPONSIBILITIES
V-ID expects each of its customers to act as a data controller for any personal data that is entered into a V-ID configured platform. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. V-ID is a data processor and processes personal data on behalf of the data controller when the controller is using the V-ID Platform.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
V-ID PLATFORM AND GDPR
V-ID has implemented appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.
Blockchain solutions like V-ID store the SHA256 hash of a file in one or more blockchains. Using this method, it is possible to check whether the content of a copy has changed compared to the original file by verifying its hash.
A hash is often described as a digital fingerprint of a file. SHA256 hashing is a one-way transformation of data into an unreadable piece of data. The hash value consists of 256 bits, written as a string of 64 hexadecimal characters.
During the validation process all sensitive data remains on the client side. For additional security, hashes are peppered and salted on several levels.
More on V-ID, blockchain and GDPR Compliance.
During the verification process the hash of the offered file is calculated client side. Again, the V-ID platform does not handle the actual content of the file.
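The registration and verification flow described above, as an added example that is not V-ID's own code. The page does not say how salts and peppers are applied, so the HMAC construction, the function names and the sample data here are assumptions.

```python
import hashlib
import hmac
import io
import secrets

CHUNK = 64 * 1024  # read size, so large files are never held in memory whole


def file_digest(stream):
    """SHA-256 of the file content, computed where the file lives (client side)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.digest()


def anchor_value(digest, salt, pepper):
    """Assumed construction: HMAC-SHA256 keyed with the pepper over salt || digest."""
    return hmac.new(pepper, salt + digest, hashlib.sha256).hexdigest()


def register(stream, pepper):
    """Return the only data that leaves the client: a random salt and the anchor."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "anchor": anchor_value(file_digest(stream), salt, pepper)}


def verify(stream, record, pepper):
    """Recompute the anchor for an offered copy and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = anchor_value(file_digest(stream), salt, pepper)
    return hmac.compare_digest(candidate, record["anchor"])


def demo():
    pepper = b"constructed-demo-pepper"           # constructed secret, kept off-chain
    original = b"Diploma: J. Doe, MSc, 2019\n"     # constructed sample file content
    tampered = b"Diploma: J. Doe, PhD, 2019\n"
    first = register(io.BytesIO(original), pepper)
    second = register(io.BytesIO(original), pepper)
    return {
        "original_ok": verify(io.BytesIO(original), first, pepper),
        "tampered_ok": verify(io.BytesIO(tampered), first, pepper),
        "anchor_len": len(first["anchor"]),
        "linkable": first["anchor"] == second["anchor"],
    }


if __name__ == "__main__":
    print(demo())
```

Two registrations of the same file produce different anchors, so stored values cannot be linked to each other, and without the pepper they cannot be matched against guessed documents.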
V-ID employees keep up to date on security and privacy technology and legislation.
V-ID continuously enhances the V-ID Platform to keep security up to date, performs regular security reviews, updates and monitors the security infrastructure, and regularly verifies its policies.
Our contracts clearly and simply outline privacy and data ownership commitments to customers. If needed, we will work with our customers to define specific processing terms and conditions. All data that a user enters into the V-ID platform will only be processed in accordance with the agreed terms and conditions. All V-ID employees have signed a confidentiality agreement.
USE OF SUB-PROCESSORS
V-ID does not use data sub-processors unless explicitly requested by, or mutually agreed with, the customer.
V-ID hosts all solutions in secure, ISO 27001 compliant European (mostly Dutch) data centres. Access to the servers is restricted to authorised personnel only. For each configuration, a distinct and extensive set of user profiles and access roles is configured to control access to and use of data per user.
AVAILABILITY, INTEGRITY, AND RESILIENCE
V-ID hosts all solutions based on highly redundant hardware, providing our customers with maximum protection against system unavailability and loss of data.
Escrow agreements can be contracted to ensure software and data availability in the event of V-ID not being able to deliver its services.
V-ID conducts disaster recovery on a regular basis.
The V-ID platform uses various levels of encryption to protect data from being viewed by unauthorised users.
Data in transit is always SSL encrypted, mostly through HTTPS connections. Encryption schemes are frequently reviewed to stay up to date with the latest security standards and quality. Outdated encryption schemes are deprecated as needed.
V-ID employees have access rights based on their job function and role. Access is granted on a need-to-know basis and regularly reviewed and adjusted.
V-ID constantly scans for platform vulnerabilities using a wide variety of tools and misuse detection systems, including regular penetration testing, brute-force sign-on attempts, DDoS attacks and other techniques that potentially put customer data at risk.
The V-ID platform contains a series of features and functions to protect personal data against unauthorised or unlawful processing. Examples are 2-factor authentication, password strength checking, IP address checking, auto-disabling of profiles after a series of invalid login attempts and monitoring of suspicious logins using a frequently updated set of rules.
DATA RETURN & REMOVAL
Administrators can export and delete data via the V-ID platform at any time during the term of the agreement. All data is linked to user profiles. Depending on the agreed policy, data can be auto-deleted after a period of time. All data that is related to a user can be deleted by deleting the user profile.
"For us the combination of V-ID and LTO Network is a natural one. Not only because of the energetic and open-minded way they handle blockchain projects with their knowledge and experience but also because both of them are fun to cooperate and explore possibilities in the blockchain space with."
Katja van Kranenburg - Hanspians, CMS Law Partner