Trust Model

Every system requires some level of trust. Hadinet Africa is designed to minimize the trust you need to place in any single component. This page explains exactly what you trust each part of the system with.

Trust Summary

| Component | What you trust it with | Trust guarantee |
| --- | --- | --- |
| Your wallet | Your identity (DID). Whoever controls the wallet controls the identity. | Self-custody: you are responsible for securing your private key |
| KYC provider | Seeing your personal documents during verification. They have their own data retention policies. | Regulated third party (Smile ID, Plaid) with established compliance |
| Attestor (TEE) | Briefly processing verification results in memory. Running in a Trusted Execution Environment means even the operator cannot inspect what is happening inside. | Hardware-enforced isolation: the TEE prevents memory inspection |
| Cartesi rollup | Storing your non-PII metadata and ZK proofs. The rollup is deterministic and fraud-provable; validators cannot alter your data. | Deterministic execution plus fraud proofs via Arbitrum |
| IPFS (Pinata) | Storing encrypted document blobs. They cannot decrypt them. | Encryption at rest: data is useless without the decryption key |

Detailed Trust Analysis

Your Wallet

Your wallet is the root of your identity. It holds your private key, from which your DID is derived. If someone gains access to your wallet, they can:

  • Authenticate as you to Hadinet
  • Access your dashboard and vault
  • Initiate new verifications under your DID

They cannot:

  • Change your existing on-chain verifications
  • Decrypt your vault documents (the key is in the TEE, not the wallet)
  • Access your personal data (it was never stored)

Mitigation: Use a hardware wallet, or keep your seed phrase offline and never enter it into a website. Enable any additional security features your wallet offers.

KYC Provider (Smile ID / Plaid)

The KYC provider is the only entity that sees your personal documents. This is a necessary trust requirement — someone must verify your identity to issue a credential.

What the provider knows:

  • Your name, date of birth, and document details (during verification)
  • That you completed a verification session

What the provider does not know:

  • Your wallet address or DID
  • That you are using Hadinet
  • Where your proof will be stored

The provider's access is one-directional: they verify you, but they cannot link you to your on-chain identity.

Attestor (TEE)

The attestor runs in a Trusted Execution Environment — a hardware-isolated secure enclave. It briefly processes your verification result to generate the ZK proof.

What the attestor sees (briefly, in-memory):

  • The verification result from the KYC provider
  • Metadata: country code, verification level, status

What the attestor cannot do:

  • Store personal data (processed in-memory only)
  • Be inspected by the server operator (TEE isolation)
  • Forge a verification (ZK proofs are tied to real TLS sessions)

The TEE guarantee means that even if the server hosting the attestor were compromised, the attacker could not extract data from inside the enclave. This isolation protects what is in the enclave's memory from the host; it does not protect against a bug in the attestor code itself, and it only helps if the enclave is in fact running the attestor code it is expected to run.

Cartesi Rollup

The Cartesi rollup stores your verification records and vault metadata. It runs a deterministic RISC-V Linux VM.

What is stored:

  • Verification status, country code, provider name, level
  • ZK proof data
  • Document vault metadata (file names, types, IPFS references)

What is not stored:

  • Any personally identifiable information
  • Actual document files (those are on IPFS)
  • Encryption keys

The rollup's deterministic execution means every validator node processes the same inputs and arrives at the same state. If any validator publishes incorrect state, it can be challenged through Arbitrum's fraud proof mechanism.

IPFS (Pinata)

Pinata stores your encrypted document files on IPFS via a private gateway.

What Pinata has:

  • Encrypted file blobs (AES-256-GCM)
  • File size and storage metadata

What Pinata cannot do:

  • Read your files (they are encrypted)
  • Link files to your identity (metadata is on-chain, not in IPFS)
  • Decrypt the files (the key is inside the attestor's TEE)

Even if Pinata's storage were breached, the attacker would obtain only encrypted blobs with no way to decrypt them. What such blobs do reveal is their size and when they were stored, which is why the page lists file size and storage metadata among the things Pinata holds.

Trust Minimization Principles

Hadinet follows several principles to minimize the trust you must place in any single entity:

  1. Separation of concerns — No single component has complete information. The KYC provider knows your identity but not your wallet. The rollup knows your wallet but not your identity. The attestor sees the link briefly but does not store it.

  2. Hardware-enforced isolation — The TEE prevents even the system operator from accessing data during processing.

  3. Cryptographic verification — ZK proofs replace trust with math. Instead of trusting someone's claim, you verify a cryptographic proof.

  4. No persistent PII — There is no database of personal data to breach, subpoena, or misuse.

  5. User sovereignty — You control your wallet, your DID, and your on-chain proofs. No one can revoke or modify them.

Next Steps