Compliance
The Document Vault is designed with regulatory compliance as a core consideration. This document outlines how the vault's architecture aligns with data protection regulations, data sovereignty requirements, and institutional compliance obligations.
Data Sovereignty
User Data Sovereignty
The vault enforces user data sovereignty through its architecture:
- User controls access: No one can access a user's documents without their explicit, signed consent. This includes Hadinet operators.
- User controls deletion: Users can delete their documents at any time.
- User controls sharing: Access grants are time-limited, revocable, and auditable.
Jurisdictional Considerations
- Storage location: Encrypted files are stored on IPFS through Pinata. Because only ciphertext is stored, the physical location of the nodes that hold a copy does not expose personal data. IPFS is a public, content-addressed network, so assume the ciphertext itself can be replicated to nodes in any jurisdiction; the protection is the encryption, not the location.
- Processing location: Encryption and decryption occur inside TEEs, so plaintext is handled only within the TEE boundary.
- Metadata location: On-chain metadata is stored on Arbitrum, a public blockchain whose state is replicated worldwide. That metadata therefore contains no PII (see Data Minimization below).
Privacy Protections
The vault implements privacy protections aligned with major data protection frameworks:
Right of Access
Users can view all their documents and metadata through the vault interface at any time. The on-chain audit log provides a complete record of every access grant and revocation.
Right to Erasure
Users can delete any document from the vault. Deletion unpins the file from IPFS and marks the on-chain record as deleted. The on-chain metadata record itself persists (blockchain immutability) but contains no PII. Unpinning does not remove every copy at once: any IPFS node that fetched the block may keep it until its own garbage collection runs, so the encrypted file becomes progressively inaccessible rather than instantly gone. The erasure guarantee therefore rests on the ciphertext being unreadable without the decryption key, not on physical removal of every copy.
Data Minimization
- On-chain metadata stores only minimal fields (document type, CID, encryption parameters, timestamps).
- No file names, file sizes, or document contents are stored on-chain. The CID is a content hash of the encrypted file: it identifies the ciphertext but reveals nothing about the plaintext.
- Institutions can verify attestations on-chain without accessing the underlying documents.
Purpose Limitation
- Access requests must specify a purpose, which is displayed to the user.
- Access grants are time-limited and specific to a document type.
- The on-chain audit trail records the stated purpose for each access grant.
Consent
- All document sharing requires explicit user consent via wallet signature.
- Consent is granular: per document, per institution, with specified duration and purpose.
- Consent can be revoked at any time through access revocation.
Institutional Obligations
Institutions integrating with the Document Vault are expected to:
| Obligation | Description |
|---|---|
| No persistent storage | Decrypted documents should not be stored beyond the access window |
| Purpose limitation | Documents should be used only for the stated purpose in the access request |
| Access logging | Institutions should maintain their own audit logs of document access |
| Breach notification | Institutions should notify Hadinet and affected users of any data breach involving vault documents |
Audit Trail
The on-chain audit trail provides an immutable record of the following vault operations:
| Event | Recorded On-Chain | Visible To |
|---|---|---|
| Document upload | Type, attestation type, timestamp | User, public (non-PII) |
| Document deletion | Deletion flag, timestamp | User, public |
| Access grant | Institution DID, expiration, access type | User, institution, public |
| Access revocation | Institution DID, revocation timestamp | User, institution, public |
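The grant rules above (time-limited, per document type, per institution, with a stated purpose, revocable) and the audit fields in the table are easy to state and easy to get subtly wrong at the boundaries: what happens exactly at expiry, after a revocation, or for a document the user has since deleted. The following Python module is an added example, not Hadinet's code and not a description of its contracts. It models those rules in one place, enforces a field allowlist on the log so that nothing outside the minimal metadata set can be recorded, and walks through one grant's lifecycle with constructed DIDs, CIDs and timestamps. Every identifier in it is hypothetical, and the wallet-signature check on a grant is assumed to have happened before `grant()` is called.

```python
# Added example, not Hadinet code: a hypothetical grant-enforcement model.
# All DIDs, CIDs and timestamps below are constructed for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Allowlist for on-chain log fields: data minimization enforced in code.
ONCHAIN_FIELDS = {"doc_type", "cid", "grant_id", "institution_did",
                  "purpose", "expires_at", "access_type"}


class Decision(Enum):
    ALLOW = "allow"
    DELETED = "deleted"              # unknown CID or deleted document
    NO_GRANT = "no_grant"            # no usable grant from this user
    TYPE_MISMATCH = "type_mismatch"  # grant covers another document type
    EXPIRED = "expired"
    REVOKED = "revoked"


@dataclass
class Grant:
    grant_id: str
    institution_did: str
    doc_type: str
    purpose: str
    issued_at: int    # unix seconds; the user's wallet signature is assumed verified
    expires_at: int
    access_type: str = "read"
    revoked_at: Optional[int] = None

    def live_at(self, now: int) -> bool:
        # Valid from issuance until expiry or revocation, whichever comes first.
        if now < self.issued_at or now >= self.expires_at:
            return False
        return self.revoked_at is None or now < self.revoked_at


class Vault:
    def __init__(self) -> None:
        self.doc_types: Dict[str, str] = {}     # cid -> document type
        self.deleted_at: Dict[str, int] = {}    # cid -> deletion time
        self.grants: Dict[str, Grant] = {}
        self.audit: List[Dict[str, str]] = []   # the on-chain record

    def _log(self, event: str, ts: int, **fields: object) -> None:
        extra = set(fields) - ONCHAIN_FIELDS
        if extra:
            raise ValueError(f"refusing to log non-minimal fields: {sorted(extra)}")
        self.audit.append({"event": event, "ts": str(ts), **{k: str(v) for k, v in fields.items()}})

    def upload(self, cid: str, doc_type: str, ts: int) -> None:
        self.doc_types[cid] = doc_type
        self._log("upload", ts, doc_type=doc_type, cid=cid)

    def delete(self, cid: str, ts: int) -> None:
        self.deleted_at[cid] = ts  # unpinning is an off-chain side effect; only the flag goes on-chain
        self._log("delete", ts, cid=cid)

    def grant(self, g: Grant) -> None:
        if g.expires_at <= g.issued_at or not g.purpose.strip():
            raise ValueError("grant must be time-limited and state a purpose")
        self.grants[g.grant_id] = g
        self._log("grant", g.issued_at, grant_id=g.grant_id, institution_did=g.institution_did,
                  doc_type=g.doc_type, purpose=g.purpose, expires_at=g.expires_at,
                  access_type=g.access_type)

    def revoke(self, grant_id: str, ts: int) -> None:
        g = self.grants[grant_id]
        if g.revoked_at is None:  # idempotent: a second revocation changes nothing
            g.revoked_at = ts
            self._log("revoke", ts, grant_id=grant_id, institution_did=g.institution_did)

    def check_access(self, institution_did: str, cid: str, now: int) -> Decision:
        """May plaintext of `cid` go to `institution_did` at `now`? A past `now` replays
        what the log supported then. Retrievals are not logged on-chain (see the page)."""
        if cid not in self.doc_types or now >= self.deleted_at.get(cid, now + 1):
            return Decision.DELETED
        mine = [g for g in self.grants.values() if g.institution_did == institution_did]
        if not mine:
            return Decision.NO_GRANT
        matching = [g for g in mine if g.doc_type == self.doc_types[cid]]
        if not matching:
            return Decision.TYPE_MISMATCH
        if any(g.live_at(now) for g in matching):
            return Decision.ALLOW
        if any(g.revoked_at is not None and now >= g.revoked_at for g in matching):
            return Decision.REVOKED
        return Decision.EXPIRED if any(now >= g.expires_at for g in matching) else Decision.NO_GRANT


def scenario() -> Tuple[Dict[str, Decision], Vault]:
    """Constructed walk-through of one grant's lifecycle (illustrative values only)."""
    v, uni, other = Vault(), "did:example:university", "did:example:employer"
    v.upload("bafy-diploma-ct", "diploma", ts=1000)
    v.upload("bafy-transcript-ct", "transcript", ts=1000)
    v.grant(Grant("g1", uni, "diploma", "admission eligibility check", 1000, 2000))
    out = {"in_window": v.check_access(uni, "bafy-diploma-ct", 1500),
           "wrong_type": v.check_access(uni, "bafy-transcript-ct", 1500),
           "stranger": v.check_access(other, "bafy-diploma-ct", 1500),
           "at_expiry": v.check_access(uni, "bafy-diploma-ct", 2000)}
    v.revoke("g1", ts=1600)
    out["after_revoke"] = v.check_access(uni, "bafy-diploma-ct", 1700)
    out["replay_before_revoke"] = v.check_access(uni, "bafy-diploma-ct", 1500)
    v.delete("bafy-diploma-ct", ts=1800)
    out["after_delete"] = v.check_access(uni, "bafy-diploma-ct", 1900)
    return out, v
```

Two design points worth noting. Expiry is exclusive and revocation is inclusive (`now >= expires_at` and `now >= revoked_at` both deny), so the boundary second is never ambiguous. Passing a past `now` makes `check_access` a replay of the state the log supported at that moment, which is what an auditor needs when reconciling an institution's own access log against the on-chain trail.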
Audit Log Access
- Users can view their complete audit log in the vault interface.
- Institutions can view audit entries related to their own access requests.
Cross-Border Compliance
For cross-border document verification:
- Data transfer: What crosses borders is ciphertext, which is unintelligible without the decryption key. Many frameworks treat this differently from a transfer of plaintext, but whether encrypted data still counts as personal data depends on the framework and on who can obtain the key, so confirm the position for each jurisdiction involved rather than assuming no transfer has occurred.
- TEE processing: Decryption occurs inside the TEE. The host running the TEE can be chosen for its jurisdiction, so plaintext processing can be kept within a region that data localization rules require.
- Attestation portability: On-chain attestations are globally accessible and verifiable, enabling cross-border verification without moving the underlying document.
Compliance Best Practices for Institutions
- Request only what you need: Use attestation verification (on-chain only) when possible, rather than requesting document access.
- Set minimum access durations: Request the shortest access window that meets your business need.
- Implement proper data handling: Ensure decrypted documents are processed in secure environments and not persisted.
- Maintain audit logs: Keep your own records of all access requests, approvals, and document retrievals.
- Report issues promptly: Notify Hadinet of any compliance concerns or data breach incidents.