At One Identity, we’re empowering the digital world using digital credentials, where identity is the key to claiming ownership. We enable people to access digital services easily, securely and quickly. The information we collect is purely to enable digital identity and credentials.
To provide our One Identity Services, we need to collect certain information from clients or users. The information and actions required are clearly spelled out in our applications and services documentation.
In some circumstances, we may also collect device identifiers, IP addresses, timestamps of when the information was submitted, and the device used to submit that information. This helps us determine whether we are permitted to provide our applications and services in the country in which the user is located and to perform analytics on the stability of our services. Under no circumstances will this information be used for sales and marketing activity.
Sometimes, we receive information we don’t need to provide our One Identity Services. For example, instead of a photo of their identity document, a user might upload a completely unrelated image. When this happens, we seek to delete this data.
Clients are organizations or developers that use our applications or services to verify identity, issue digital credentials, and request or exchange proof of ownership. For identity verification, we will provide the result to our client, and issue a digital credential if the verification passes our checks. The client then decides how they want to proceed with the result and the issued digital credential, within or outside the scope of our applications and services.
Users are individuals whose identity we verify on behalf of our clients, to whom we issue a digital credential, or for whom we facilitate the exchange of proof of ownership.
Data providers are used to provide additional information needed to carry out specific checks. For example, if we need to verify whether an individual is on a sanctions list, we might ask for additional information from the appropriate governmental body.
To issue a digital identity, our client may request information or documentation. Although our One Identity Services allow a document to be uploaded, we strongly encourage our clients to use a third-party mechanism to store and manage the required documents. Our document storage facility is primarily used for clients and users to upload documents related to Identity Verification in our services.
The information collected from our clients and users is primarily used as input to One Identity Services. The collected information may be used to further develop the capabilities of the One Identity Services, train our program to automatically recognize specific patterns and extract key information in documents, perform facial verification, and test the accuracy and stability of the One Identity Services.
We use information to provide and maintain our One Identity Services on behalf of clients and users on the basis that the respective party has consented to the processing or otherwise requested One Identity Services, that the client has a legitimate or lawful reason for requesting One Identity Services, or that the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest.
Besides sharing information with clients, users and data providers, we also share information with external parties that are performing tasks on our behalf (including our affiliates) and with other companies, organizations, government bodies, and individuals where we have a legitimate legal reason for doing so (for example, in connection with any merger or acquisition) or where we have been instructed to share the information on behalf of our clients.
Whenever legally possible, we seek to protect the information by imposing a privacy and security agreement on the recipient of the information. This is particularly important in cases where the recipient is located in a country that has different or lesser privacy laws than those of the country where the information was originally collected. In some cases, however, it’s not possible for us to do so, for example when we have a legal obligation to disclose information to a government authority and that government authority isn’t willing to enter into such contractual safeguards.
Not all information is available for use, and the amount of information we can share with our clients, users and data providers depends on the type of information. Information that we can share with our clients, users and data providers is limited to information and documents provided for identity verification and system-related information. Digital credentials and the private/personal information associated with them are stored in an encrypted wallet; only the owner has access to the wallet and the ability to grant the sharing of the information and digital credential.
One Identity takes appropriate administrative, physical, technical and organizational measures designed to help protect information about users from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction.
However, access to the wallet, digital credential, and personal/private information is only possible for our client or user who possesses the security token (“wallet token”). The security token is unique to each user and we don’t store it. Should a client or user lose the security token, access to the wallet and the information stored in it will be denied, and we won’t be able to recover the security token, wallet, or information. The client or user will need to undergo the same process again to obtain the identity digital credential and other digital credentials.
If you think you have identified a security vulnerability or bug in our One Identity Services, please report it to the One Identity security team at [email protected]
Our data storage is divided into private information, system-related information and public information. Private information, such as a digital credential and the personal information associated with it, is stored in a secure wallet encrypted using a passcode provided by the user or client. The physical wallet file is stored on secure cloud servers, and only the respective user or client has access to the content of the wallet file.
System-related information and uploaded documentation are stored on our secure cloud server in a combination of plain text and encrypted form, depending on the nature and sensitivity of the information.
Public, system-related information (i.e. schemas, credential definitions, etc.) is stored on a public blockchain node maintained by us.
When we are instructed by our client to remove the collected information, we delete your wallet file and uploaded documents. Private or public system-related information will be preserved as it’s not user-identifiable. If you are a user with the same request, please make that request directly to the client that enables your use of our services.
Where we have a legitimate legal reason, we may also store information for longer than described above – for example, where we are under a binding legal order not to destroy information.
As One Identity provides its Services on behalf of its clients, we will not disclose any information related to the services pursuant to a government or law enforcement request unless there is a binding legal order to do so or our client has consented to the disclosure. Further, the information that we can disclose is limited to uploaded documents, system-related information and the encrypted physical wallet file. We won’t be able to provide access to the content of the wallet file unless the affected clients or users consent to the disclosure by providing the security token to decrypt the wallet, or a law enforcement body decrypts the wallet file through means beyond our control and involvement.
If you would like more information about how One Identity collects and uses information, please contact us at [email protected]