Flow of Data: KYC Proof of Personhood

Human ID’s Proof of Personhood via KYC consists of the following components:

User agent (UI)
Human ID server
ID verification provider
Verifier

The flow of data is outlined in the following sequence diagram. Please refer to notes for detailed explanations for relevant parts.

Sequence Diagram

The interaction between User/User agent, Human ID server, IDV Provider, and Verifier spans three main phases:

Phase 1: Initiate ID Verification

User visits /gov-id endpoint
Human ID server creates a session
User makes payment
Server verifies payment and saves transaction hash

Phase 2: Complete ID Verification

Server requests IDV session from provider (Veriff, Onfido, or Facetec)
User submits selfie and identity document
IDV provider returns session result
Result is encrypted client-side
Ciphertext is stored on server

Phase 3: Proof of ID Uniqueness

User generates zero-knowledge proof for uniqueness
Verifier validates the ZKP
Soul-bound token is issued to specified address and chain

Issuance and Proving

Sections 1 and 2 in the sequence diagram constitute issuance, where the user’s private credentials are issued.

Section 3 is proving, where the user proves facts about their issued credentials.

Notes on Handling of User Data by IDV Providers

Following data are requested by IDV providers as photo and/or video stream during the verification process:

Selfie (photo, video stream)
One of the following documents:
- Passport
- Driver License
- Identity Card

Supported IDV Providers

Veriff

Outlines compliances (GDPR, etc.)
Documents data collection, retention, and deletion controls
Provides subprocessor list

Onfido

Maintains privacy policy with compliance certifications
Details collection, processing, security, and storage practices
ISO 27001 certified

Facetec

Has separate site and SDK privacy policies
Encrypts data sent to servers and siloes information without PII storage
Provides GDPR compliance details for EU residents

Notes on Client-Side Encryption of IDV Session Result

IDV provider returns the session result to user.

With Human Wallet: Result is encrypted on client-side using a derivative of the PRF.

With Other Wallets: Result is encrypted with key derived from hash(userSignature(aConstantMessage)) to generate ciphertext.

Notes on Ciphertext and Storage

Only encrypted ciphertext (non-PII) is stored in Human ID database:


{
  "_id": {
    "$oid": "676d..."
  },
  "holoUserId": "f111...",
  "encryptedGovIdCreds": {
    "ciphertext": "0x...",
    "iv": "0x...",
    "_id": {
      "$oid": "676d..."
    }
  },
  "__v": {
    "$numberInt": "0"
  }
}

Notes on Verifier and SBT Issuance

The user submits a zero-knowledge proof of uniqueness to the verifier server. Upon verification, a soulbound token is issued containing the circuit ID, issuer address, expiry, actionNullifier, and ZK proof.