Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
thesiti92 4 hours ago

with all this talk about persona/discord sending identities to the dhs and everything, what steps do you guys take to keep identity information private?

rosasalberto 4 hours ago | parent [-]

I don't have the full context on the Persona/Discord story yet, but our philosophy is that identity providers should be a shield, not a source of risk.

We address this by building privacy-preserving architectures that minimize the data footprint. First, we offer secure, long-term retention so companies don't have to store sensitive PII on their own servers—which are often managed by teams who aren't cybersecurity specialists.

Second, and more importantly, we provide granular data control. Our customers can select exactly which fields they need to keep (e.g., just Name, DOB, and Country) and set the system to automatically purge sensitive assets like ID photos immediately after verification. It’s about ensuring that only the absolute minimum amount of data necessary ever exists in the system.

d1dd40135cfdc5c 4 hours ago | parent [-]

(I want to emphasize that my intention is not to criticize Didit negatively. Rather, I aim to offer constructive feedback.)

IMO, you should spend a lot of time working on your privacy policy. I have identified a few points of concern that you should work on:

1. Your policy is immensely vague. "legally stipulated periods of conservation" means nothing. There are no references to which laws are being referenced, and there are no references to specific timeframes. Concrete detail is most needed here.

2. Under section 4, there is no mention of response timeframes (GDPR mandates 30 days), no indication of what to include in a request, and no acknowledgement of the right to escalate if Didit fails to respond.

3. You mention processing biometric data in passing and note consent as the legal basis. For special category data under GDPR Article 9, this deserves substantially more transparency -- what biometric data, how it is stored, whether it is retained after identity verification, and what happens if consent is withdrawn. One sentence is not adequate.

4. "Didit will have adopted appropriate data protection safeguards in advance" is very vague. You should specify the transfer mechanism and actually identify which third countries are involved.

5. Your legitimate interest claim for contact persons (section 2b) is asserted without any balancing test explanation, which is technically required under the GDPR.

Your information security policy is purely a mission statement. It is only a list of things you intend to do, without any explanation about how you either currently or will implement these things.

For example, "align with the highest standards of security" -- which standards? ISO 27001? SOC 2? NIST? "achieve the fully satisfactory resolution of incidents" -- what constitutes "satisfactory"? What is your incident response process?

If you intend to take data security and privacy seriously, both documents must be improved greatly before I as a consumer would consider handing my data over to this service.

rosasalberto an hour ago | parent [-]

thanks for the feedback! definitively we can improve there!