Verifiables publishes two complementary policies: a company policy covering our general activities, and an application policy detailing data processing by our services.
1. Purpose
This privacy policy describes the commitments of Renaissance SAS (hereinafter "Verifiables", "we", "our", "us") regarding the protection of personal data, in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") and French Law No. 78-17 of 6 January 1978 (Loi Informatique et Libertés).
This policy applies to all personal data processing carried out by Verifiables in the course of its activities, namely:
•processing carried out as data controller, for its own needs (sales management, customer relations, recruitment, website);
•processing carried out as data processor on behalf of its clients, in the context of providing digital trust services.
A separate privacy policy covers the Verifiables applications and services (verification, issuance, API, ...).
2. About Us
Verifiables is a French company specialising in digital identity and verifiable documents. We develop a trust infrastructure compliant with the European eIDAS 2 framework and the regulation on the European Digital Identity Wallet (EUDI Wallet).
Our services include:
•a verification infrastructure for electronic attestations (OID4VP), both online and via proximity (BLE/NFC);
•a secured document verification service including cryptographic verification, scan extraction, and OCR comparison;
•an issuance infrastructure for electronic attestations of attributes (EAA), compliant with OID4VCI, SD-JWT, and mdoc/mDL standards;
•APIs and SDKs for businesses to integrate issuance and verification services.
•Personal data: any information relating to an identified or identifiable natural person.
•Data controller: the natural or legal person that determines the purposes and means of the processing.
•Data processor: the natural or legal person that processes personal data on behalf of the data controller.
•Processing: any operation applied to personal data (collection, recording, storage, consultation, disclosure, erasure, etc.).
•Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
•Client: a legal entity in a contractual relationship with Verifiables.
•Electronic attestation: a cryptographically verifiable digital document, as defined under the eIDAS 2 regulation (EAA, QEAA, PID).
4. Processing as Data Controller
4.1 Purposes and Legal Bases
Purpose
Categories of Data
Legal Basis
Retention Period
Commercial relationship management
Name, email, phone, role, company of client and prospect contacts
Performance of a contract / Legitimate interest (B2B prospecting)
Duration of the relationship + 3 years
Client contract management
Identification data, billing data, contractual history
Performance of a contract / Legal obligation (accounting)
Duration of the contract + 5 years (accounting obligation)
Recruitment
CV, cover letter, candidate identification data
Consent / Legitimate interest
2 years from last contact
Human resources management
Identification data, contractual data, employee administrative data
Performance of the employment contract / Legal obligation
Duration of contract + applicable statutory periods
Website and communications
Browsing data (via cookies), email address (newsletter)
Consent
Browsing data: 13 months; Newsletter: until withdrawal of consent
Customer support
Name, email, content of exchanges
Performance of a contract
Duration of the relationship + 1 year
Security and fraud prevention
Access logs, IP addresses
Legitimate interest
1 year
4.2 Principles Applied
Verifiables applies the following principles to all its processing activities:
•Minimisation: we only collect data strictly necessary for each purpose.
•Storage limitation: data is kept only for the required duration, then deleted or anonymised.
•Accuracy: we implement measures to keep data up to date.
•Transparency: data subjects are informed about the processing that concerns them.
5. Processing as Data Processor
When providing its digital trust services, Verifiables acts as a data processor within the meaning of Article 28 of the GDPR on behalf of its clients (data controllers).
5.1 Our Commitments as Data Processor
Verifiables commits to:
•process personal data only on documented instructions from the client data controller;
•ensure the confidentiality of the data and that its employees are bound by confidentiality obligations;
•implement appropriate technical and organisational security measures (see section 7);
•not engage any sub-processor without the prior written authorisation of the client;
•assist the client in handling data subject rights requests and, where applicable, in carrying out Data Protection Impact Assessments (DPIAs);
•notify the client without undue delay of any personal data breach;
•submit to compliance audits carried out or mandated by the client;
•delete or return all personal data at the end of the service, at the client's choice.
5.2 Records of Processing Activities
In accordance with Article 30 of the GDPR, Verifiables maintains a record of categories of processing activities carried out on behalf of its clients. This record is available upon request (see section 13).
6. Data Recipients
Personal data may be shared with the following categories of recipients:
•Authorised personnel of Verifiables, within the limits of their duties;
•Technical sub-processors providing services essential to our infrastructure (hosting, monitoring, support), bound by strict contractual obligations;
•Competent authorities, where disclosure is required by law or in the context of legal proceedings;
•Partners, where processing requires cooperation with trusted third parties (e.g., KYC providers), subject to appropriate safeguards.
Verifiables commits to sharing data only with recipients that provide sufficient data protection guarantees.
The list of our sub-processors is available upon request (see section 13).
7. Data Security
Data security is central to our activity as a digital trust service provider. Verifiables implements state-of-the-art technical and organisational security measures, including:
•Encryption of data in transit (TLS 1.2+) and at rest;
•Strict access control based on the principle of least privilege, with multi-factor authentication (Passkey/WebAuthn);
•Continuous monitoring of infrastructure and intrusion detection;
•Encrypted and redundant backups, hosted within the European Union;
•Regular penetration testing by independent third parties;
•Ongoing security awareness training for all employees;
•Cryptographic key management in compliance with eIDAS 2 ecosystem requirements.
Our Information Security Policy (PSSI) is based on ISO 27001 and ETSI EN 319 401 standards.
8. International Data Transfers
Personal data is hosted and processed within the European Union.
9. Data Breaches
In the event of a personal data breach, Verifiables commits to:
•detect the incident as quickly as possible through its monitoring tools;
•contain the incident and implement immediate corrective measures;
•assess the risks to the rights and freedoms of data subjects;
•notify the CNIL within 72 hours of becoming aware of the breach, where it is likely to result in a risk to individuals;
•inform data subjects without undue delay where the breach is likely to result in a high risk;
•notify affected clients without undue delay when acting as data processor;
•document the incident (facts, effects, corrective measures) in accordance with GDPR requirements.
10. Data Retention
Retention periods are detailed in the table in section 4.1 for processing carried out as data controller.
For processing carried out as data processor, retention periods are determined by the client data controller and specified in the data processing agreement.
At the end of the retention period, data is:
•securely deleted, or
•irreversibly anonymised.
11. Data Subject Rights
Under the GDPR, any person whose data is processed by Verifiables as data controller has the following rights:
•Right of access (Art. 15): obtain confirmation of processing and a copy of the data;
•Right to rectification (Art. 16): request correction of inaccurate or incomplete data;
•Right to erasure (Art. 17): request deletion of data, subject to legal retention obligations;
•Right to restriction (Art. 18): request restriction of processing in certain cases;
•Right to data portability (Art. 20): receive data in a structured, commonly used format;
•Right to object (Art. 21): object to processing based on legitimate interest;
•Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise these rights, contact us at the address provided in section 13.
Verifiables commits to responding within one month of receiving the request. This period may be extended by two months in cases of complexity or high volume of requests.
If you disagree with how your request has been handled, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr.
12. Cookies
Our website uses cookies.
•Essential cookies: necessary for the website to function, they do not require your consent.
Verifiables does not use advertising cookies.
13. Contact
For any questions regarding this policy or to exercise your rights:
This policy is reviewed at least once a year or upon any significant change in our data processing activities. The date of the last update is indicated at the top of this document.
1. Introduction
This privacy policy describes how Renaissance SAS (hereinafter "Verifiables", "we", "our", "us") collects, uses, stores, and protects personal data in the context of the use of its applications and services, namely:
•the Verifiables Verifier (application for verifying electronic attestations and secured documents);
•the Verifiables Issuer (application for issuing electronic attestations and secured documents);
•the Verifiables API (programming interface for integrating issuance and verification services);
•the document verification service (verification of documents secured with barcodes);
•the Verifiables admin dashboard.
This policy is intended for end users of our applications and for clients integrating our services via API.
It supplements the Verifiables company privacy policy, which covers processing related to commercial relationships and internal activities.
2. Architecture and Core Principles
2.1 Decentralised Identity and Verifiable Documents
Our applications follow the sovereign identity paradigm and cryptographic document verification. This means:
•Verification without intermediary: verifying an electronic attestation or a secured document does not require contacting the issuer, thereby preserving the holder's privacy.
•Selective disclosure: the technologies we implement (SD-JWT, ISO 18013) enable revealing only the strictly necessary attributes during verification.
•Cryptographic verification: document authenticity and integrity are guaranteed by verifiable digital signatures, without requiring a central database.
2.2 Privacy by Design
Privacy protection is built into the design of our applications:
•Data minimisation: we only collect data strictly necessary for the service to function.
•No retention by default: data presented during verification is not retained, unless explicitly configured by the client.
•Systematic encryption: data exchanges between parties are encrypted.
•No traceability: Verifiables has no visibility over the detail of verifications performed by its clients with document holders.
3. Data Processed by Service
3.1 Verifiables Verifier
The verifier enables Verifiables clients to verify electronic attestations and secured documents through multiple channels.
Remote Verification (OID4VP)
Data Category
Description
Storage Location
Retention Period
Presented attestation data
Attributes selectively disclosed by the holder during verification
Memory (not persisted by default)
Duration of the verification session
Verification logs
Result (valid/invalid), timestamp, document type
Verifiables servers (EU)
Configurable by client, no limit by default
Verifier configuration
Verification parameters defined by the client (required attributes, trusted issuers)
Verifiables servers (EU)
Duration of contract
Proximity Verification (BLE/NFC)
Data Category
Description
Storage Location
Retention Period
Presented attestation data
Attributes exchanged via the ISO 18013-5 protocol
Verifier device memory
Duration of the session
Verification logs
Result, timestamp
Verifiables servers (EU)
Configurable by client, no limit by default
Important: by default, data presented during a verification is not retained by Verifiables. If a client configures retention of verified data, they are the data controller and must inform their own users accordingly. Note that under the protocols deployed by Verifiables, the intent to retain data is declared during the document request by the verifier and clearly displayed in the user's wallet interface. Each document presentation requires the user's explicit and selective consent.
3.2 Verifiables Issuer
The issuer enables Verifiables clients to issue verifiable electronic attestations (EAA) to digital wallets, via the OID4VCI protocol.
Data Category
Description
Storage Location
Retention Period
Source data for issuance
Attributes provided by the client data controller to build the attestation (identity, attributes, etc.)
Verifiables servers (EU), encrypted
Time needed for issuance, then deleted unless legally required
Issued attestations
Signed attestations in SD-JWT or mdoc/mDL (ISO 18013) format
Transmitted to the recipient's wallet — not retained by Verifiables after issuance
Not applicable
Signing certificates
Certificates and keys used to sign attestations on behalf of the client
Verifiables servers (EU), protected by hardware encryption
Duration of contract
Issuance logs
Timestamp, attestation type, client identifier (no personal data of the recipient)
Verifiables servers (EU)
Configurable by client, no limit by default
Issuer configuration
Attestation schemas, templates, issuer metadata
Verifiables servers (EU)
Duration of contract
Important: Verifiables acts as a technical processor on behalf of the client who initiates the issuance. The client is the data controller for personal data contained in the attestations. Verifiables does not retain the content of attestations after their transmission to the recipient's wallet.
3.3 Document Verification Service (VDS)
The service enables verification of French secured documents (invoices, proof of address, identity documents, etc.) bearing a VDS-type barcode compliant with the ANTS/AFNOR/ISO specification.
Data Category
Description
Storage Location
Retention Period
Barcode content
Data encoded in the barcode (identity, address, or other attributes depending on document type)
Memory (not persisted by default)
Duration of request processing
Document image (scan/comparison)
Image submitted for OCR extraction and comparison with barcode content
Memory only — no disk storage
Duration of request processing
Verification result
Signature validity, data integrity, OCR comparison result
Verifiables servers (EU)
Configurable by client, 90 days by default
Call logs
Timestamp, document type, response code (no personal data from the document)
Verifiables servers (EU)
Configurable by client, no limit by default
Specific guarantees for the document verification service:
•Document images submitted for scanning or comparison are processed exclusively in memory and are never stored on disk or in a database.
•Personal data contained in the cryptographic barcode (name, address, etc.) is not retained beyond the time needed to process the request.
•Cryptographic verification relies on certificates published by ANTS (Agence Nationale des Titres Sécurisés), the ISO standard, and the ETSI Trust Service List (TSL) standard.
•No copy of verified documents is retained by Verifiables.
3.4 Verifiables API and SDK
The API and SDK enable clients to integrate issuance (OID4VCI) and verification (OID4VP, documents, proximity) services into their own applications.
Data Category
Description
Storage Location
Retention Period
Secret API keys
Server-side client authentication identifiers, used for privileged operations
Verifiables servers (EU), encrypted
Duration of contract
Publishable API keys
Client-side identifiers (SDK, front-end applications), restricted by domain or application — cannot access sensitive data or perform privileged operations
Verifiables servers (EU)
Duration of contract
Data submitted for verification
Documents or barcodes submitted for verification
Memory (not persisted by default)
Duration of request processing
API call logs
Endpoint called, timestamp, response code, IP address
Verifiables servers (EU)
1 year
Usage statistics
Issuance and verification volumes, aggregated and anonymised
Verifiables servers (EU)
Duration of contract
Secret keys vs. publishable keys: Verifiables distinguishes two types of API keys. Secret keys are reserved for server-to-server communications and must never be exposed client-side. Publishable keys are designed to be embedded in the SDK and front-end applications; they are restricted by origin domain and only grant access to client-side verification operations, without being able to access sensitive data, configurations, or administration operations.
3.5 Admin Dashboard
Data Category
Description
Storage Location
Retention Period
Administrator account
Identifier, WebAuthn Passkey
Verifiables servers (EU)
Duration of contract
Administration logs
Actions performed, timestamp, IP address
Verifiables servers (EU)
1 year
Configuration
Attestation templates, data sources, API keys, trusted issuers
Verifiables servers (EU)
Duration of contract
4. Legal Bases for Processing
Processing
Legal Basis
Attestation issuance (issuer)
Performance of a contract
Attestation verification (OID4VP, proximity)
Performance of a contract / Legitimate interest of the verifier
Secured document verification
Performance of a contract
Hosting of certificates and signing keys
Performance of a contract
Connection and security logs
Legal obligation / Legitimate interest (security)
Aggregated usage statistics
Legitimate interest (service improvement)
Administrator authentication (WebAuthn)
Performance of a contract
5. Application Data Security
5.1 Data Protection at Rest
•Persisted data on our servers is encrypted at rest (aes-xts-plain64).
•Backups are encrypted and stored within the European Union.
•API keys and secrets are stored securely and never exposed in plaintext.
5.2 Data Protection in Transit
•All communications use TLS 1.2 as a minimum.
•Proximity exchanges (BLE/NFC) use the security protocols defined by ISO 18013-5 (mDL).
The OID4VP, OID4VCI, and ISO 18013 protocols require the use of certificates and cryptographic keys to sign attestations, verification requests, and protocol responses.
•Private signing keys are hosted in France and protected by combined hardware and software encryption mechanisms.
•Access to keys is strictly limited to automated cryptographic operations; no human operator has access to keys in plaintext.
•Keys are subject to rotation and revocation policies.
•Corresponding public certificates are exposed via standards-compliant endpoints (JWKS, issuer/verifier metadata) to enable third-party verification.
5.4 Authentication
•Admin dashboard: multi-factor authentication via Passkey (WebAuthn).
•API: authentication via secret API keys with rotation support.
•SDK: authentication via publishable keys, restricted by origin domain, granting access only to client-side verification operations.
•Cryptographic verification: trust chains (certificates, ETSI TSL lists) are verified on every operation.
5.5 Environment Segregation
Development, testing, and production environments are strictly separated. Development and testing environments use fictitious data.
6. Data Transfers
6.1 During Remote Verification
When a holder presents an attestation to a verifier (via the OID4VP protocol), the transfer occurs between the holder's wallet and the verification infrastructure. Only the attributes selected by the holder are transmitted.
6.2 During Document Verification
Data is submitted by the client via the API (document image or barcode content), processed in memory, and the result is returned to the client. No document data is retained.
6.3 During Attestation Issuance
When a client issues an attestation via the OID4VCI protocol, the data provided by the client is used to construct the signed attestation, which is delivered to the recipient's wallet. Source data is not retained beyond the issuance duration.
6.4 Hosting
All data processed by our servers is hosted within the European Union. No transfers outside the EU are made.
7. Data Recipients
In the context of operating its applications and services, data processed by Verifiables may be accessible to the following categories of recipients:
•Authorised personnel of Verifiables: employees who need access to data for operating, maintaining, and supporting the services, within the limits of their duties and under confidentiality obligations.
•Technical sub-processors: providers supplying services essential to the operation of the infrastructure (hosting, storage, compute), bound by strict contractual obligations compliant with Article 28 of the GDPR (see section 9).
•Competent authorities: judicial, administrative, or regulatory authorities, where disclosure of data is required by law or in the context of legal proceedings.
•Clients (data controllers): Verifiables clients access verification results and logs of their own operations via the API and admin dashboard.
•Third-party verifiers: during an attestation presentation (OID4VP or proximity), the verifier designated by the holder receives the selectively disclosed attributes. This transfer is initiated by the holder and requires their explicit consent.
Verifiables commits to sharing data only with recipients that provide sufficient data protection guarantees and to ensuring confidentiality throughout the processing chain.
8. Data Subject Rights
8.1 For End Users (Document Holders)
Individuals whose data is contained in verified documents have the rights provided under the GDPR. However, in most cases, Verifiables is not the data controller for such data:
•During verification, Verifiables acts as a technical processor on behalf of the client who initiated the verification. Data subject rights requests should be directed to the relevant client.
•Document verification and OID4VP verification data is not retained by default, which limits the scope of exercisable rights.
8.2 For Clients and Administrators
Clients and administrators have all GDPR rights for data that directly concerns them (account, logs, configuration):
•Right of access (Art. 15);
•Right to rectification (Art. 16);
•Right to erasure (Art. 17);
•Right to restriction (Art. 18);
•Right to data portability (Art. 20);
•Right to object (Art. 21).
To exercise these rights, contact us at the address provided in section 11.
Response time: one month, extendable to three months in complex cases.
If you disagree, you may lodge a complaint with the French Data Protection Authority (CNIL): www.cnil.fr.
9. Technical Sub-processors
Verifiables uses the following technical sub-processors to operate its services:
Sub-processor
Purpose
Data Location
Scaleway SAS (Paris, France)
Server infrastructure hosting, storage, compute services
European Union (France)
Each sub-processor is bound by a data processing agreement compliant with Article 28 of the GDPR. The up-to-date list is available upon request (see section 11).
10. Changes to This Policy
This policy is reviewed at least once a year or upon any significant change to our applications or processing activities.
Clients are informed of material changes via email or through the admin dashboard.
The date of the last update is indicated at the top of this document.
11. Contact
For any questions regarding this policy or to exercise your rights:
