Technical description of Strong Verification, data processing and storage
Overview of the Strong Verification process
When you initiate Strong Verification, the following steps take place:
1. We call an Application Programming Interface (API) for the Iris ID application to initiate a biometric passport
read. Iris ID is a trusted third party application developed by Iris Development AB, a Swedish company.
2. When you scan the Machine Readable Zone (MRZ) on your passport, the information it contains is used to authenticate
to your passport's chip. The chip then responds to the application with the information stored on it.
3. Your data is temporarily uploaded to Iris ID so that it can be cryptographically verified and sent back to our
backend server. As per their Privacy policy, Iris Development AB does not store the biometric data from your passport
for longer than 24 hours.
4. Once our backend server is notified that you have completed scanning your passport, we retrieve the data from Iris
ID, encrypt the most sensitive parts, and store it in the database.
What data is processed and stored, and where?
There are three relevant ways in which your data is processed and stored.
We use a trusted third party application, Iris ID by Iris Development AB, to complete the reading of biometric data. As
per their Privacy policy, Iris Development AB does not store the biometric data from your passport for longer than 24
hours.
When you complete Strong Verification, the following data is generally retrieved: names, country/nationality, sex, date
of birth, passport number, passport expiry date, issuer and issuing country, and passport portrait. This data is
encrypted with an asymmetric keypair in such a way that the server itself can no longer decrypt or read it. There is
still a mechanism for this data to be decrypted and retrieved manually if need be.
The following information is stored on the server for continued verification purposes: nationality, sex, date of birth,
passport expiry date, and the last three digits of the passport number.
Finally, the following "minimal data" is stored for all successful verifications: passport nationality, passport expiry
date, and the last three digits of the passport number.
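The following Go program is an added illustration of the storage model described in the two paragraphs above; it is not Couchers' own code, and the field names, the RSA-OAEP key wrapping combined with AES-256-GCM, the OAEP label and the sample passport values are all assumptions constructed for the example. The server holds only the public key, so once it has sealed a record it can no longer read the sensitive fields back; the three "minimal data" fields are kept in the clear beside the sealed blob, and the manual retrieval path needs the private key, which is held off the server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// PassportData holds the fields the page lists as retrieved after a passport read.
type PassportData struct {
	Names          string `json:"names"`
	Nationality    string `json:"nationality"`
	Sex            string `json:"sex"`
	DateOfBirth    string `json:"date_of_birth"`
	PassportNumber string `json:"passport_number"`
	Expiry         string `json:"expiry"`
	Issuer         string `json:"issuer"`
	IssuingCountry string `json:"issuing_country"`
	Portrait       []byte `json:"portrait"`
}

// SamplePassport is a constructed record; none of these values are real.
var SamplePassport = PassportData{
	Names: "Anna Example", Nationality: "SWE", Sex: "F", DateOfBirth: "1990-01-02",
	PassportNumber: "XA0123789", Expiry: "2031-05-04", Issuer: "Polisen",
	IssuingCountry: "SWE", Portrait: []byte("constructed-portrait-bytes"),
}

// StoredRecord is what the database keeps for one verification. The minimal data
// stays in the clear (it is needed for the ban check and is never deleted); the
// deletable fields used for continued verification (sex, date of birth) are
// omitted here for brevity, and everything sensitive lives only inside the blob.
type StoredRecord struct {
	Nationality   string
	Expiry        string
	PassportLast3 string
	WrappedKey    []byte // per-record AES key, RSA-OAEP encrypted to the offline public key
	Nonce         []byte
	Ciphertext    []byte // AES-256-GCM over the JSON-encoded PassportData
}

// oaepLabel binds the wrapped key to this purpose; the value is hypothetical.
var oaepLabel = []byte("strong-verification-record-key")

// GenerateOfflineKeypair stands in for the keypair whose private half is kept
// off the server by the people authorised to perform manual retrieval.
func GenerateOfflineKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func lastN(s string, n int) string {
	if len(s) <= n {
		return s
	}
	return s[len(s)-n:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the server-side path: it needs only the public key, so after the record
// is written the server cannot recover the sensitive fields from the database.
func Seal(pub *rsa.PublicKey, d PassportData) (StoredRecord, error) {
	plaintext, err := json.Marshal(d)
	if err != nil {
		return StoredRecord{}, err
	}
	key := make([]byte, 32) // fresh data key per record
	if _, err := rand.Read(key); err != nil {
		return StoredRecord{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{
		Nationality: d.Nationality, Expiry: d.Expiry, PassportLast3: lastN(d.PassportNumber, 3),
		WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open is the manual retrieval path. It requires the private key and fails closed
// if the stored blob or wrapped key has been altered.
func Open(priv *rsa.PrivateKey, r StoredRecord) (PassportData, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, oaepLabel)
	if err != nil {
		return PassportData{}, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return PassportData{}, err
	}
	plaintext, err := gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return PassportData{}, fmt.Errorf("decrypt record: %w", err)
	}
	var d PassportData
	err = json.Unmarshal(plaintext, &d)
	return d, err
}

func main() {
	priv, err := GenerateOfflineKeypair()
	if err != nil {
		panic(err)
	}
	rec, err := Seal(&priv.PublicKey, SamplePassport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("in clear: %s %s ...%s; sealed blob %d bytes\n", rec.Nationality, rec.Expiry, rec.PassportLast3, len(rec.Ciphertext))
	d, err := Open(priv, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("manual retrieval recovered:", d.Names, d.PassportNumber)
}
```

The per-record data key is what lets the public key stay the only key material on the server: the server generates the key, uses it once, wraps it to the offline public key and discards it, so a database dump yields only the minimal data and opaque blobs.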
You can delete your biometric data, and the data required for continued verification, from the server at any time in
Strong Verification settings. However, the minimal data consisting of the passport nationality, expiry date, and the
last three digits of the passport number cannot be removed. This data is used to guarantee that individuals who have
been banned from the platform cannot delete their data, create a new account, and verify it again. We believe this is
an appropriate compromise between providing a safe platform for our users and not storing sensitive personal information
beyond what you wish to share with the platform and other users.
Who has access to the decryption keys for the encrypted data, and under what circumstances will this data be used?
The Board of Directors of Couchers, Inc., the 501(c)(3) non-profit operating Couchers.org, has the discretion to decide
who has access to the decryption keys for the data. The data is only used for verification, and in the event that we
need to collaborate with a criminal investigation.
Currently only Aapeli Vuorinen (co-founder and tech lead) has access to the decryption keys.