At SOBA Network, the security of your data and the privacy of your users are the foundations of our platform. We are committed to maintaining the highest standards of information security through rigorous technical and organizational measures aligned with EU regulatory expectations.
1. Industry-Leading Compliance & Attestations
We validate our security posture through continuous adherence to global and European standards:
- SOC 2 Type II & ISO/IEC 27001 (Information Security Management)
- GDPR & UK GDPR Compliant
- EU AI Act Ready: Categorizing our biometric verification as a “High-Risk” AI system and applying the required data governance and transparency protocols.
- UKDIATF (UK Digital Identity and Attributes Trust Framework)
2. Technical Security & Privacy Engineering
SOBA Network uses Multi-Party Computation (MPC) so that biometric data is processed as secret shares spread across independent nodes rather than decrypted in one place. Conventional encryption protects data at rest and in transit; secret sharing extends that protection to data while it is being used.
- Semi-Honest (Passive) MPC Model: Our protocol operates under a semi-honest security model: nodes are assumed to follow the protocol but may try to learn what they can from the messages they see. Because each biometric input is split into shares, no single node, and no colluding subset of nodes below the protocol's reconstruction threshold, can recover the original biometric input. This model guarantees confidentiality against nodes that follow the protocol; it does not by itself address a node that deviates from it.
- Pseudonymization & Data Minimization: Under GDPR Article 4(5), we classify the processed data as pseudonymized. By using MPC, we ensure that raw biometric templates are never stored. Instead, each node stores only its own shard, which on its own carries no information about the template, satisfying the “Privacy by Design” requirement of GDPR Article 25.
- The MPC Advantage: Unlike a traditional centralized database, our decentralized sharding leaves no central honeypot for attackers. Compromising fewer nodes than the reconstruction threshold yields no usable personal data.
3. EU Data Sovereignty & Localization
To comply with the “Schrems II” ruling (CJEU case C-311/18) and EU data transfer requirements:
- EEA Data Residency: For EU-based clients, all MPC nodes and backup fragments are hosted within the European Economic Area (EEA) using localized Azure regions (e.g., Germany West Central or France Central).
- International Data Transfers: Any cross-border data flows are governed by Standard Contractual Clauses (SCCs) and rigorous Transfer Impact Assessments (TIAs).
4. Algorithmic Transparency & Human Oversight (EU AI Act)
As our network involves biometric identity verification, we adhere to the transparency requirements of the EU AI Act:
- Automated Decision-Making (Art. 22 GDPR): Users are informed of the logic involved in the biometric match. We provide a clear path for human intervention if a user contests an automated verification result.
- Bias Mitigation: We perform regular audits on our matching algorithms to ensure equitable performance across different demographics, preventing algorithmic discrimination.
5. Resilience, Incident Response & NIS2 Compliance
In alignment with the NIS2 Directive for digital service providers:
- Incident Reporting: We maintain a 72-hour notification protocol for “significant incidents” to the relevant National Competent Authority and affected clients.
- Disaster Recovery: Daily encrypted backups are stored in the EEA with 90-day retention and quarterly “cold-site” restoration tests.
6. Logical Access & Sub-processor Management
- Zero-Trust Architecture: Access to production environments is restricted via MFA and Just-In-Time (JIT) provisioning.
- Sub-processor Transparency: We maintain a publicly available list of sub-processors. All third-party vendors undergo a Data Protection Addendum (DPA) review and security risk assessment before integration.
- Right to Erasure (Right to be Forgotten): Our MPC architecture supports the cryptographic deletion of shards. When a user requests deletion, their shards are removed from the nodes; once fewer shards remain than the reconstruction threshold, the biometric template is mathematically unrecoverable across the network.
7. Organizational & Physical Safeguards
- DPO Oversight: Our designated Data Protection Officer (DPO) conducts annual Data Protection Impact Assessments (DPIAs) for all high-risk processing activities.
- Security Training: Mandatory bi-annual security awareness training for all staff, including specific modules on GDPR and social engineering.
Below is an overview of our security framework. For specific inquiries or more detailed documentation, please contact us at info@SOBA.Network.
1. Industry-Leading Compliance & Attestations
We validate our security posture through continuous adherence to global standards, ensuring your organization meets its own regulatory requirements. SOBA Network is fully compliant with:
- SOC 2 Type II
- GDPR (General Data Protection Regulation)
- UKDIATF (UK Digital Identity and Attributes Trust Framework)
2. Technical Security & Infrastructure
SOBA Network uses Multi-Party Computation (MPC) to handle sensitive user data both in use and at rest: data is processed as secret shares held by independent nodes, so it is never decrypted in one place. Conventional encryption alone cannot offer this for data in use.
- Malicious Adversarial Model: Our protocol is designed to operate under a “malicious adversary” security model. Unlike the semi-honest model, which assumes nodes follow the rules, this stronger standard ensures that the privacy and integrity of personal data are maintained even if a node (or a group of nodes below the protocol's corruption threshold) deviates from the protocol or acts with malicious intent.
- Pseudonymization of Personal Data: By utilizing MPC, personal data is never processed or stored in a centralized, readable format. Instead, data is mathematically fragmented (secret-shared) across independent nodes. No single entity, including SOBA Network, holds enough fragments to reconstruct or identify the original biometric information; under GDPR Article 4(5) this is pseudonymization, as described in Section 2 above.
- Decentralized Verification: Verification processes (such as Proof of Humanhood) are computed on the shares themselves, so the relying organization receives only the verification result and never comes into contact with the user's raw personal or biometric identifiers.
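The following is an added illustration of the secret-sharing idea behind both MPC passages in Section 2 (the semi-honest and the malicious-model descriptions). It is not SOBA Network's code and does not describe their actual protocol. It assumes additive n-of-n sharing over a prime field with a modulus P chosen for illustration, three nodes, and a constructed four-element "template"; real templates are far larger and real deployments use threshold schemes and authenticated shares. It shows three things the text states: every node's shard alone is useless, nodes can compute on shards without reassembling the input, and deleting one node's shard makes the template unrecoverable.

```python
"""Additive secret sharing as a toy model of 'fragmented' biometric data.
Illustrative example only; not SOBA Network's implementation."""
import secrets

# Field modulus (assumption: a 61-bit Mersenne prime, chosen for illustration).
P = (1 << 61) - 1


def share_vector(values, n_nodes):
    """Split a vector into n_nodes additive shares: node i receives shares[i].
    The first n-1 shares are uniformly random; the last one fixes the sum, so any
    n-1 shares are independent of the secret."""
    if n_nodes < 2:
        raise ValueError("need at least two nodes")
    shares = [[0] * len(values) for _ in range(n_nodes)]
    for j, v in enumerate(values):
        acc = 0
        for i in range(n_nodes - 1):
            r = secrets.randbelow(P)
            shares[i][j] = r
            acc = (acc + r) % P
        shares[n_nodes - 1][j] = (v - acc) % P
    return shares


def reconstruct(shares):
    """Coordinate-wise sum of all shares; correct only when every share is present."""
    dim = len(shares[0])
    return [sum(s[j] for s in shares) % P for j in range(dim)]


def to_signed(x):
    """Map a field element back to a small signed integer."""
    return x - P if x > P // 2 else x


def local_subtract(share_a, share_b):
    """A node subtracts its shards of two vectors locally. The result is a valid
    shard of (a - b); no communication and no reconstruction is needed."""
    return [(a - b) % P for a, b in zip(share_a, share_b)]


def consistent_completions(partial_shares, candidates):
    """Given all shards but one, return the missing shard that would explain each
    candidate secret. Every candidate has exactly one consistent completion, so the
    partial view carries no information about the secret."""
    partial_sum = sum(partial_shares) % P
    return {c: (c - partial_sum) % P for c in candidates}


def demo(n_nodes=3):
    enrolled = [17, 42, 3, 99]  # constructed sample template (assumption)
    probe = [17, 40, 3, 99]     # constructed sample probe (assumption)
    enrolled_shares = share_vector(enrolled, n_nodes)
    probe_shares = share_vector(probe, n_nodes)

    # Each node works only on its own shards; the template is never reassembled.
    diff_shares = [local_subtract(enrolled_shares[i], probe_shares[i])
                   for i in range(n_nodes)]
    difference = [to_signed(x) for x in reconstruct(diff_shares)]

    # A coalition of n-1 nodes (all but node 0) inspects coordinate 1 of the
    # enrolled template. This is also the view left behind once node 0 has
    # deleted its shard: every value in 0..255 remains equally possible.
    coalition_view = [enrolled_shares[i][1] for i in range(1, n_nodes)]
    completions = consistent_completions(coalition_view, range(256))
    partial_reveals_nothing = len(set(completions.values())) == 256

    return {"difference": difference,
            "partial_reveals_nothing": partial_reveals_nothing}


if __name__ == "__main__":
    print(demo())
```

The subtraction step is the kind of linear operation a semi-honest MPC can do with no interaction; comparisons and multiplications require additional protocol rounds that this example omits. Under the malicious model described above, a node that returns a corrupted shard would silently corrupt the reconstructed difference here, which is why protocols for that setting attach integrity checks (authenticated shares) to every shard; those checks are not shown.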
We also utilize industry-standard encryption and resilient infrastructure to protect all data at rest and in transit.
- Data Encryption: All data is encrypted at rest using AES-256 and in transit via TLS 1.2+.
- Secure Connectivity: We employ secure protocols (HTTPS) and encrypted network connections (VPN, IPsec) for all data transfers.
- Continuous Testing: Our systems undergo regular vulnerability assessments and external penetration testing to proactively identify and mitigate risks.
- System Integrity: We maintain up-to-date antivirus, anti-malware, and firewall protections across all networks and devices.
3. Resilience and Data Recovery
Our backup and disaster recovery protocols ensure that your data remains available and resilient against physical or technical incidents.
- Daily Backups: We perform full daily backups of all production systems, stored encrypted on Azure infrastructure.
- Integrity Verification: Our engineering teams periodically test restoration procedures to ensure backup validity.
- Retention: We maintain a default backup retention period of 90 days.
4. Logical Access Controls
We enforce strict “least privilege” access to ensure that personal data is only handled by authorized personnel.
- Identity Management: All system access requires Multi-Factor Authentication (MFA/2FA) and adheres to a complex password policy.
- Access Auditing: We maintain comprehensive logs of processing operations, which are available to customers upon request through our support team.
- Device Security: Work devices are managed by SOBA Network and configured to automatically lock after 10 minutes of inactivity.
- Network Isolation: Guest access is restricted to dedicated wireless networks, completely isolated from internal production systems.
5. Organizational & Physical Safeguards
Security is woven into our company culture through rigorous training and physical oversight.
- Expert Oversight: Our dedicated Data Protection Officer (DPO) monitors and audits our overall compliance.
- Employee Training: All staff undergo regular training on data protection, information security, and incident response.
- Physical Security: Our offices are secured via personalized 2FA access, perimeter controls, and on-site camera surveillance.
- Visitor Protocols: All guests must be signed in, wear identification badges, and remain accompanied by a SOBA Network employee at all times.