Become an enrollment node.
Civic Anchor expands trust through a distributed network of enrollment operators — from telcos and banks to spaza shops and NGOs. This guide covers every institution class, its trust weight, required evidence, and POPIA obligations.
What is a Civic Anchor operator?
An operator is a legal entity that enrolls natural persons into the Civic Anchor trust layer on behalf of Civic Anchor. Under POPIA s55, operators process personal information only on Civic Anchor's documented instructions, for the sole purpose of issuing a citizen's first Verifiable Credential and anchoring their Decentralised Identifier (DID).
Each enrollment is co-signed by the operator's HSM-issued institutional signing key. The key's trust weight flows into the enrollee's Civic Trust Score — a telco anchor carries more scoring weight than a spaza shop anchor, because the telco holds a regulator-issued licence. Enrollees who build anchors across diverse institution tiers receive a diversity multiplier bonus.
Operators do not retain raw biometrics, private keys, phone numbers in plaintext, or nationality data. The architecture is designed so that a full compromise of operator premises and devices cannot expose that class of personal information.
Tier 1 — Anchor nodes
High regulatory weight per enrollment. Regulator-issued licences or MoUs required. No two-person cosign requirement. Trust weights from 0.70 to 1.00.
| Class | Trust weight | Required evidence |
|---|---|---|
Telco Vodacom, MTN, Cell C, Telkom | 100% |
|
Bank Capitec, TymeBank, FNB, Standard Bank | 100% |
|
Government DHA, SARS, SARB (Year 3+) | 100% |
|
Retailer Registered retail outlets | 70% |
|
Employer (general) SME + enterprise employers | 80% |
|
Verifying Authority MIE, LexisNexis, AfriGIS, iFacts Bridge issuer for CriminalClearanceVC; holds delegated SAPS / ZRP CRC mandate. | 90% |
|
Tier 2 — Reach nodes
Already in front of the underserved population. Spaza shops, religious organisations, NGOs, unions, and stokvels. Per-node daily caps and the two-person cosign rule apply to the highest-collusion-risk classes.
| Class | Trust weight | Required evidence |
|---|---|---|
Informal retail Spaza shops, kiosks (~150k nationally) | 35% |
|
Religious organisation ZCC, Methodist, Catholic, SADC migrant churches 200/day cap applies to registered drive days only. | 50% |
|
NGO / PBO Scalabrini, Lawyers for Human Rights, Black Sash | 65% |
|
Trade union NUM, NUMSA, SADTU, COSATU affiliates | 55% |
|
Stokvel NSO-affiliated registered savings groups | 30% |
|
Tier 2b — Captive nodes
Workforce drives and platform onboarding. Employer HR records provide the paper trail that makes two-person cosign redundant. Seasonal-batch and onboarding-day caps can be configured per operator.
| Class | Trust weight | Required evidence |
|---|---|---|
Corporate employer Shoprite, PnP, Massmart, Premier, Tiger Brands | 80% |
|
Mining employer Sibanye, Anglo, Impala | 85% |
|
Agricultural employer ZZ2, Karsten, commercial farms | 70% |
|
Gig platform Bolt, Uber, Mr D, SweepSouth Enrollment must be offered as one option among others at worker onboarding; decline must not block platform access. | 60% |
|
Educational institution Universities, TVETs, registered learnerships | 65% |
|
Tier 3 — Compliance nodes
Legally entangled with identity. Refugee offices, border posts, postal services, SASSA pay-points, and health facilities. Slow to onboard; highest trust signal per enrollment. Government authorisation letter and MoU required.
| Class | Trust weight | Required evidence |
|---|---|---|
Refugee reception office DHA Refugee Reception (Marabastad, CT, Durban, Musina) Enrollment must be separated in time and space from the permit interview. | 95% |
|
Border post Beitbridge, Lebombo, Maseru Bridge, Oshoek | 90% |
|
Postal service SAPO branches | 75% |
|
Social grant office SASSA pay-points Enrollment must not be a condition of grant access. | 80% |
|
Health facility NHI-aligned clinics and hospitals | 75% |
|
Trade infrastructure
AfCFTA Trader Trust Passport and BusinessAnchorVC issuers. Customs authorities, port operators, trade-finance banks, freight forwarders, and AfCFTA-accredited origin certifiers. Available for SADC corridor deployments.
| Class | Trust weight | Required evidence |
|---|---|---|
Customs authority SARS, ZIMRA, BURS, TRA, ZRA | 100% |
|
Port authority Transnet, TAZARA, TPA (sea / air / land) | 95% |
|
Trade-finance bank Banks with explicit LC / SBLC / ECA mandate | 100% |
|
Freight forwarder SADC-licensed cross-border logistics intermediaries | 75% |
|
Origin certifier AfCFTA-accredited certificate-of-origin bodies | 90% |
|
Onboarding lifecycle
Every new institution starts at pending_evidence and advances through a gated approval chain before the first enrollment can be issued.
Submit evidence
Upload the required documents for your institution type. All required documents must carry accepted status before your application advances. Your institution account and signing key are locked in pending_evidence state.
Under review
A 2-of-2 platform-admin quorum reviews your evidence pack and confirms the legal entity behind your application. You will be contacted if additional information is needed. Status transitions to under_review.
POPIA agreement
Execute the POPIA s55 Operator Agreement (standard template or MSA for Tier-1 institutions). Your institution signing key is activated only after the agreement timestamp is recorded. Government nodes are exempt.
Approved — operational
Status is set to approved. Your agents can log in to the agent dashboard, receive a hardware security module, and begin enrollment sessions. Trust weight is applied per the class default in the Civic Score engine.
An institution whose evidence is insufficient transitions to rejected status. Enrollment and VC issuance remain blocked. The institution must resubmit a corrected evidence pack to re-enter the review queue.
Operational rules
Three policy modules govern every enrollment session. The tRPC layer enforces all three server-side before a signing key is authorised.
Two-person rule
Required for informal retail, religious organisations, and stokvels. Every enrollment must carry both the enrolling agent's device signature and a second cosign from a roving_supervisor or admin agent at the same institution. A missing cosign returns SUPERVISOR_COSIGN_REQUIRED.
Daily enrollment caps
A rolling 24-hour window cap applies per node. Class defaults: 50/day for informal retail, 200/day for religious organisations on registered drive days, 30/day for stokvels. All other types are uncapped by default. Per-row overrides are set by the platform admin on operator request. Exceeding the cap returns DAILY_CAP_EXCEEDED.
POPIA s55 agreement
Required for every institution class except government (sectoral statutes apply). Tier-1 institutions sign a bilateral MSA incorporating the s55 clauses. All other classes sign the standard template. Enrollment is blocked until the agreement timestamp is on file. Class-specific schedules apply to informal retail, religious orgs, NGOs, employers, gig platforms, and government-adjacent nodes.
Data minimisation guarantees
The architecture is designed so that even a complete compromise of operator premises and devices cannot expose the following. These constraints are CI-enforced in the codebase — not configuration choices.
Raw biometrics
Facial frames are processed in volatile memory of the Civic Anchor biometrics microservice and are never written to disk or transmitted to operator infrastructure. The operator receives only a pass/fail liveness result.
Private keys
The data subject's private keys live exclusively on their own device under WebAuthn. No operator device ever holds, sees, or transmits a holder private key.
Phone numbers in plaintext
Only the keyed HMAC of the verified phone number is retained by Civic Anchor. The plaintext is never transmitted to or stored by the operator.
Nationality and migration status
Civic Anchor's schema is structurally nationality-blind. The forbidden-columns lint rule prevents any migration or code from adding nationality, country of origin, asylum status, or refugee status fields.
Apply to become an enrollment node
To start the onboarding process, reach out with your institution name, type, and legal registration reference. The platform team will open your institution account, walk you through the evidence pack for your class, and issue a hardware security module for your first enrollment device.
Sandbox access, the full operator agreement template, and class-specific onboarding guides are provided under NDA after the initial qualification call.