How Civic Anchor earns the right to verify someone.

Architectural commitments

Six commitments we can defend in writing

• No raw biometrics on our infrastructure

  Capture is on-device. The capture device hashes the live biometric and discards the source frame. We persist only the hash, the user's DID, and the partner-signed evidence VC.

• POPIA Operator under written s55 agreements

  Every partner institution executes a written Operator agreement before any enrollment. Tier-1 partners (telco / bank) sign bilateral MSAs; Tier-2/3 nodes sign the standard template. No agreement, no enrollment.

• Per-jurisdiction regulator framework

  Civic Anchor is jurisdiction-portable by design. Each user carries an active ResidencyAnchorVC; the resolver respects the user's active jurisdiction's DPA framework, not the requester's.

• In-region data residency

  ZA-jurisdictioned users live on infrastructure pinned to af-south-1 (cpt1). Cross-border data flows happen only via the dual-attestation transfer protocol (PRD W8 / M3.7), never silently.

• Tamper-evident audit log

  Every verification event writes to a hash-chained system audit log (M1.5 SCH-3). Operators, auditors, and the user themselves can verify chain continuity. The audit log is the source of truth in disputes.

• Cross-store collusion detection

  Same-face cross-store enrollments within 72 hours trigger structural alerts (M2.4 RIC-4). Per-agent and per-institution enrollment bursts trigger statistical alerts (M2.4 RIC-5). Anomalies surface to the compliance dashboard.