Data Storage

Storage locations

No sensitive data, including PII, will ever be stored on publicly accessible servers. User compliance data is stored in two main locations:

  • Basis Theory: Given how crucial security is to us, we have partnered with an expert in the field to encrypt and store users’ information and documents. Basis Theory is a trusted partner of many financial institutions and fintechs, and their core mission resonates well with ours, centred around privacy and security. Basis Theory is:

    • PCI Level 1 Compliant

    • SOC 2 Type II Certified

    • HIPAA Compliant

    • ISO 27001 Certified

    The high-value data in our system is stored in a vault in the form of undecipherable tokens. Basis Theory uses strong cryptography with industry-standard key-management processes (KMS) and procedures.

    The data itself is stored in the cloud. Basis Theory follows cloud-native security best practices, implementing continuous code delivery along with system and network monitoring and scanning. Servers are operated by Azure, in the following regions: East US 2 - Virginia, Central US - Iowa, plus some global networking and edge resources.

  • Compliance Partners: Raw compliance data and records generated by compliance checks are securely stored by the Compliance Partner used for the verification. Keyring reviews the policies of each provider to ensure they meet the required security standards.

    • ComplyCube: Compliance data is securely handled and stored under ISO standards with strict information security policies (more information here).

    • Shufti Pro: Compliance data is transmitted over Secure Sockets Layer (SSL) and stored in SSAE-compliant and ISO-certified data centres across the globe for our secure data backups with either AES 128-bit, AES 256-bit or 448-bit Blowfish encryption.

Outside of these storage locations, no sensitive information or PII is stored in the clear. Anonymised data points are stored in:

  • User’s local computer (browser).

  • AWS (DynamoDB): Our servers are located in West US 2 and Oregon.

  • On-chain: Ethereum, other blockchains to come.

Data retention

Because Keyring Network is used for regulatory compliance purposes, it is obligated to keep a record of all user compliance data for several years. While this requirement varies across jurisdictions, Keyring’s base policy is to store the records for 10 years.

Compliance Partners read and process the data in accordance with their privacy policies. For user safety, Keyring triggers document deletion from our compliance vendors. After deletion, minimised information without raw documentation stays with compliance vendors that conduct continuous AML screening.
