
KYC Passport

The KYC Passport is a powerful feature that enables organizations to securely share verified KYC data with their partner organizations. This eliminates the need for users to repeat the verification process when interacting with multiple entities within an ecosystem, while maintaining user privacy and consent.

Overview

With KYC Passport, a main organization can invite partner organizations to access KYC verification results from specific flows. Users provide consent once during the verification process, granting access to all approved partners. This creates a trusted ecosystem where verified identity data can be shared efficiently and securely.

Key Benefits

  • Seamless Partner Integration: Share KYC results with multiple partners without requiring repeated verification
  • User-Centric Consent: Users maintain control by providing explicit consent for data sharing
  • Time and Cost Efficiency: Reduces redundant verification processes across partner organizations
  • Secure Access Control: Cryptographic access grants ensure only authorized partners can access data
  • Flexible Partner Management: Invite existing organizations or allow new partners to join the platform

How It Works

1. Creating a Flow with Partner Sharing

When creating a KYC flow, organization admins can enable partner sharing:

  1. Navigate to the flow creation or editing page
  2. In the "Share Results" section, select "Invite Partner"
  3. Enter the partner organization's email address and organization name
  4. Multiple partners can be invited (e.g., SUB-ORG-A, SUB-ORG-B, SUB-ORG-C)
  5. All future verification results from that flow will be available to invited partners (once they accept)

Info: Partner invites only apply to verification results created after the invite is sent. Historical data is not automatically shared with newly invited partners.

2. Partner Organization Invitation Process

For New Organizations

When a partner organization that doesn't exist on the platform receives an invite:

  1. They receive an email invitation with a secure invite link and verification code
  2. Clicking the link directs them to the organization registration process
  3. Upon successful registration, the invitation is automatically accepted
  4. The new organization immediately gains access to shared flow results (from the invite creation date forward)

For Existing Organizations

When an existing organization receives an invite:

  1. The admin receives the invitation via email and in-app notifications
  2. The admin can review the invitation details, including:
    • The inviting organization's name
    • The flow name and type
    • What data will be shared
  3. The admin can choose to Accept or Reject the invitation
  4. If accepted, the organization gains access to all flow results from the moment the invite was created
  5. If rejected, no data is shared and the invitation is closed

User consent is central to the KYC Passport functionality. During the verification process:

  1. The user starts verification for a flow that has partner sharing enabled
  2. At the privacy consent step, they see a clear disclosure that includes:
    • The main organization they're verifying with
    • A complete list of all partner organizations that will receive their data
    • The types of data that will be shared
  3. The user must explicitly consent by checking the consent box to proceed
  4. If consent is provided, verification continues and data is shared accordingly
  5. If consent is declined, the user cannot proceed with verification

Important Consent Rules

  • No consent = No access: If a user does not consent, no access grants are created for any partner organizations
  • Invite timing matters: Partners invited after a user completes verification do not automatically receive access to that user's data
  • Consent is flow-specific: Users consent to share data for a specific flow and its invited partners at the time of verification

Access Grant Generation

The system uses cryptographic access grants to control data access. Here's how they're generated:

During User Verification

Access Grant Rules

  1. Main Organization: Always receives an access grant when the user completes verification with consent
  2. Accepted Partner Invites: If the partner has already accepted the invite, they receive an access grant immediately
  3. Pending Partner Invites: An access grant is created and will become active when the partner accepts the invite
  4. Rejected Partner Invites: No access grant is created
  5. No Consent: If the user doesn't consent, no partner grants are created (only the main organization receives a grant)
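
The grant rules above, combined with the consent and invite-timing rules, can be checked against exported records. This is an added example, not the platform's own code: the record shapes, field names, grant states and sample data are hypothetical, since the page publishes no schema or API.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical record shapes; the page does not publish a schema or API.
@dataclass(frozen=True)
class Invite:
    invite_id: str
    partner: str
    status: str          # "pending", "accepted" or "rejected"
    created_at: datetime

@dataclass(frozen=True)
class Verification:
    user: str
    consented: bool
    completed_at: datetime

def expected_partner_grant(inv, ver):
    """State a partner grant should have: 'active', 'pending' or None."""
    if not ver.consented or inv.status == "rejected":
        return None      # no consent or a rejected invite: no partner grant
    if ver.completed_at <= inv.created_at:
        return None      # user verified before the invite existed
    return "active" if inv.status == "accepted" else "pending"

def audit(invites, verifications, grants):
    """Return (partner, user, expected, observed) for every mismatch."""
    findings = []
    for inv in invites:
        for ver in verifications:
            want = expected_partner_grant(inv, ver)
            got = grants.get((inv.invite_id, ver.user))
            if got != want:
                findings.append((inv.partner, ver.user, want, got))
    return findings

# Constructed sample data (not real records); the inv-d grant breaks the timing rule.
INVITES = [
    Invite("inv-a", "SUB-ORG-A", "accepted", datetime(2024, 1, 1)),
    Invite("inv-b", "SUB-ORG-B", "pending", datetime(2024, 1, 1)),
    Invite("inv-c", "SUB-ORG-C", "rejected", datetime(2024, 1, 1)),
    Invite("inv-d", "SUB-ORG-D", "accepted", datetime(2024, 1, 10)),
]
VERIFICATIONS = [Verification("alice", True, datetime(2024, 1, 5)),
                 Verification("bob", False, datetime(2024, 1, 5))]
GRANTS = {("inv-a", "alice"): "active", ("inv-b", "alice"): "pending",
          ("inv-d", "alice"): "active"}

if __name__ == "__main__":
    print(audit(INVITES, VERIFICATIONS, GRANTS))
```

A finding with an expected state of None and an observed state of "active" is the case to escalate: a partner holds a grant that the consent or timing rules do not support.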

Partner Invitation Lifecycle

Accepting an Invite (Existing Organization)

Accepting an Invite (New Organization)

Data Access for Partners

Main Organization Data Access

Partner Organization Data Access

Access Grant Differences

  • Main Organization: Access grants establish a connection between the organization and the verified document.
  • Partner Organizations: Access grants associate the invite with the verified document, ensuring it is linked to the invitee organization upon acceptance.

This ensures partners can only access data from the specific flow they were invited to, and only for users who completed verification after the invite was created (with proper consent).

Managing Partner Invites

Resending Invitations

If a partner hasn't responded to an invitation, the main organization can resend it:

  1. Navigate to the flow's partner list
  2. Find the pending invitation
  3. Click "Resend Invite"
  4. A new email with a fresh verification code is sent

Revoking Partner Access

Organization admins can revoke a partner's access at any time:

  1. Navigate to the flow's partner list
  2. Find the partner organization
  3. Click "Revoke Access"
  4. The partner immediately loses access to all shared data for that flow

Warning: Revoking access is permanent. The partner organization will need to be invited again if access should be restored.

Security Considerations

The KYC Passport implements several security measures:

Invite Verification

  • Each invite includes a unique inviteId that acts as an access credential
  • Invites are secured with one-time passwords (OTP) sent via email
  • The OTP must be verified before an invite can be accepted or rejected
  • All invite transmissions occur over encrypted HTTPS connections

Access Control

  • Access grants use cryptographic derivation from the user's vault access grant
  • Partners can only access data they have explicit grants for
  • Access grants are immutable and auditable

Data Protection

  • All personal data remains encrypted in decentralized storage
  • Partners never receive raw access to the storage—only through access grants
  • Access grants can be revoked. Data access stays active until the regulatory obligations on data retention are met
  • User consent is explicitly linked to access grants via flow consents
  • The system verifies consent existence before creating or activating grants
  • Consent is flow-specific and includes the list of partners at verification time
  • Users maintain control over their data through the consent mechanism

Use Cases

Financial Services Ecosystem

A banking organization can share KYC data with:

  • Investment platforms
  • Credit providers
  • Insurance companies
  • Payment processors

Users complete KYC once with the main bank, and approved partners can access the verified data without requiring users to re-verify.

E-Commerce and Marketplaces

A marketplace can share verified seller identities with:

  • Payment gateway providers
  • Logistics partners
  • Regulatory bodies
  • Escrow services

Healthcare Networks

A healthcare provider can share verified patient identities with:

  • Specialist clinics
  • Pharmacies
  • Insurance providers
  • Laboratory services

Best Practices

For Main Organizations

  1. Be transparent: Clearly communicate to users which partners will receive their data
  2. Invite selectively: Only invite trusted partners who have a legitimate need for the data
  3. Regular audits: Periodically review active partner invites and revoke unnecessary access
  4. Partner vetting: Ensure partners meet your security and privacy standards before inviting them

For Partner Organizations

  1. Accept promptly: Accept invitations in a timely manner to avoid delays
  2. Data minimization: Only access data that is necessary for your operations
  3. Secure storage: If caching partner data, ensure it's stored securely and encrypted
  4. Compliance: Ensure your data handling practices comply with relevant regulations (GDPR, CCPA, etc.)

For Implementation

  1. Test in sandbox: Always test the partner invite flow in the sandbox environment first
  2. Monitor invites: Track invite acceptance rates and follow up on pending invites
  3. Clear documentation: Provide partners with clear documentation about data access
  4. Handle errors gracefully: Implement proper error handling for invite operations

Frequently Asked Questions

What happens if a user completes verification before a partner accepts the invite?

The access grant is created when the user completes verification (with consent). When the partner later accepts the invite, they gain immediate access to that data.

Can a partner access data from users who verified before they were invited?

No. Partners can only access data from users who completed verification after the invite was created. This ensures users have visibility into which partners their data will be shared with.

If a user doesn't consent, they cannot proceed with the verification. Alternatively, organizations can create separate flows without partner sharing for users who prefer not to share their data.

How many partners can be invited to a single flow?

There is no hard limit on the number of partners that can be invited to a flow. However, for user experience purposes, it's recommended to limit the list to partners that are essential for the user's journey.

Can partner access be temporary?

Yes. Organizations can revoke partner access at any time, effectively ending their ability to access the data. Currently, time-based expiration of invites or access grants must be managed manually.

Data Retention Obligations

If access is revoked, data access stays available until the partner's data retention duties are met.

What data do partners receive?

Partners receive the same KYC data that the main organization has access to for the specific flow, including:

  • Verified identity documents
  • Personal information (name, date of birth, address, etc.)
  • Verification results and status
  • Any additional data collected in the flow

The exact data depends on the flow configuration and document types verified.