
PII Access Control

Overview

Zyphe implements role-based access control (RBAC) for Personally Identifiable Information (PII) so that sensitive customer data is exposed only to authorized personnel, under controlled and logged conditions, reducing the risk of unauthorized access and data exfiltration.

Problem Statement

In traditional KYC/KYB systems, all organization members with dashboard access typically have unrestricted access to customer PII. This creates several security risks:

  • Insider Threat: Internal actors with legitimate access could exfiltrate large volumes of sensitive customer data
  • Over-Privileged Access: Users with no legitimate need to view PII have unrestricted access
  • Compliance Risk: Broad PII access makes it difficult to meet data minimization principles required by GDPR, CCPA, and other privacy regulations
  • Audit Trail Challenges: Without granular controls, it's difficult to track who accessed what data and when

Recent high-profile security incidents in the fintech space have demonstrated that insider-led data breaches pose a significant risk to organizations handling sensitive customer information.

Solution: Role-Based PII Access

Zyphe implements a multi-tier role system that provides granular control over PII access based on legitimate business needs:

Role Hierarchy

In order of decreasing PII access, the four roles are Organization Admin, Compliance User, Customer Support User (temporary access only) and Organization User (no PII access).

Role Descriptions

Organization Admin

Purpose: Designated for organizational leaders and administrators who require unrestricted access to PII for overall management, strategic oversight, and administrative functions.

Access Level:

  • Full PII access (permanent, no time restrictions)
  • ✅ All customer verification data
  • ✅ Document images and extracted data
  • ✅ Biometric verification results
  • ✅ All metadata and audit logs
  • ✅ Organization configuration and settings

Security Considerations:

  • This role should be assigned to senior management and key organizational stakeholders
  • Organizations are responsible for securing these credentials
  • All access by Organization Admins is logged for audit trail purposes

Typical Use Cases:

  • Organization-wide policy enforcement
  • Administrative configuration
  • Emergency access when needed

Compliance User

Purpose: Designated for compliance officers, security investigators, and auditors who require unrestricted access to PII for regulatory compliance and security investigations.

Access Level:

  • Full PII access (permanent, no time restrictions)
  • ✅ All customer verification data
  • ✅ Document images and extracted data
  • ✅ Biometric verification results
  • ✅ All metadata and audit logs

Security Considerations:

  • This role should be assigned sparingly and only to personnel with a legitimate compliance or security function
  • Organizations are responsible for securing these credentials
  • All access by Compliance users is logged for audit trail purposes
  • Recommended: Implement additional authentication factors (MFA) for Compliance role access

Typical Use Cases:

  • Regulatory audit responses
  • Security incident investigations
  • Compliance reporting

Customer Support User

Purpose: For customer support staff who occasionally need to view PII for customer assistance, dispute resolution, or operational issues.

Access Level:

  • Temporary PII access (a configurable window, typically 24-48 hours from activation)
  • ✅ Full PII during access window
  • ⏱️ After timeout: Same access as Organization User (custom data + status only)
  • 🔄 Can request temporary access renewal

Access Activation:

  1. Support agent navigates to a verification session requiring PII access
  2. System prompts agent to activate temporary PII access
  3. Agent confirms the activation (logged with reason/ticket number)
  4. PII access granted for configured duration (default: 48 hours)
  5. After timeout, agent automatically reverts to limited access

What's Visible:

During active access window:

  • Full name, date of birth, nationality
  • Document numbers (passport, ID card, driver's license)
  • Address information
  • Phone numbers and email addresses
  • Document images (front, back, selfie)
  • Biometric match scores
  • All verification results and risk scores

After access timeout:

  • Verification session ID
  • Verification status (approved, rejected, pending)
  • Custom data fields (organization-defined metadata)
  • Timestamps and workflow progression

Organization User

Purpose: For team members who need to monitor verification workflows and operational metrics without requiring access to sensitive PII.

Access Level:

  • ❌ No PII access
  • ✅ Verification session status
  • ✅ Custom data fields (organization-defined)
  • ✅ Workflow state and progression
  • ✅ Risk scores and decision outcomes (without underlying PII)

What's Visible:

  • Verification session ID
  • Status: pending, approved, rejected, expired
  • Custom data (e.g., internal reference numbers, tags, categories)
  • Verification timestamps
  • Risk level indicators
  • Document types verified (without document details)
  • Verification method used

Typical Use Cases:

  • Monitoring verification queue and throughput
  • Tracking verification status for workflow integrations
  • Generating reports on verification completion rates
  • Managing custom metadata and tags
  • Viewing high-level risk assessments

Data Access by Role

Organization Admin and Compliance User have permanent, unrestricted access to all PII fields including:

  • Full personal information (name, date of birth, nationality)
  • Complete document details (numbers, issuing countries, expiry dates)
  • Contact information (email, phone)
  • Address details
  • Biometric match scores and verification results
  • AML risk scores

Customer Support User (Within Access Window) has the same access as Organization Admin and Compliance User when temporary access is active.

Customer Support User (After Timeout) and Organization User can only view:

  • Verification session ID and status
  • Custom data fields
  • Timestamps and workflow progression
  • High-level verification outcomes (passed/failed)

PII fields are not displayed to users without PII access; integrations should expect these fields to be absent from the response rather than present but empty.

Dashboard Behavior

| Feature | Organization Admin | Compliance User | Customer Support (Active) | Customer Support (Expired) | Org User |
| --- | --- | --- | --- | --- | --- |
| View verification status | ✅ | ✅ | ✅ | ✅ | ✅ |
| View custom data | ✅ | ✅ | ✅ | ✅ | ✅ |
| View PII fields | ✅ | ✅ | ✅ | ❌ | ❌ |
| View document images | ✅ | ✅ | ✅ | ❌ | ❌ |
| Access audit logs | ✅ | ✅ | ❌ | ❌ | ❌ |
| Activate PII access | N/A | N/A | ✅ (renewal) | ✅ | ❌ |
| Manage organization | ✅ | ❌ | ❌ | ❌ | ❌ |

System Integration

Webhook Considerations

Webhook payloads respect PII access controls based on the organization's configuration:

  • Option 1: Webhooks never include PII (recommended for security)
  • Option 2: Webhooks include session ID only; PII must be accessed separately (subject to role permissions)
  • Option 3: Webhooks include PII only for organizations with specific configuration (not recommended)
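The following is an added illustration, not Zyphe's own code, of the Customer Support activation flow, the role-based field projection from "Data Access by Role", and webhook Options 1-3 above. The role values, field names, class names, 48-hour default and audit-log shape are assumptions chosen for the example; the sample session record is constructed.

```python
"""Added example (not Zyphe's code): time-boxed PII access for Customer Support,
role-based projection of session reads, and webhook payload options.
Role values, field names, class names and the audit-log shape are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Role(Enum):
    ORG_ADMIN = "organization_admin"
    COMPLIANCE = "compliance_user"
    SUPPORT = "customer_support_user"
    ORG_USER = "organization_user"

# Permanent PII access; Support gets a window, Org User never has PII access.
PERMANENT_PII_ROLES = {Role.ORG_ADMIN, Role.COMPLIANCE}

# Field groups following the "Data Access by Role" section (names assumed).
PII_FIELDS = {"full_name", "date_of_birth", "nationality", "document_number",
              "address", "email", "phone", "document_images", "biometric_score"}
NON_PII_FIELDS = {"session_id", "status", "custom_data", "timestamps", "outcome"}

DEFAULT_WINDOW = timedelta(hours=48)  # page default; organizations may configure it

@dataclass
class User:
    user_id: str
    role: Role
    pii_access_until: Optional[datetime] = None  # only meaningful for SUPPORT

@dataclass
class AccessControl:
    window: timedelta = DEFAULT_WINDOW
    audit_log: list = field(default_factory=list)

    def activate(self, user: User, reason: str, now: datetime) -> datetime:
        """Steps 3-4: the agent confirms with a ticket number or reason (logged)
        and receives the configured window. Calling it again is the renewal."""
        if user.role is not Role.SUPPORT:
            raise PermissionError("only Customer Support users activate temporary PII access")
        if not reason.strip():
            raise ValueError("a justification or ticket number is required")
        user.pii_access_until = now + self.window
        self.audit_log.append({"event": "pii_access_activated", "user": user.user_id,
                               "reason": reason, "until": user.pii_access_until.isoformat()})
        return user.pii_access_until

    def has_pii_access(self, user: User, now: datetime) -> bool:
        """Evaluated on every request; step 5 (automatic revert) is just the
        comparison against the stored expiry, nothing has to run at timeout."""
        if user.role in PERMANENT_PII_ROLES:
            return True
        if user.role is Role.SUPPORT and user.pii_access_until is not None:
            return now < user.pii_access_until
        return False

    def view_session(self, user: User, session: dict, now: datetime) -> dict:
        """Project the record to the fields this user may see. PII keys are
        omitted rather than blanked, and every read is logged."""
        allowed = self.has_pii_access(user, now)
        visible = NON_PII_FIELDS | (PII_FIELDS if allowed else set())
        self.audit_log.append({"event": "session_viewed", "user": user.user_id,
                               "session": session.get("session_id"), "pii_included": allowed})
        return {k: v for k, v in session.items() if k in visible}

def webhook_payload(session: dict, include_pii: bool = False) -> dict:
    """Options 1/2: session ID and non-PII state only, so PII is obtainable only
    through a role-checked read. include_pii=True is Option 3 (not recommended)."""
    keys = NON_PII_FIELDS | (PII_FIELDS if include_pii else set())
    return {k: v for k, v in session.items() if k in keys}

# Constructed sample record, not real data.
SAMPLE_SESSION = {
    "session_id": "vs_0001", "status": "approved", "custom_data": {"ref": "ORD-77"},
    "timestamps": {"created": "2024-01-01T08:00:00Z"}, "outcome": "passed",
    "full_name": "A. Example", "date_of_birth": "1990-01-01",
    "document_number": "X1234567", "email": "a@example.invalid", "biometric_score": 0.97,
}

def demo() -> dict:
    """Walk a Support agent and an Org User through the flow; returns observed key sets."""
    ac = AccessControl()
    agent = User("agent-17", Role.SUPPORT)
    viewer = User("ops-02", Role.ORG_USER)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    before = set(ac.view_session(agent, SAMPLE_SESSION, t0))           # step 1: no window yet
    until = ac.activate(agent, "TICKET-4242: chargeback dispute", t0)  # steps 2-4
    during = set(ac.view_session(agent, SAMPLE_SESSION, t0 + timedelta(hours=1)))
    after = set(ac.view_session(agent, SAMPLE_SESSION, until))         # step 5: at expiry
    org_user = set(ac.view_session(viewer, SAMPLE_SESSION, t0))
    try:
        ac.activate(viewer, "TICKET-1", t0); org_user_could_activate = True
    except PermissionError:
        org_user_could_activate = False
    try:
        ac.activate(agent, "   ", t0); blank_reason_accepted = True
    except ValueError:
        blank_reason_accepted = False
    return {"before": before, "during": during, "after": after, "org_user": org_user,
            "window_hours": (until - t0).total_seconds() / 3600,
            "org_user_could_activate": org_user_could_activate,
            "blank_reason_accepted": blank_reason_accepted,
            "events": [e["event"] for e in ac.audit_log]}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that the agent's read exactly at the expiry instant already returns the limited view: the check is strict (`now < until`), and because the decision is recomputed from the stored expiry on each read, no background job is needed to revoke the window.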

Best Practices

For Organizations

  1. Assign Admin Roles Carefully: Only assign Organization Admin and Compliance roles to appropriate personnel
  2. Secure Admin Credentials: Use strong authentication methods for Organization Admin and Compliance users
  3. Regular Access Reviews: Periodically review who has elevated roles
  4. Monitor Access Patterns: Set up alerts for unusual PII access patterns
  5. Document Justifications: Require ticket numbers or justifications when Customer Support activates PII access
  6. Principle of Least Privilege: Default to Org User role; grant Customer Support only when needed
  7. Configure Appropriate Timeouts: Adjust PII access duration based on your operational needs

For Developers

  1. Never Cache PII: Don't store PII in client-side storage or logs
  2. Check Access on Every Request: Don't assume access from a previous request
  3. Handle Missing PII Gracefully: UI should work when PII fields are not present
  4. Display Access Status: Show users their current PII access status and expiry time
  5. Implement Access Request Flow: Provide clear UI for Customer Support to request PII access
  6. Test All Roles: Ensure your application works for all four role types
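As an added example (not part of Zyphe's SDK or documentation), the snippet below shows how a dashboard integration can follow practices 1 through 4 and 6: PII is scrubbed before anything is logged, the summary view tolerates absent PII keys, and the displayed access status is derived from the grant returned with the current request. The response shape, role strings, label wording and sample records are assumptions constructed for this illustration.

```python
"""Added example (not Zyphe's SDK): client-side hygiene for the developer
practices. Response shape, role strings and label wording are assumptions."""
import logging
from datetime import datetime, timedelta, timezone

# Keys that must never reach logs or client-side storage (practice 1).
PII_KEYS = {"full_name", "date_of_birth", "nationality", "document_number",
            "address", "email", "phone", "document_images", "biometric_score"}
REDACTED = "[redacted]"
PERMANENT_ROLES = {"organization_admin", "compliance_user"}

def scrub(value):
    """Recursively replace PII values, including ones nested inside custom data."""
    if isinstance(value, dict):
        return {k: (REDACTED if k in PII_KEYS else scrub(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def log_session_event(logger: logging.Logger, message: str, payload: dict) -> dict:
    """Log only the scrubbed payload; returns what was logged for inspection."""
    safe = scrub(payload)
    logger.info("%s %s", message, safe)
    return safe

def summarize(session_view: dict) -> dict:
    """Practice 3: render whether or not PII keys are present. A missing key
    means 'not visible to this role', not an error."""
    return {
        "session_id": session_view["session_id"],
        "status": session_view["status"],
        "subject": session_view.get("full_name", "(not visible for your role)"),
        "has_document_images": "document_images" in session_view,
    }

def access_status(role: str, pii_access_until, now: datetime) -> dict:
    """Practices 2 and 4: derive the shown status from the grant the server
    returned with this request, never from an earlier response."""
    if role in PERMANENT_ROLES:
        return {"pii": True, "label": "PII access: permanent"}
    if role != "customer_support_user" or pii_access_until is None or now >= pii_access_until:
        return {"pii": False, "label": "PII access: inactive"}
    left = pii_access_until - now
    h, m = divmod(int(left.total_seconds()) // 60, 60)
    return {"pii": True, "label": f"PII access: active, expires in {h}h {m:02d}m"}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed 'current' time

def demo() -> dict:
    """Practice 6: exercise every role; records below are constructed samples."""
    logger = logging.getLogger("pii-demo")
    # Organization-defined custom data can itself carry contact details, so the
    # scrubber must descend into nested structures.
    full = {"session_id": "vs_0001", "status": "approved", "full_name": "A. Example",
            "custom_data": {"ref": "ORD-77", "contact": {"email": "a@example.invalid"}}}
    limited = {"session_id": "vs_0001", "status": "approved",
               "custom_data": {"ref": "ORD-77"}}
    logged = log_session_event(logger, "session opened", full)
    support_until = NOW + timedelta(hours=5, minutes=30)
    return {
        "logged": logged,
        "summary_full": summarize(full),
        "summary_limited": summarize(limited),
        "labels": {
            "organization_admin": access_status("organization_admin", None, NOW)["label"],
            "compliance_user": access_status("compliance_user", None, NOW)["label"],
            "support_active": access_status("customer_support_user", support_until, NOW)["label"],
            "support_expired": access_status("customer_support_user",
                                             NOW - timedelta(minutes=1), NOW)["label"],
            "organization_user": access_status("organization_user", None, NOW)["label"],
        },
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The scrubber works on key names rather than on value patterns, so it only protects fields whose names are in `PII_KEYS`; keep that set aligned with the fields your organization actually receives, and prefer it over regex-based detection, which misses document numbers and names easily.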

Support

For questions or issues related to PII access controls: