Third Party Sharing Policy

Version 1.01, 28th April 2020

We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of Blockchain HELIX AG.

Your personal data (“User Data”) is processed in the context of the agreement entered into between you and us through our Terms and Conditions regarding the use of helix id. This Data includes, for example, your name, your address, your email address and further information about you. In terms of this document, ‘processing’ means any operation or set of operations which is performed on User Data or on sets of User Data, whether or not by automated means, in accordance with the definition in Article 4 (2) GDPR.

The following provides you with information on the sharing of your User Data with Third Parties in the context of the helix id app.

Sharing User Data with third parties 

We may share your User Data with Third Parties who provide Functionalities through and on behalf of our Platform.

We have Service Providers that complete processing on our behalf in order to successfully verify and process your User Data. These are all necessary for the functioning of helix id. We do not allow them to use your User Data for their own purposes. We permit them to process your User Data only for specified purposes and in accordance with our instructions. We have taken appropriate security and privacy measures to protect your User Data in line with our policies and the GDPR.

We may share your User Data with Third Parties if we are under a duty to disclose or share your User Data in order to comply with any legal obligation, or to protect the rights, property or safety of our site, our Users, and others. Where your User Data is shared with Third Parties, we will seek to share the minimum amount necessary. We only share User Data that you have agreed to and anonymise all User Data where necessary.

Our Service Providers 

Our Service Providers are joint controllers of this User Data, and their User Data collection, use and sharing practices are also governed by their privacy policies. Please take time to review their policies, linked below.

Authada

AUTHADA offers pioneering digital solutions for legally secure identification in real time. Authada is not currently processing any User Data. They have their Data stored in a Data Center in Germany. This Data is only retained according to applicable legally-binding retention periods. Please find the Authada Privacy Policy here.

City Network

City Network is a leading global public cloud provider. They store our company’s Data according to the GDPR through delivering public, compliant and private clouds based on OpenStack.

City Network only processes data with regard to resource allocation and consumption, as well as operational data for cloud operations in their service layers. They do not process data in relation to the platform and there is no personal data in their service layers. Data processed on behalf of Blockchain HELIX is processed in the region where the virtual machines are deployed. This data is typically retained for 14 days, but no longer than 90 days. No encryption is used for the operational data. Please find the City Network Privacy Policy here.

evan.network

evan.network provides the ability to time-stamp and secure the verification of an identity on helix id. It is generally possible to store all kinds of Data on evan.network, including User Data. Once the verification of a User’s identity has taken place, this transaction is transmitted to a public permissioned blockchain that time-stamps and records it. This increases the trust of the verification and allows the companies involved in the platform to audit it. It is ensured through legal agreements that all Data on evan.network are processed in the European Union or under European law, respectively.

Transaction Data is stored directly in the blockchain. Therefore, it will not be deleted until the entire blockchain is deleted. Additionally, it is possible to store payload data on the IPFS, a distributed file storage system. User Data stored in the IPFS can be deleted at any time, similar to a “normal” database. In general, evan will and can never delete Data from evan.network by itself – users of evan.network are themselves responsible for the handling of their or their Users’ Data. Please find the evan.network Privacy Policy here.

Seal One

Seal One provides encryption services for helix id (including signature services). The Third Party encrypts the transactions made by the User with the User's public key. When this encrypted message is sent to the User through the SealOne gateway, the User can decrypt it with their private key and check the order (what the transaction says). If the User agrees with the order, they can use their private key to sign the hash and then use the SealOne gateway to send the message back to the Third Party. The Third Party can then create a hash of the final transaction to have a verified, secure audit trail.

Every transaction will be recorded by SealOne for security purposes. Additionally, there is only one account per device, which makes it difficult to track the different users who are accessing the account when there is more than one account. In order to circumvent this, instead of the helix id accounts being limited to one SealOne account, Users would be able to access different SealOne accounts with the different devices to use helix id. As they act as a gateway, they do not hold or process any User Data or use encryption. Please find the Seal One Privacy Policy here.

Veriff

Veriff is a verification service provider. Our User Data is protected by applying a deterministic lifecycle to it. In the course of the lifecycle, Data will be moved from one tier to others so that it can be protected in the most optimal way, keeping in mind the access requirements and risks in each tier. Security best practices (encryption, vulnerability management, patching, threat monitoring, security information and event management) and access on a need-to-know basis support each tier. Please find the Veriff Privacy Policy here.

Data security

All Data stored with us or at any processors are protected using current security standards against unauthorised access, loss and modification. Rudimentary technical and organisational security precautions are taken for this with standards that at least match legal requirements.

Your rights and opportunities to lodge complaints

(1) Under certain circumstances, you have the following rights that you may assert against us with respect to the User Data relating to you:

  • Request access to your User Data. This enables you to receive a copy of the personal information we hold about you and to check that we are collecting and using it lawfully.
  • Request correction of the User Data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your User Data. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to use it. You also have the right to ask us to delete or remove your User Data where you have exercised your right to object to processing (see below).
  • Object to processing of your User Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of collecting and using your User Data. This enables you to ask us to suspend the usage of User Data about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the data portability of your User Data to another party.
  • Right to withdraw the consent. In circumstances where you have provided your consent to the collection, processing and transfer of your User Data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.

You can exercise your above rights by sending an e-mail to our data protection officer: office@blockchain-helix.com

You are also free to lodge a complaint with the supervisory authority. To lodge a complaint with the supervisory authorities, please contact the data protection authority of your country of location or the German data protection authority (Federal Commissioner for Data Protection and Freedom of Information).

Controller

The controller responsible for the processing of data in terms of Data Protection law is:

Blockchain HELIX AG
Münchener Strasse 45
60329 Frankfurt am Main
Germany
Email: office@blockchain-helix.com

Please feel free to also contact our customer service with any general questions on helix id at:

Telephone: +49 69 91314845
Email: support@blockchain-helix.com