
Data Lifecycle
Industry Leading Security with Complete Data Control
Data isn't alive?
The purpose of Proofenance is to gather and present relevant, sensitive information about a person. Proofenance completely understands that this is a worrying concept, with the long history of data breaches from poorly designed and maintained company systems.
A piece of information on its own doesn't carry much risk; however, a collection of different pieces attributable to a real person absolutely does. When these pieces are kept in the same place, behind the same security methods, a data breach target is formed.
The data collection is commercially useful just once—at the Point of Sale. After this, the data will be archived for a length of time to satisfy any auditing or reporting requirements, or until an eviction request.
Evicting the data collection from Proofenance's systems will remove all traces from Proofenance's archive, but leave the individual dispersed pieces of information with their original sources.
This collection and eventual dispersal of information represents the Proofenance data lifecycle.
Data Lifecycle Principles
Our approach to data management ensures security, compliance, and complete control over sensitive information.
Moment of Sale Assembly
Data is assembled only when required at the moment of sale, minimizing existence of the complete data set.
Time-Limited Storage
Information is stored only for the time required to satisfy auditing or reporting requirements.
Complete Eviction
All traces are removed from Proofenance systems when the data is no longer required, or on request.
Authorised Access Only
Only authorised individuals can view sensitive data during applicable times in the lifecycle.
Who has access?
Access is role-based and logged. Only authorised staff can view customer and sale data during the parts of the lifecycle where your policy allows it. The platform is built on AWS using Well-Architected principles for security, reliability, and operational review.
If you would like to know more about our data security, we are proud to be able to share how we follow AWS Well-Architected principles. Just get in touch with us and we can show you around our stack.
Secure by design
Every layer is there to keep identity and payment data where it belongs.
Encryption & access controls
Encryption and access controls aligned to financial services expectations, with design reviews as the product evolves.
Data protection by design
We treat ID and source-of-funds material as highly sensitive, with minimisation and clear roles for who can see what, when.
Secure infrastructure
Multi-vendor hosting spreads risk across providers so we are not dependent on a single cloud, with logging and operational hardening for regulated workloads.
Dedicated hardware
Sensitive processing runs on dedicated compute, giving us full control over our environment where identity data is handled.
Strong resilience
Redundancy, failover, and recovery are built in so a single failure does not take compliance workflows offline when a sale is in progress.
Audit trail
Key compliance actions and evidence are tied to the purchase so you can show what happened in a real sale.
Ongoing security work
We monitor, review, and improve controls over time, with materials you can share with your board or bank.
UK & EU data choices
Hosting and retention choices that match your risk profile across the jurisdictions you sell in.
GDPR by design
Privacy principles are built into how we collect, store, and retain identity and payment data.
ISO 27001 aligned
Security management practices aligned to ISO 27001, with controls you can discuss with your MLRO or bank.
24/7 security operations
Monitoring and incident response run around the clock so issues are caught and handled without waiting for office hours.
Security you can read and share
If your MLRO, bank, or client asks how data is held, we want you to have a clear place to point.