In August 2024, we announced a bold commitment: to become a dataless identity provider and delete all user data from our servers by the end of Q2 2025. Now that we’ve reached the halfway point, we’re excited to share an update on our progress, the milestones we’ve achieved, and the critical work that lies ahead.
A Look Back: What We’ve Accomplished So Far
Over the past few months, we’ve made significant strides toward our dataless goal. A key achievement has been the deletion of more than 362,000 user records, equivalent to one-third of our user base.
Deleting data from our servers while ensuring user privacy, complying with regulations, and servicing our clients represents a major effort. Fractal ID has served more than 250 clients since 2017, and we are working with them to ensure they can comply with their legal requirements while deleting user data from our systems.
What’s Next: The Path Ahead
Our efforts are far from over. By the end of January 2025, we aim to have deleted 470,000 additional user records. These records pertain to unique users who were onboarded to clients who no longer maintain contracts with Fractal ID.
Because of our clients’ AML compliance requirements, in some instances we are unable to fully erase all data. In these situations, we will still remove all data from our system, but we will store the data encrypted at rest in a secure cold storage solution (S3 Glacier, with 3 operators who each hold different keys and must collaborate to write, read, and decrypt data). This data will not be accessed unless it is required by the pertinent authorities. We will fully erase all data as soon as compliance requirements allow us to (usually within 5 years).
Strengthening Security Along the Way
As part of our journey toward becoming dataless, we’ve also prioritized enhancing the security of our systems. A dataless approach not only reduces the risk of breaches but also demands robust internal controls. In addition to regular key rotation and enhanced MFA across all systems, we have implemented two additional data security measures:
- IP and Time Gating Mechanisms: Limiting system access based on approved IP addresses and specific time windows to minimize vulnerabilities.
- Automated Data Deletion: Implementing an automated process to delete user records from our internal back-office systems within two weeks of onboarding completion.
These measures reinforce our commitment to privacy, security, and operational excellence as we continue our transformative journey.
Looking Forward: Our Commitment to Become a Dataless Verification Provider
Becoming a dataless organization is not just a technical challenge—it’s a redefinition of how we operate and how we prioritize user privacy. Every step we take reinforces our commitment to transparency, security, and responsibility.
We look forward to sharing further updates as we continue this journey and invite our partners, clients, and users to join us in supporting a future where privacy and data minimization are not just ideals but standards of excellence.
Fractal ID