Legal and compliance

1. User identity data

Field	Detail
Data	NFC implant UID (SHA-256 hash), user-assigned name, avatar
Purpose	User identification and account management
Legal basis	Contract performance
Recipients	None
Retention	Until account deletion
Security	UID stored as SHA-256 hash, HTTPS in transit, database encrypted at rest

2. Saved credentials

Field	Detail
Data	Website URL, username, encrypted password, type (Personal/Professional)
Purpose	Password management and auto-fill
Legal basis	Contract performance
Recipients	None. User-initiated sharing between SkinID accounts only.
Retention	Until credential or account deletion
Security	AES-256-GCM encryption, per-user derived keys (HKDF-SHA256)

3. FIDO2 passkeys

Field	Detail
Data	Relying party ID, credential ID, encrypted private key, public key, user name, sign-in count
Purpose	Passwordless authentication
Legal basis	Contract performance
Recipients	Public key shared with the relying party during registration
Retention	Until passkey or account deletion
Security	Private keys encrypted with AES-256-GCM, per-user derived keys

4. Autofill profile

Field	Detail
Data	Name, date of birth, gender, emails, phones, addresses, usernames, company, job title
Purpose	Auto-filling registration forms
Legal basis	Contract performance
Recipients	None. Data injected into forms locally in the browser.
Retention	Until profile or account deletion
Security	Encrypted as a single AES-256-GCM blob with per-user key

5. Activity log

Field	Detail
Data	Action type, detail text, timestamp
Purpose	Security monitoring
Legal basis	Legitimate interest (security)
Retention	12 months

6. Trusted devices

Field	Detail
Data	Device name, IP address, platform, device ID, timestamps
Purpose	NFC bridge management
Legal basis	Contract performance
Retention	Until device removal or account deletion

7. Authentication tokens

Field	Detail
Data	SHA-256 hash of token, prefix, creation date, last used date
Purpose	Session management
Security	Raw tokens never stored. Only hashes persisted.

Technical and organizational measures

• All data encrypted at rest (AES-256-GCM with per-user keys)
• All communications encrypted in transit (HTTPS with TLS certificate pinning)
• Per-user data isolation at the database level
• CSRF protection, rate limiting
• Daily automated backups (30-day retention)
• Server hosted by Infomaniak, Switzerland
• No third-party analytics, tracking, or data sharing

1. Definition

A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Detection

• Unusual server access patterns
• Unexpected database queries or exports
• User reports of unauthorized activity
• Security researcher disclosures
• Monitoring alerts (failed authentication spikes, rate limiting triggers)

3. Assessment (within 24 hours)

• What data was affected?
• How many users are affected?
• Is the data encrypted? Was the master key compromised?
• Is the breach ongoing or contained?
• What is the risk to affected users?

4. Containment (immediately)

• Revoke all active authentication tokens
• Rotate the master encryption key if compromised
• Block unauthorized access vectors
• Take the server offline if necessary
• Preserve evidence

5. Notification to the FDPIC

As soon as possible (within 72 hours) via databreach.edoeb.admin.ch. The notification includes: nature of the breach, data affected, number of users, consequences, and measures taken.

6. Notification to affected users

Required if the breach poses a high risk to users. Users are notified via the management panel and any available contact information. The notification explains what happened, what data was affected, what the user should do, and what SkinID has done.

7. Post-incident review

Within 2 weeks: document the timeline, identify root cause, implement corrective measures, update procedures.

Contact

FDPIC: www.edoeb.admin.ch
Breach notification: databreach.edoeb.admin.ch

1. Description

SkinID is a Swiss authentication platform that uses a subdermal NFC cryptographic implant as a universal identity key. Users scan their hand to authenticate across digital and physical environments.

Data processed

• NFC implant UID (SHA-256 hash)
• Encrypted website credentials (passwords)
• Encrypted FIDO2 private keys
• Encrypted autofill profile (name, contacts, addresses)
• Activity logs, device information, sharing relationships

Data flows

User's implant → NFC reader → SkinID app/extension → HTTPS → SkinID server (Switzerland). No data flows outside Switzerland. No third-party APIs receive user data.

2. Necessity and proportionality

Each data category serves a specific functional purpose (authentication, password management, form auto-fill). No email, phone, or real name is required. SkinID collects significantly less personal data than comparable services. Data collection is proportionate.

3. Risk assessment

Risk	Likelihood	Impact
Server compromise (database only)	Low	Low (data encrypted)
Server compromise (database + master key)	Very low	High
Stolen authentication token	Low	Medium
NFC implant cloning (DESFire EV3)	Very low	Medium
Cross-user data access	Very low	High
Data loss	Low	Medium

4. Mitigation measures

Measure	Status
AES-256-GCM encryption with per-user keys	Implemented
Master key stored separately from database	Implemented
SHA-256 token hashing	Implemented
Auto-lock after inactivity	Implemented
Per-user data isolation	Implemented
Daily automated backups	Implemented
DESFire EV3 AES-128 mutual authentication	Implemented
Migrate to implant-derived encryption keys	Planned
Encrypt activity log entries	Planned

5. Conclusion

The processing is necessary and proportionate. Identified risks are mitigated by technical and organizational measures. Residual risk level: LOW. The primary residual risk (server-side master key) is accepted for the current phase and will be addressed by migrating to implant-derived encryption keys.

This assessment is reviewed annually, when significant changes are made, or after any security incident.