
When a credential verification fails at 2 AM, who gets the call? When a compliance audit flags data residency concerns, whose problem is it? When a security incident involves credential misuse, who's accountable?
These aren't hypothetical questions. They're the real concerns keeping technical leaders awake as they evaluate digital credential verification platforms. And the answer, frustratingly, is often unclear.
Traditional identity verification models offered simple (if limiting) accountability: everything happened in-house, so everything was your problem. Cloud services introduced complexity: suddenly, you're sharing infrastructure with a provider, but who owns what?
Digital credentials amplify this challenge. You're not just verifying credentials; you're participating in a decentralised ecosystem involving issuers, holders, and verifiers across organisational boundaries. Standards bodies like W3C, OpenID Foundation (OIDF), DIF, IETF, ETSI, and ISO define how it should work. But when something goes wrong, finger-pointing begins.
What's missing is clarity.
The cloud computing industry solved this problem with the Shared Responsibility Model. Amazon Web Services popularised it: AWS secures the cloud infrastructure; customers secure their configurations and data within it. Clear boundaries eliminate ambiguity.
Vidos brings this proven approach to digital credential verification. We don't claim to do everything (we don't), and we don't expect you to manage everything (you shouldn't). Instead, we define exactly where our responsibility ends, and yours begins.
The result? Trust through transparency.
When you choose Vidos, here's what we are accountable for:
We provision and operate verification services in your chosen region, so your data stays where you put it. We don't transfer data between regions without your explicit authorisation. Europe for GDPR? Specific regions for data residency? We respect those boundaries because compliance isn't optional.
We maintain regional redundancy and SLAs, encrypt data at rest and in transit, and apply security patches proactively. To support compliance and operational transparency, we make two kinds of logs available: audit logs for management operations (configuration changes) and usage logs for service activity. This is table stakes, and we own it completely.
We participate with standards bodies, including ISO, OIDF, W3C, DIF, and IETF, to implement specifications correctly. But specifications aren't enough. We continuously test with holder wallets and issuers across the ecosystem to ensure real-world interoperability.
When OpenID4VP evolves, when W3C publishes updates to the Verifiable Credentials Data Model, when ISO refines mDocs specifications, we monitor, implement, and test. Your platform stays current without your constant vigilance.
You define policies, and we execute them consistently across all services.
All access to Vidos services requires authentication with fine-grained permissions. Whether clients access through the Gateway or direct service endpoints, each request is validated against your configured policies. Service-to-service communication uses secure roles, ensuring each service performs only its intended function.
Shared responsibility means you control what matters most: your verification rules.
You choose which Vidos services to deploy. Authorizer for OpenID4VP workflows? Resolver for DID documents? Verifier for cryptographic proofs? Validator for schema compliance? All of them through Gateway? Your use case determines the architecture.
You select the geographic region for deployment, and we suggest you use our Terraform provider to take advantage of infrastructure-as-code practices. Version control and deployment repeatability are your call.
We provide defaults to accelerate deployment, but needs vary by organisation. Government agencies have different requirements than private companies, and high-security applications demand tighter policies than convenience-focused services.
You harden policies beyond our defaults to match your risk tolerance and define verification rules to align with your business requirements. You decide which credential issuers to trust, including government agencies, certified providers, internal systems, or combinations.
Your verification logic reflects your business rules and reinforces your policies.
All Vidos services are fully customisable through policy configuration, and organisations retain the responsibility to configure each service to match verification requirements, security posture, and compliance needs.
Consider a rideshare company verifying drivers' ages using mobile driving licenses (mDL) issued by regional licensing authorities across the EU.
Vidos handles:
The rideshare company handles:
When driver onboarding fails at 2 AM, the accountability is clear. Infrastructure, encryption, or standards compliance sits with us. Policy configuration, trust list updates, or regional deployment is handled by your team. Clearly defined partnerships eliminate ambiguity and increase efficacy.
Clarity replaces confusion. When evaluating vendors, ask them: "Who's responsible for what?" Vague answers should concern you. Shared responsibility provides a framework for honest conversations about risk, compliance, and operational readiness.
Flexibility without chaos. You're not locked into our verification service. Standards-based interoperability ensures you're never trapped by proprietary implementations. Your workflows interoperate across issuers, holders, and relying parties because we follow the same standards.
Auditability when it matters. Infrastructure-as-code practices enable version control and compliance tracking. During audits, you demonstrate policy decisions with clear provenance, allowing regulators to see transparency, not black boxes.
Security through boundaries. Clear responsibility delineation enables faster problem resolution. Your security team knows what they control, your operations team knows what we maintain, and incident response follows defined escalation paths.
Trust through transparency. We document our responsibilities in detail, track our SLA commitments, and are up front about what we do and don’t handle, so there are no surprise accountabilities.
Aligned incentives for excellence. We focus resources on platform reliability, security, and standards compliance, empowering you to focus on business logic and policies, which you understand best. Both parties benefit from secure, reliable verification.
Evaluating digital credential verification platforms? Ask every vendor these three questions:
Vidos answers these questions with documentation, contracts, and operational transparency. We learned from cloud computing: ambiguity breeds risk, but clear boundaries build trust.
Digital credentials represent the future of identity verification. But that future only works when everyone understands their role and accepts their responsibility.
Read the documentation: Shared Responsibility Model for Digital Credential Verification
Talk to our team: Learn how Vidos' shared responsibility model aligns with your organisation's security posture and compliance requirements.
The question isn't whether digital credentials are the future. The question is whether you'll adopt them with clear accountability or uncertainty.
