Shared Responsibility Model for Digital Credential Verification

Digital credential verification requires a partnership between platform providers and users. Vidos operates under a shared responsibility framework tailored for digital credentials and decentralized identity, clearly delineating what the platform handles and what customers must manage to ensure security, compliance, and operational transparency.

Vidos’ shared responsibility model recognizes that security and operational success require both parties to fulfill distinct roles. The platform cannot secure everything alone, and customers cannot manage their credential verification workflows without a secure, reliable foundation.

The principle is simple: Vidos secures the platform foundation so customers can focus on their business logic. Customers control their policies and configurations to ensure the platform serves their specific needs.

Vidos is responsible for the infrastructure, security, and standards compliance that enables credential verification at scale.

  • Provisioning and Running Services: Vidos provisions and operates all services in a secure cloud environment.
  • Regional Isolation: All data processing and storage remains within the customer’s selected region. Vidos does not transfer data between regions without your explicit authorization.
  • Regional Redundancy & SLAs: Vidos provides service level agreements and maintains regional redundancy to ensure high availability.

Regional data sovereignty is a foundational commitment. Whether your organization requires data to remain in Europe for GDPR compliance or in a specific geographic region for data residency, Vidos is engineered to respect these boundaries.

  • Encryption: Data is encrypted at rest and in transit using industry-standard cryptographic methods.
  • Security Patches: Vidos applies security patches proactively and maintains a secure infrastructure against unauthorized access.
  • Access Controls: Multi-layered access controls protect services and data from unauthorized use.
  • Audit & Usage Logging: Vidos makes audit logs for all management operations (configuration changes) and usage logs for service activity available, providing transparency and supporting compliance requirements.
  • Executing Configured Policies: Vidos executes service and configuration policies you define, consistently across all services.
  • Authenticated Access with Fine-Grained Permissions: All access to Vidos services requires authentication, whether through the Gateway service or direct service endpoints. Fine-grained permissions ensure each client can perform only the authorized operations defined in your configured policies.
  • Service-to-Service Communication: Internal communication between Vidos services uses secure service roles, ensuring secure service usage.
  • Standards-Based Implementation: Vidos implements specifications from recognised standards bodies including the International Organization for Standardization (ISO), OpenID Foundation (OIDF), World Wide Web Consortium (W3C), Decentralized Identity Foundation (DIF), European Telecommunications Standards Institute (ETSI), and Internet Engineering Task Force (IETF).
  • Credential Format & Protocol Support: Broad support for credential formats and protocols ensures interoperability with credential issuers, holder wallets, and relying parties.
  • Interoperability Testing: Vidos participates in conformance testing and interoperability programmes to validate real-world functionality across wallet implementations and issuers.
  • Continuous Standards Review: Vidos actively monitors evolving standards and compliance frameworks, ensuring the platform stays current with industry best practices.
  • Management System Certifications: Vidos maintains ISO 27001 (information security) and ISO 9001 (quality management) certifications, independently audited annually.
  • Regulatory Alignment: Vidos tracks and maintains alignment with applicable regulatory frameworks including eIDAS 2.0 and UK DIATF requirements.
  • Trust Framework Certification: Vidos is certified under the UK Digital Identity and Attributes Trust Framework as an Orchestration Service Provider, Component Service Provider, and Attribute Service Provider.
  • Security Incident Management: Vidos maintains documented incident response procedures and commits to notifying affected customers of security incidents in accordance with contractual and regulatory requirements.

Your organization controls the verification configuration and business rules that make credential verification work for your specific use cases.

  • Choosing Services: You decide which Vidos services to deploy based on your verification requirements (Authorizer, Resolver, Verifier, Validator, or Gateway).
  • Regional Selection: You select the geographic region where your services and data will be processed.
  • Deployment Repeatability: Use the Vidos Terraform provider to maintain version control, infrastructure-as-code practices, and repeatable deployments.
  • Policy Definition: You define and customize policies to match your specific business requirements and verification rules.
  • Policy Hardening: Vidos provides policies to facilitate service and configuration management. You are responsible for tailoring policies to align with your organisation’s specific risk tolerance, compliance requirements, and operational needs.
  • Configuration Issues: Vidos provides documentation and configuration defaults. You are responsible for identifying and resolving service misconfigurations or policy errors. Support can provide guidance, but diagnosis and remediation remain your responsibility.
  • Service Customization: All Vidos services are fully customizable through policy configuration. It is your responsibility to configure each service to match your specific verification requirements, security posture, and compliance needs.

Real-World Example: Mobile Driving License Verification

Consider an organization that wants to verify mobile driving licenses (mDL) issued by transportation authorities for online age verification or identity confirmation.

Vidos is responsible for:

  • Running verification services in your selected geographic region
  • Encrypting all data in transit and at rest
  • Making audit logs of all credential verification events available
  • Staying compliant with W3C standards for digital credentials
  • Providing high availability and regional redundancy

The organization is responsible for:

  • Deploying services in their preferred region in a repeatable manner, e.g. via Terraform
  • Defining verification policies for different credential types (driver’s license, passport, credentials, etc.)
  • Creating and maintaining a trust list of approved issuers (government agencies, authorized vendors)
  • Hardening policies to match security classification levels and compliance requirements
  • Monitoring usage and costs
  • Updating policies as requirements change

Both parties working together create a secure, compliant, and flexible verification infrastructure.

  • Focus on platform reliability, security, and standards compliance
  • Clear scope boundaries eliminate ambiguity
  • Resources directed toward infrastructure excellence rather than customer-specific business logic
  • Full Control: Your verification logic reflects your business rules, not platform constraints.
  • Standards-Based Interoperability: Services follow open standards and specifications, ensuring your verification workflows remain interoperable across issuers, holders, and relying parties. You’re never locked into proprietary implementations.
  • Flexibility: Your policies, defined in configuration, remain portable and transferable.
  • Auditability: Infrastructure-as-code practices enable version control and compliance tracking.
  • Clarity: Clear responsibility boundaries enable faster problem resolution.
  • Transparency: Each party understands their role and what to expect.
  • Aligned Incentives: Both parties benefit from secure, reliable verification.
  • Trust: The model builds confidence that security is handled seriously.