GDPR, CCPA and CCPR are privacy regulations rather than technical standards; we comply with them largely by default as long as we keep the sovereign architecture (user data stays under our own control rather than with third-party processors).
ISO 27001 is a general information-security management standard. The application meets most of its technical requirements by default, but certification also needs organisational controls (monitoring, documented processes and employee training) that we still have to put in place. Being certified would give clients more confidence.
eIDAS is the EU regulation on electronic identification and trust services; it defines the legal levels of electronic signatures. We want to support signing under it, but do not yet.
QES (Qualified Electronic Signature) is the highest signature level defined under eIDAS, legally equivalent to a handwritten signature in the EU; we will support it as part of eIDAS support.
SSI (Self-Sovereign Identity) is an identity model built on W3C standards (Decentralized Identifiers and Verifiable Credentials); we already support it.
WebID is an alternative W3C identity standard (a URI-based identifier); supporting it only makes sense if a client requests it.
OCR of the MRZ (Machine Readable Zone) - Reads the two printed lines at the bottom of a passport from a camera image. Doing this reliably needs substantial ML, which in practice means sending the passport image to a recognition service, so it is not a privacy-preserving way of reading a passport. A lot of work has already gone into this elsewhere, so it makes more sense to use a third-party service than to build it ourselves.
NFC passports - The phone's NFC reader reads the holder's data and the signed data groups directly from the chip embedded in the passport, so only minimal third-party involvement is needed (the chip is unlocked with the MRZ fields or the CAN, and the data is verified against the issuer's signature). It also takes a lot of work to set up, so it probably makes more sense for us to use a third-party service.
CIAM (Customer Identity and Access Management) - Is a general term for managing external users' identities, authentication and access, which we are doing parts of.
SSO (Single Sign-On) - Is a mechanism we already support in the app.
MFA (Multi-Factor Authentication) - Is half built: we already support PIN and biometrics as factors, but not document or liveness checks.
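Both passport-reading options above turn on the MRZ: OCR extracts it from a photo, and an NFC read of the chip under Basic Access Control needs the same three MRZ fields (document number, date of birth, expiry date, each with its check digit) to derive the session keys. The following is an added example in Python, not code from this page or from the product it describes, showing the ICAO 9303 check-digit validation you would run on OCR output before trusting it, and the BAC key derivation from those fields. It assumes a TD3 (passport-size) MRZ and BAC rather than PACE; the MRZ it parses is constructed from the field values of the ICAO 9303 Part 11 worked example, with the composite check digit recomputed.

```python
"""Validate an ICAO 9303 TD3 (passport) MRZ and derive the Basic Access Control keys.

Added example; not code from the page or its product.  The MRZ below is constructed
from the ICAO 9303 Part 11 worked-example fields (document number L898902C<,
date of birth 690806, expiry 940623); name and optional data follow the ICAO
Part 4 specimen and the composite check digit is recomputed for these fields.
"""
import hashlib

# Constructed test MRZ (see module docstring); it is not a real document.
MRZ_LINE1 = ("P<UTO" + "ERIKSSON<<ANNA<MARIA").ljust(44, "<")
MRZ_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"


def char_value(c: str) -> int:
    """Value of an MRZ character under ICAO 9303: '<' = 0, digits as-is, A..Z = 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weighted sum with repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    return sum(char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def parse_td3(line1: str, line2: str) -> dict:
    """Split the second MRZ line of a TD3 document and verify every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    fields = {
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
    }
    errors = []
    for name, (value, cd) in fields.items():
        # An all-filler optional field may carry '<' instead of '0' as its check digit.
        if name == "optional_data" and cd == "<" and set(value) == {"<"}:
            continue
        if str(check_digit(value)) != cd:
            errors.append(name)
    # The composite digit covers positions 1-10, 14-20 and 22-43 (the sex field
    # at position 21 is excluded); a misread digit changes it as well.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if str(check_digit(composite)) != line2[43]:
        errors.append("composite")
    return {
        "document_type": line1[0],
        "issuer": line1[2:5],
        "nationality": line2[10:13],
        "sex": line2[20],
        **{name: value for name, (value, _) in fields.items()},
        "errors": errors,
        "valid": not errors,
    }


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every DES key byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_bac_keys(mrz: dict) -> dict:
    """Derive Kseed, KENC and KMAC (ICAO 9303 Part 11, BAC) from a validated MRZ.

    The chip is unlocked with keys derived from document number, date of birth and
    expiry date, each followed by its check digit; this is why an NFC read still
    needs the MRZ (or the CAN) first.  Only call this on an MRZ that parsed as valid.
    """
    mrz_information = "".join(
        f + str(check_digit(f))
        for f in (mrz["document_number"], mrz["date_of_birth"], mrz["expiry_date"])
    ).encode("ascii")
    kseed = hashlib.sha1(mrz_information).digest()[:16]

    def kdf(counter: int) -> bytes:
        # KDF: SHA-1(Kseed || counter), first 16 bytes as a two-key 3DES key.
        h = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(h[:8]) + _odd_parity(h[8:16])

    return {"kseed": kseed, "kenc": kdf(1), "kmac": kdf(2)}


if __name__ == "__main__":
    parsed = parse_td3(MRZ_LINE1, MRZ_LINE2)
    print("valid:", parsed["valid"], "errors:", parsed["errors"])
    for name, key in derive_bac_keys(parsed).items():
        print(f"{name}: {key.hex()}")
    # A single OCR misread in the date of birth trips both its own and the composite digit.
    tampered = MRZ_LINE2[:18] + "7" + MRZ_LINE2[19:]
    print("tampered errors:", parse_td3(MRZ_LINE1, tampered)["errors"])
```

The check digits only catch OCR misreads and crude tampering; the authenticity of the data read from the chip comes from the issuer's signature (Passive Authentication), which is a separate step a third-party SDK would also perform.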
Acceptance criteria
Standards and concepts