Executive Summary
Trust ID provides enterprise-grade, self-sovereign identity verification that lets users store, control, and selectively share their data with brands and sites they trust. Built on an invisible, self-custodial blockchain identity infrastructure, Trust ID enables seamless identity creation, verifiable credential issuance, and storage of verification events for age, citizenship, and KYC/AML workflows — achieving 99%+ user conversion rates without seed phrases or onboarding friction.
For CMOs and CDOs: Trust ID identifies users from first interaction, reduces clicks to transaction, and enables recognition across brands and partners. For CISOs and security teams: zero-knowledge proofs, quantum-resistant encryption, GDPR/eIDAS alignment, and automated audit trails minimize custody risks while enabling global scalability across fintech, media, retail, and healthcare verticals.
Designed for regulatory scrutiny, the system ensures non-custodial digital identities (legal opinion by Zuber Lawler LLP), end-to-end data encryption, and instant scalability.
System Architecture – Zero Trust By Design
The Trust ID backend follows a microservices-based, API Gateway pattern with queued applications for document processing, integrated with MetaKeep's decentralized physical infrastructure network (DePIN). The system exposes backend, digital identity, and frontend APIs, and provides an SDK in multiple languages so that users can build their apps and integrations their own way.
Decentralized Identity Framework
The Trust ID system leverages a private open source blockchain-based infrastructure (Besu Hyperledger) developed under Apache 2.0 and written in Java to provide secure, user-controlled identity management with integrated programmatic advertising and payment capabilities. Each user receives a unique Decentralized Identifier (DID) stored on-chain, ensuring portability and verifiability across platforms. The Trust ID Digital Identity utilizes a proprietary cloud-based decentralized Hardware Security Module (dHSM) with local private key management to store verifiable credentials such as age verification and KYC documentation.
The architecture incorporates quantum-resistant lattice-based encryption and zero-knowledge proofs, delivering future-proof privacy for both identity and financial transactions. Credentials are designed with 120-year longevity guarantees, featuring unlosable keys and programmable expiration logic. The system is supported by DePIN (Decentralized Physical Infrastructure Network) infrastructure, enabling globally compliant, scalable self-sovereign identity (SSI) and interoperable payment rails.
Advanced Cryptographic Foundation
Trust ID employs enterprise-grade cryptographic protocols and compliance frameworks:
Quantum-Resistant Cryptography
Kyber (ML-KEM): NIST-approved post-quantum key encapsulation mechanism providing resistance against future quantum computing threats through Module-Lattice-Based cryptography
Privacy-Preserving Technologies
zk-SNARK: Zero-knowledge proofs enabling anonymous verification without revealing underlying data, supporting Web3 identity standards with enhanced privacy protection
EdDSA (RFC 8032): Efficient digital signature algorithm ensuring data integrity and authenticity in decentralized environments (Digital Identity)
Poseidon Hash: High-performance cryptographic hashing for privacy-preserving computations (Digital Identity)
Baby Jubjub Elliptic Curve: Supports secure document signing, zero-knowledge proofs, public-key encryption, proxy encryption, and homomorphic encryption capabilities (Digital Identity)
Compliance and Security Standards
The technology stack aligns with rigorous security and regulatory frameworks:
ISO 27001: Information security management with strengthened identity verification, audit logging, and reduced impersonation risks
NIST 800-53: U.S. government-grade security controls with enhanced identification, authentication, and granular traceability
PCI-DSS: Multi-factor authentication, OTP-based 2FA, and KYC/KYB capabilities for credit card data protection
Key Differentiators
Security and Privacy
- Zero central data storage architecture resulting in near-zero breach risk.
- Cross-platform, reusable credentials that increase conversions and enable personalization.
- Enterprise-grade regulatory compliance across GDPR, CCPA, and HIPAA frameworks.
Advanced Capabilities
- Integrated digital identity rails supporting loyalty programs, payments, and programmatic commerce.
- AI-ready infrastructure providing verified credentials for autonomous agents, enabling secure and auditable AI interactions.
- Verified, persistent identity that reduces bot-driven consent noise, advertising waste, and attribution errors compared to legacy consent tools.
Key Architectural Layers:
Access & Policy
- API Gateway: Handles auth, rate limiting, and mTLS.
Ingestion & State
- Application Containers: Store documents, metadata, and validation results.
Verification & Decisioning
- Processing Engine: Analyzes IDs via document analysts or AI (scalable capacity monitoring).
Keys & Credentials
- Digital Identity Layer: MetaKeep dHSM/TEE nodes for key generation/signing, with Nash consensus for finality.
Storage & Consent
- Data Layer: Segregated, encrypted databases with consent management.
This zero-trust design verifies every request with device posture, IP reputation, and behavior analysis.
Core Components
Interaction levels
| Level | Description |
|---|---|
| SNIPPET | Interaction via embedded JavaScript snippet on a website |
| WIDGET | Interaction via Trust ID widget/modal |
| MOBILE_APP | Interaction via native mobile application |
Interfaces
- Code Snippet: Built code embedded in another web page (website integration).
- Widget/Modal: Trust ID widget/modal experience surfaced from the snippet.
- Mobile App / SDK: Native mobile application integration via SDK / app framework.
- Browser Extension: Extension-based integration where required.
Credentials & Decisioning
- Credential Issuance / Verifier: Creates verifiable credentials with consent receipts and verified attributes in the self-sovereign digital identity.
- Offer Engine: Produces dynamic offers based on verified user preferences and interactions.
Trust ID Wallet (MetaKeep)
- Digital Identity Creation: new Metakeep({ ... }).getWallet(email) (email as identifier).
- Transaction Signing: .signTransaction(tx, "memo") (gasless, retry logic).
Scalability & Runtime
- Execution Layer: Turing-complete VM on orthogonal sharding for infinite scalability.
Services
- Backend Architecture: Service-oriented backend coordinating ingestion, verification, credential issuance, and auditability.
Technology Stack
Reference architecture stack
| Layer | Technologies | Details |
|---|---|---|
| Frontend SDK | TypeScript API | SDK for building apps or interfaces; provides a React user and brand portal |
| Backend | HTTP/JSON RAW API | API layer with Nginx protection |
| Databases | PostgreSQL | RLS configuration for data isolation and protection |
| Wallet Infra | MetaKeep SDK (JS) | EVM/Solana; HSM/TEE enclaves |
| Security | mTLS Service Mesh (Istio/Linkerd), OPA Policy Engine | Zero-trust, ABAC/RBAC |
| Other | OAuth 2.0/OpenID Connect/SAML 2.0 | Federated SSO |
No specific vendor lock-in noted; scalable cloud (sandbox/prod servers).
Security & Privacy
Trust ID Security:
Data Handling: Backend-only API integration; frontend uses own API. No direct browser exposure.
Encryption: End-to-end for apps/documents; tamper-evident audit logs.
Access: Dynamic RBAC/ABAC via IAM; consent UI/revocation.
MetaKeep Security:
Hardware: FIPS 140-2 L3 HSM/TEE; distributed keys prevent insider threats.
Crypto: Quantum-resistant; zero-knowledge (platform never sees keys).
Model: Self-custody – user controls only; 100% uptime since 2022.
Privacy Features:
Minimal data retention (24h Temp apps auto-delete).
Consent manager for data use.
GDPR-aligned: Archive visibility controls.
Chief Security Officer Notes:
Military-grade, non-custodial; withstands quantum attacks; guardian protocol for key ejection to Ledger/MetaMask.
Compliance & Regulations
Regulatory Alignment:
KYC/AML: Trust ID for ID verification; DBS checks integration.
EU/UK: eIDAS potential via API; GDPR via consent/DSAR support.
Global: No MTL/PSP needed (non-custodial); operates 195+ countries.
Standards: FIPS, USPTO patents; legal opinions for self-custody.
Chief Compliance Officer Notes:
Automated compliance checks, audit reporting.
0.00% chargeback rate; unstoppable infra.
Insurance (FDIC-inspired) for key loss/theft.
Chief Privacy Officer Notes:
Privacy-by-design; user consent logged; data minimization.
Risks & Mitigation
| Risk Category | Description | Mitigation | Owner |
|---|---|---|---|
| Operational | Processing delays/spikes | Instant scalability; capacity monitoring | CIO |
| Security | Key compromise | Distributed HSM/TEE; quantum-resistant; insider-proof | CISO |
| Custody | Platform failure | 120yr persistence; key ejection protocol | CCO |
| Data Breach | Unauthorized access | mTLS, OPA policies, SIEM; 24h auto-delete | CDO/CPO |
| Regulatory | Jurisdictional changes | Non-custodial model; global legal vetting | CCO |
| Vendor | Dependency failure | Language-agnostic APIs; multi-DB support | CIO |
Chief Data Officer Notes: Segregated stores; metadata harvesting compliant with IDS/GAIA-X schemas.
Integration & APIs
Trust ID APIs:
RAW: HTTP/JSON for direct backend calls.
JS: High-level methods (login, retrieveContainer).
Endpoints: Protected with Nginx and API gateway; sandbox/prod servers.
Trust ID Wallet APIs:
Single SDK: Digital Identity gen/sign in 5 mins; multi-chain gasless.
api.retrieveDocumentContainer(id)
.then(app => metakeep.sign(app.verifiedTx));
Chief Information Officer Notes
Backend-focused; no frontend direct integration; Notion SDK examples for apps/Offer Engine.
SDK Overview
Trust ID provides a developer-first SDK that abstracts identity creation, consent, verification workflows, and digital identity operations behind a simple, consistent interface. The SDK is designed to support rapid integration while preserving Trust ID’s zero-trust, non-custodial architecture.
The SDK can be used in web, backend, and mobile contexts, and is the recommended integration path for most implementations. It handles authentication flows, lifecycle state transitions, and secure handoff to digital identity operations without exposing private keys or sensitive credentials to the client.
Full SDK documentation, installation guides, API reference, and code examples are available in our Developer Documentation.
When to use the SDK
- Frontend or mobile integrations requiring fast deployment
- Standard login, consent, and verification flows
- Multi-chain, gasless digital identity operations
- Teams that want managed security defaults and lifecycle handling
When to use RAW APIs instead
- Highly customized backend-only workflows
- Legacy systems with strict integration constraints
- Internal tooling or batch processing pipelines
Vendor Dependencies
| Vendor/Service | Role | Risk Level | Alternatives |
|---|---|---|---|
| MetaKeep | Wallet infra | Low (self-custodial) | None equivalent for invisible HSM |
| Trust ID Cloud | IDV processing | Medium (SaaS) | Custom AI doc analysis |
| DB Vendors | PostgreSQL | Low | Multiple options |
| Cloud Providers | Hosting (inferred) | Low | Sandbox/prod agnostic |
| IAM Tools | Keycloak | Low | Open standards |
User Lifecycle
Signals
| Signal | Description |
|---|---|
| Collected and encrypted on signup | |
| Phone | Collected and encrypted on signup |
| Age Gate Skip | User has verified age range on file |
| Region | User has state/country information |
Interaction levels
| Level | Description |
|---|---|
| SNIPPET | Interaction via embedded JavaScript snippet on a website |
| WIDGET | Interaction via Trust ID widget/modal |
| MOBILE_APP | Interaction via native mobile application |
Users progress through distinct phases based on their verification status.
Anonymous User
A user who has opened the Trust ID widget but has not started the verification process. They may have accepted, rejected, or clicked data preferences, but have not entered their phone number or email. Anonymous users are tracked via a temporary anonymous ID until they authenticate.
Unverified User
A user who has entered their phone number (or email after failed phone attempts) but has NOT submitted the OTP code. These users have never successfully authenticated and have no login timestamp on record.
Verified User
A user who has submitted the OTP code they received and successfully logged in at least once. This is equivalent to "Trust ID Verified" in the dashboard.
Credential Verified User
A verified user who has completed additional verification to be issued a credential. Supported credential types include Document Verification and Proof Of Age.
User States
Trust ID Verified
A user who has completed OTP (one-time password) verification, meaning they have successfully logged in at least once. Verification is confirmed when the user's last_login_at timestamp is set.
New ID
A user who has started the Trust ID verification process within the specified date range. This includes users who may not have completed verification yet—only that they initiated the flow.
Returning User
A Trust ID Verified user who has returned to interact with the platform after their initial session.
Calculation by period:
30/90 days: User was verified before the selected time range AND has at least one session within the range
All time: User has 2 or more total sessions
Active Account
A user who has interacted with Trust ID within the specified time range (has at least one session).
Inactive Account
A user who has not interacted with Trust ID within the specified time range (no sessions in period).
Consent
A user's response to our legal consent prompt. Users can either accept or reject. We record anonymous user consents, but analytics are only performed on Trust ID Verified users.
Withdrawn Consent
A user who initially accepted the consent prompt but later rejected it. This is distinct from a simple rejection—it indicates a change of mind after prior acceptance.
Repeat Consent Eliminated (RCE)
The estimated number of consent prompts not shown to returning Trust ID Verified users because the system recognized them from a previous session.
Calculation: returning_users × 1.5
Total Consent Clicks Saved (TCCS)
The estimated total number of user clicks saved through Trust ID's streamlined consent handling.
Calculation:
Non-age-gated brands: accepted_consents × 1.5
Age-gated brands: accepted_consents × 8 (includes age verification flow)
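The Returning User, RCE, and TCCS calculations above, worked through on constructed sample data. This is an added example, not Trust ID's own code: only last_login_at comes from the definitions above, while verified_at (time of first successful OTP login), sessions, and the function names are assumptions made for illustration.

```javascript
// Added example. Only last_login_at comes from the page; verified_at (first
// successful OTP login) and sessions (ISO timestamps) are assumed field names.
const DAY_MS = 24 * 60 * 60 * 1000;

// "Trust ID Verified": last_login_at is set.
const isTrustIdVerified = (u) => u.last_login_at != null;

// periodDays = 30 or 90 for a windowed report, null for "All time".
function isReturningUser(user, now, periodDays) {
  if (!isTrustIdVerified(user)) return false;
  const sessions = user.sessions.map((s) => Date.parse(s));
  if (periodDays === null) return sessions.length >= 2;
  const start = now - periodDays * DAY_MS;
  // Verified before the window AND at least one session inside it.
  const verifiedBefore = Date.parse(user.verified_at) < start;
  return verifiedBefore && sessions.some((t) => t >= start && t <= now);
}

function consentMetrics(users, acceptedConsents, ageGated, now, periodDays) {
  const returningUsers = users.filter((u) => isReturningUser(u, now, periodDays)).length;
  return {
    returningUsers,
    rce: returningUsers * 1.5,                      // Repeat Consent Eliminated
    tccs: acceptedConsents * (ageGated ? 8 : 1.5),  // Total Consent Clicks Saved
  };
}

// Constructed sample data (not real users).
const NOW = Date.parse("2024-06-30T00:00:00Z");
const SAMPLE_USERS = [
  { id: "alice", verified_at: "2024-01-10T09:00:00Z", last_login_at: "2024-06-20T09:00:00Z",
    sessions: ["2024-01-10T09:00:00Z", "2024-06-20T09:00:00Z"] },
  { id: "bob", verified_at: "2024-06-15T09:00:00Z", last_login_at: "2024-06-18T09:00:00Z",
    sessions: ["2024-06-15T09:00:00Z", "2024-06-18T09:00:00Z"] },  // verified inside the window
  { id: "carol", verified_at: "2024-02-01T09:00:00Z", last_login_at: "2024-02-01T09:00:00Z",
    sessions: ["2024-02-01T09:00:00Z"] },                          // no session in the window
  { id: "dave", verified_at: null, last_login_at: null,
    sessions: ["2024-06-25T09:00:00Z", "2024-06-26T09:00:00Z"] },  // never submitted the OTP
];

console.log(consentMetrics(SAMPLE_USERS, 10, false, NOW, 30));
console.log(consentMetrics(SAMPLE_USERS, 10, true, NOW, null));
```

The same user can count as returning under "All time" but not under the 30-day window (bob in the sample), so RCE figures from the two views are not directly comparable.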
Cross-Domain & Portability
A Trust ID Verified user who has interacted with 2 or more domains within the Tracer brand ecosystem. This includes brands that are subsidiaries of the same parent organization.
Syndicated User Overlap
A dashboard visualization showing user overlap and cross-domain activity between brands. Displays which users have visited multiple brands within the Tracer ecosystem.
Pre-Fill
When a user leverages their stored identity information to auto-complete form fields (partially or fully) on a Tracer brand ecosystem site.
Pre-Fill Eligible User
A Trust ID Verified user who has at least one piece of personal information stored that could be used for form auto-fill. Eligible fields include: name, email, phone, age, gender, and location.
Pre-Fill Signal
A specific identity attribute that can be used for form auto-fill. Each signal is either populated or empty depending on whether the user has provided that information.
Currently supported signals:
Persona Match
A match between a Trust ID Verified user and our 3rd-party persona data store. This data was collected with user consent outside of our system. When a match is found, we can legally indicate that additional information is available for that user.
User Level
The method or context through which a user interacted with Trust ID.
Trust ID Script
A single-line JavaScript snippet required to install the Trust ID verification flow and consent prompt on a website. The Trust ID Chrome extension can overlay and preview sites with active Trust ID snippets for testing purposes.
Age Gate
An additional verification step required by law for age-restricted products (alcohol, cannabis, etc.). Users must verify their age via DOB entry or credential check before proceeding.
Age Verified User
A user who has completed age verification through a credential check.
Age Gates Eliminated
The count of sessions where a returning age-verified user was automatically recognized and skipped the age gate prompt.
Session Tracking
Anonymous Session
A session created when an unauthenticated user opens the Trust ID widget. A temporary anonymous ID is generated and stored until the user authenticates, at which point it is linked to their user account and removed.
Authenticated Session
A session for a logged-in user. All events are recorded directly against the user ID with no anonymous tracking.
APPENDIX: Trust ID Taxonomy
A comprehensive glossary of terms and definitions used throughout the Trust ID platform and analytics dashboard.