Arweave, Akord and GDPR compliance

Arweave

Arweave is a new blockchain protocol creating for the first time truly permanent serverless data storage. This technology is still largely reserved for a more tech savvy user thatโ€™s comfortable with the various technical processes required to use it.

From a GDPR standpoint, Arweave provides in its technical documentation, a transaction format (ANS-106) the possibility for people to let miners know not to store certain data on grounds of privacy, regulation, copyright, etcโ€ฆ

Privacy and private data processing are very much at the heart of Arweaveโ€™s business. As its CEO, Sam Williams, stated in an interview in 2022: "It's the node's responsibility, both morally and legally, to abide by the laws of their land, and the network allows them to do that."

Akord

Akord is a protocol developed by Zero Knowledge Collective. The protocol offers a digital storage space on the Arweave blockchain and a means for its users to publish their digital files to the Permaweb.

One of the main objectives of the Akord application is to democratise the use of the Arweave blockchain, giving back control of the data fully owned by its users. The app offers digital vaults with a simple UX making Arweave accessible to a broad range of users.

This digital vault service can be qualified as automated processing of personal data, insofar as its management is based on computerised operations and the content of this storage space is, by nature, dependent on the case, linked to an identifiable physical person (the user).

In the following sections, we will discuss how Akord meets the various GDPR requirements.

How Akord works towards full GDPR compliance

The following sections will provide examples on how Akord manages to minimize the risks when processing personal data based on the Arweave blockchain and thus meet GPDR requirements.

Regarding recipients

Unlike the data stored in public vaults, the documents imported into the encrypted vaults, can only be consulted by the user concerned and the persons he or she has specially authorised and invited into the vault (who are themselves subject to an authentication mechanism).

In practice, the data is encrypted with a key, controlled only by the user, and protected by cryptographic mechanisms making it incomprehensible to unauthorised third parties. The transfer of data on the blockchain is protected by advanced cryptography.

Processed data

In its capacity as provider of the digital vault service, Akord is required to process data enabling users to be identified with certainty and the associated data necessary for the operation of its service.

As soon as Akord defines the means and purposes for the implementation of these two processing operations (cryptographic commitment, encrypted key in particular), it assumes the role of data controller and is therefore subject to the obligations of GDPR.

Access to the encrypted digital vaults is strictly limited to the user, and it is therefore technically impossible for Akord to determine in advance the nature of the documents that a user will decide to store in his or her private space. Furthermore, Akord is not technically capable of accessing the contents of a vault, nor its possible backups.

Data stored by users in their encrypted vaults are in principle excluded from the scope of GDPR (and they are not processed by Akord). The same applies to the automatic retrieval of digital documents, because these documents are not used by Akord but only entered into a digital vault.

Last updated