Sieve is engineered under privacy-by-design and security-by-design: data minimization (token return instead of PII), AES-256 end-to-end encryption, Zero-Knowledge Proofs and revocable consent. By construction, the architecture meets the principal data-protection, identity, anti-money-laundering and electronic-signature standards of the jurisdictions in which our partners operate. This page summarizes the framework per region.
Sieve Compliance Pack (PDF)
Single document for procurement teams — FAQ answers, jurisdictional pillars and glossary.
Cross-cutting principles
- Data minimization. The platform returns an approval token (match: yes/no). PII is never written to a Sieve database at rest.
- Non-custodial. Tri-partite sharding makes biometric material unreconstructable without a live biovital match — there is no honeypot to leak.
- Lawful processing. The partner agency or operator acts as the Data Controller; Sieve operates strictly as Data Processor / Operator under a binding DPA.
- Transparency. Every artifact is anchored to an append-only Merkle log and verifiable by hash, without exposing PII.
- Revocable consent. The holder can revoke a grant at any time; downstream systems receive the revocation event.
United States 🇺🇸
- ESIGN Act (15 U.S.C. §7001) and UETA — biovital e-signatures meet the federal and state requirements for enforceable electronic records and signatures, with face + GPS + timestamp + immutable log.
- HIPAA — for health-sector deployments, Sieve operates as a Business Associate under a HIPAA-compliant BAA, processing PHI strictly under instruction.
- CCPA / CPRA (California) — supports right-to-know, right-to-delete and opt-out via the revocable consent surface.
- BIPA (Illinois) and analogous state biometric laws — addressed by the non-custodial architecture: no biometric identifier is stored in reconstructable form.
- OFAC sanctions — real-time screening against OFAC SDN, sectoral and consolidated lists in the verification pipeline.
- NIST 800-63-3 IAL2/AAL2 — alignment with federal digital identity guidelines for identity proofing and authenticator assurance.
- SOC 2 Type II — control environment for security, availability and confidentiality.
European Union 🇪🇺
- GDPR (Regulation 2016/679) — lawful bases, data subject rights, DPIA support, processor commitments and Standard Contractual Clauses for any cross-border transfer.
- eIDAS 2 (Regulation 910/2014, as amended) — interoperability with the EU Digital Identity Wallet model and qualified electronic signature flows.
- AI Act (Regulation 2024/1689) — biometric processing operated under controller instruction, with human oversight and risk classification handled by the agency deploying Sieve.
- NIS2 Directive — security controls aligned to essential-entity obligations for partners operating critical infrastructure.
- ePrivacy — cookie-free verification surface; the SDK does not set tracking cookies.
United Kingdom 🇬🇧
- UK GDPR + Data Protection Act 2018 — full alignment with the UK data-protection regime; SCCs / UK IDTA for transfers.
- Electronic Communications Act 2000 — electronic signatures and records.
- DSIT Digital Identity & Attributes Trust Framework — identity proofing and authentication aligned to the UK DIATF profile.
Brazil 🇧🇷
- LGPD (Lei nº 13.709/2018) — roles of Controller (public partner) and Operator (Sieve), minimal processing, a defined legal basis and support for data subject rights.
- Marco Civil da Internet (Lei nº 12.965/2014) — privacy, protection of records and inviolability of citizens' data.
- MP 2.200-2/2001 and Lei 14.063/2020 — advanced and qualified electronic signatures with biovital proof and an immutable log.
- Lei das Estatais (Lei nº 13.303/2016, art. 28, §3º, II) — legal basis for direct contracting on grounds of technological uniqueness, in line with the TCU (Acórdão 2488/2020-Plenário).
- BCB / Open Finance — integration with the regulated ecosystem through approval tokens, without custody of sensitive data.
- BNMP/CNJ, Sinesp and Interpol — sovereign shield: real-time FaceScan cross-matching against databases of warrants, missing persons and notice lists.
International — AML/CFT and identity
- FATF Recommendations — KYC, KYB, AML, PEP, UBO and sanctions screening across 190+ countries.
- FATF Digital ID Guidance — non-face-to-face identity proofing aligned with the FATF reliability framework.
- ICAO 9303 (MRZ/NFC e-Passport) — passport reading and validation for border and e-Visa use cases.
- ISO/IEC 27001 — information security management.
- ISO/IEC 27701 — privacy information management extension.
- ISO/IEC 29115 — entity authentication assurance framework.
- ISO/IEC 30107-3 — presentation attack detection (PAD) for biometric systems.
Asia-Pacific 🌏
- PDPA (Singapore) and equivalents in Malaysia, Thailand and the Philippines — controller/processor model with data-minimization defaults.
- APPI (Japan) — cross-border transfer rules supported via SCC-equivalent commitments.
- Privacy Act 1988 (Australia) + APPs — operated under partner-controller instruction.
- DPDPA 2023 (India) — consent-first processing aligned with the Indian data-protection regime.
Middle East & Africa 🌍
- UAE PDPL (Federal Decree-Law 45/2021) and DIFC / ADGM data-protection regimes — controller-instructed processing with cross-border transfer safeguards.
- KSA PDPL — alignment with Saudi data-protection requirements; in-country deployment supported.
- South Africa POPIA — operator commitments under the South African framework.
- African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) — alignment with continental principles.
Compliance glossary
Working definitions drawn from the Sieve whitepaper and executive summaries. Use these when reviewing the DPA, MIP, or the Contrato de Parceria Estratégica.
- Biovital: Proprietary liveness signal binding a verification to a real, present, uncoerced human — combining face, micro-motion, rPPG pulse, GPS and timestamp.
- Biovital Token: Single-use cryptographic token produced from a fresh live capture; required to reconstruct sharded material.
- Tri-partite Sharding: Shamir Secret Sharing (GF(256)) split across device, protocol and partner/guardian. No party holds a reconstructable template.
- Sovereign ID (SIDI): Non-custodial sovereign identity architecture in which the citizen, not the platform, controls the identity surface.
- Data Faucet: User-facing consent surface for issuing, scoping and revoking grants to relying parties.
- Approval Token: Yes/no match artifact returned to the relying party in place of PII.
- Zero-Knowledge Claim: Cryptographic assertion (e.g. “age ≥ 18”) that proves a fact without revealing the underlying attribute.
- Data Controller / Controlador: Entity that determines purpose and means of processing — under GDPR / LGPD this is the partner agency.
- Data Processor / Operador: Entity that processes data on the Controller’s instruction — Sieve’s role under DPA.
- DPA: Data Processing Agreement governing the Controller-Processor relationship.
- SCC / UK IDTA: EU Standard Contractual Clauses and the UK International Data Transfer Agreement, used to lawfully transfer personal data across borders.
- ESIGN / UETA: U.S. federal and state legal framework recognizing electronic records and signatures.
- eIDAS: EU Regulation 910/2014 governing electronic identification, authentication and trust services.
- BIPA: Illinois Biometric Information Privacy Act — strict regulation of biometric identifier collection and storage.
- LGPD: Lei Geral de Proteção de Dados (Lei nº 13.709/2018) — the Brazilian general data-protection law.
- Marco Civil da Internet: Lei nº 12.965/2014 — Brazilian internet bill of rights covering privacy and record protection.
- MP 2.200-2/2001 + Lei 14.063/2020: Brazilian framework for advanced and qualified electronic signatures.
- Lei das Estatais: Lei nº 13.303/2016 — governs Brazilian state-owned enterprises; Art. 28 §3º II grounds direct contracting for technologically unique objects.
- MIP: Manifestação de Interesse Privado — formal private-sector proposal mechanism used to initiate a strategic partnership with a public entity.
- FATF Recommendations: Global standards on AML/CFT, KYC, PEP, UBO and sanctions screening across 190+ jurisdictions.
- OFAC SDN: U.S. Treasury Office of Foreign Assets Control Specially Designated Nationals list — primary U.S. sanctions screening source.
- NIST 800-63-3 IAL2/AAL2: U.S. federal digital identity guidelines for identity-proofing and authenticator assurance levels.
- ISO/IEC 27001 / 27701 / 29115 / 30107-3: International standards for information security management, privacy management, entity-authentication assurance and biometric presentation-attack detection.
- ICAO 9303: International civil aviation standard for machine-readable travel documents (MRZ / NFC e-Passport).
- Merkle Anchoring: Append-only cryptographic log used to anchor and verify artifacts by hash without exposing PII.
Data roles
The partner agency acts as Data Controller (public purpose, defined finality). Sieve operates strictly as Data Processor / Operator, returning approval tokens — never PII at rest. The relationship is governed by a binding Data Processing Agreement with incident-notification SLAs, audit-trail access and sub-processor disclosure.
Certifications and audit
Sieve maintains its security and privacy program against the controls listed above. Specific certification status, scope statements and audit reports are shared under NDA on request via gov@mysieve.com.
