Building a Web3 ID solution
TL;DR:
The European Blockchain Sandbox has concluded its second cohort, which featured the IOTA Foundation's tokenized Know Your Customer solution built with IDnow, walt.id and Bloom Wallet. The sandbox provided important lessons on identity verification for compliance and privacy protection in Web3, including the use of off-chain verification, soulbound tokens, and GDPR-compliant wallet and node practices.
Our participation is complete. The European Blockchain Sandbox, a three-year initiative by the European Commission, gives innovative distributed ledger projects the opportunity to test their solutions with regulators across Europe. Each year, 20 projects are selected to participate, and the IOTA Foundation was part of the second cohort, which ran from June 2024 to March 2025.
Our contribution was a tokenized know-your-customer (KYC) solution co-developed with IDnow, walt.id and Bloom Wallet. This proof-of-concept allows users to verify their identity off-chain and receive a tokenized proof in their wallet, so that dApps, exchanges and other services can check eligibility requirements (such as age verification) without sensitive data being exposed on-chain.
The European Commission marked the end of the sandbox with a best-practice report for the second cohort. The report shares the recommendations and best practices that came out of the program and offers valuable guidance for anyone developing DLT solutions and navigating their regulatory implications.
Sandbox key points: sharing customer data
A main focus in the sandbox was how anti-money laundering (AML) and KYC rules actually apply. The regulators stressed that crypto exchanges and other service providers have a legal obligation to know the identities of their users. Our tokenized KYC solution therefore allows organizations responsible for performing KYC checks to access verified personal data from the identity verification provider, in this case IDnow. Similarly, authorities such as the police can request the personal data linked to a given non-transferable (soulbound) token.
To make customer onboarding simpler, companies may be able to reuse KYC data already collected by another organization. However, the rules for doing so vary across Europe: in some countries, data can only be shared between entities of the same category, while broader sharing requires special approval from national authorities. The upcoming Anti-Money Laundering Regulation (AMLR) is expected to harmonize these rules on the use of customer information collected by other organizations.
Sandbox key points: soulbound tokens
The report also highlighted key lessons on how to classify data in self-hosted wallets, KYC processes and public permissionless DLTs like IOTA. In our tokenized KYC solution, only soulbound tokens are recorded on-chain. These tokens contain no personal data themselves but prove that the KYC process has been completed; the underlying KYC data is stored securely off-chain. The sandbox noted that such tokens may still be treated as pseudonymized personal data, which means the GDPR applies. This classification may evolve with new case law and guidelines and therefore requires continuous review. To minimize data protection risk, our solution follows a data-protection-by-design approach by limiting the amount and type of data shared on-chain.
Sandbox key points: wallet providers and node operators
Another important topic in the sandbox was how wallet providers and node operators are classified under the GDPR.
- The report concludes that a self-hosted wallet provider is not considered a data controller or processor when the wallet runs solely on the user's device without relying on an external backend. With our tokenized KYC solution, verified identity data remains off-chain with IDnow, and users' self-hosted wallets hold only the soulbound KYC credential. This design is in line with GDPR guidance: responsibility for personal data rests with the party actually accessing or using the data, for example IDnow for verification and off-chain storage and, where applicable, integrating services such as dApps and exchanges that legally request or use the data.
- The GDPR classification of node operators requires careful nuance. As we recently commented on the European Data Protection Board's guidelines on personal data in blockchains, nodes only perform technical functions: they do not determine or control the purposes of data processing. Treating them as controllers misrepresents their role and imposes disproportionate duties on them. Our tokenized KYC solution reinforces this distinction. Verified identity data remains off-chain with IDnow; only non-transferable KYC credentials with no personal attributes are recorded on-chain. A node merely relays or verifies this pseudonymized credential and never accesses the identity dataset. Even if such credentials qualify as personal data, this design minimizes on-chain exposure and ensures that responsibility rests with the entity actually processing the identity information. This provides a viable path to meeting AML/KYC requirements while respecting data protection.

Funds transfer regulations and anti-money laundering regulations require entities such as cryptocurrency exchanges to maintain data about users of self-hosted wallets and to identify the owners of those wallets. At the same time, dApps and DeFi operators are increasingly looking for ways to enable compliant identity checks without compromising privacy and security. There is a growing need for on-chain identification tools that ensure smooth and compliant interactions in the Web3 ecosystem.
Our proof-of-concept tokenized KYC solution combines all the necessary steps into one easy-to-use tool.
- By having a trusted party witness the identity verification process and tokenize the result as a soulbound token, dApps and other entities can rely on the verification without the user's actual personal identity being revealed.
- Soulbound tokens can be used in on-chain processes and enable Web3-native interactions.
- The trusted party can reveal the identity if requested by an authorized party (such as law enforcement).
- The trusted party can also revoke tokens when invalidation is required (such as after watchlist changes).
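The four steps above, written out as an added example that is not part of the original post and not code from IOTA, IDnow, walt.id or Bloom Wallet: a Python simulation in which an in-memory dictionary stands in for the ledger, `IdentityProvider` is a hypothetical verifier whose document check is a constructed stub, and the reference date, wallet addresses and sample persons are all constructed. It shows what stays off-chain (name, birth date), what goes on-chain (a pseudonymous id and a boolean claim), that the token has no transfer path, and how revocation and authorized disclosure work.

```python
# Added illustration of the tokenized KYC flow. Example code only: the ledger is
# an in-memory dict, the provider is hypothetical, and all sample data is constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date
from types import MappingProxyType

# Fixed reference date so the age check is deterministic (constructed).
REFERENCE_DATE = date(2025, 3, 1)


@dataclass(frozen=True)
class SoulboundToken:
    """On-chain record: a pseudonymous id bound to a wallet, carrying no personal attributes."""
    token_id: str
    holder: str               # wallet address the token is bound to
    issuer: str               # identity verification provider that witnessed the KYC
    claims: MappingProxyType  # e.g. {"age_over_18": True}; never names or document numbers


class Ledger:
    """Stand-in for the chain: stores tokens and a revocation set, and has no transfer path."""

    def __init__(self):
        self.tokens = {}
        self.revoked = set()

    def mint(self, token: SoulboundToken) -> None:
        if token.token_id in self.tokens:
            raise ValueError("token already minted")
        self.tokens[token.token_id] = token

    def transfer(self, token_id: str, new_holder: str) -> None:
        # Soulbound by construction: transfer is not a supported operation.
        raise TypeError("soulbound tokens cannot be transferred")

    def revoke(self, token_id: str, issuer: str) -> None:
        # Simplification: issuer identity is a plain name; a real chain would check a signature.
        if self.tokens[token_id].issuer != issuer:
            raise PermissionError("only the issuing provider may revoke")
        self.revoked.add(token_id)

    def is_valid(self, token_id: str, holder: str) -> bool:
        token = self.tokens.get(token_id)
        return token is not None and token.holder == holder and token_id not in self.revoked


class IdentityProvider:
    """Hypothetical verifier: keeps personal data off-chain, issues tokens with derived claims."""

    def __init__(self, name: str):
        self.name = name
        self._secret = secrets.token_bytes(32)  # keeps token ids unlinkable without the provider
        self._records = {}                      # token_id -> personal data, off-chain only

    def verify_and_issue(self, ledger, wallet, full_name, birth_date, document_ok):
        # Off-chain document check, stubbed here; a real provider inspects ID documents.
        if not document_ok:
            raise ValueError("identity verification failed")
        age = REFERENCE_DATE.year - birth_date.year - (
            (REFERENCE_DATE.month, REFERENCE_DATE.day) < (birth_date.month, birth_date.day))
        # Pseudonymous id derived with a provider secret: the chain alone cannot link it to a person.
        material = f"{self.name}|{wallet}|{full_name}|{birth_date.isoformat()}".encode()
        token_id = hmac.new(self._secret, material, hashlib.sha256).hexdigest()
        self._records[token_id] = {"full_name": full_name,
                                   "birth_date": birth_date.isoformat(), "wallet": wallet}
        claims = MappingProxyType({"age_over_18": age >= 18})  # derived claim, no raw attribute
        ledger.mint(SoulboundToken(token_id, wallet, self.name, claims))
        return token_id

    def disclose(self, token_id, requester_is_authorized):
        # Only an authorized party (e.g. law enforcement) receives the underlying data.
        if not requester_is_authorized:
            raise PermissionError("disclosure requires an authorized request")
        return dict(self._records[token_id])


def dapp_age_gate(ledger, token_id, wallet) -> bool:
    """What a dApp sees: token validity plus a boolean claim, never the identity."""
    if not ledger.is_valid(token_id, wallet):
        return False
    return bool(ledger.tokens[token_id].claims.get("age_over_18", False))


def demo():
    """Run the full flow on constructed data and return the observable outcomes."""
    ledger = Ledger()
    provider = IdentityProvider("example-idp")  # constructed name, not a real provider
    adult = provider.verify_and_issue(ledger, "wallet-A", "Alice Example", date(1990, 5, 20), True)
    minor = provider.verify_and_issue(ledger, "wallet-B", "Bob Example", date(2010, 5, 20), True)
    out = {"adult_ok": dapp_age_gate(ledger, adult, "wallet-A"),
           "minor_ok": dapp_age_gate(ledger, minor, "wallet-B"),
           # nothing on the ledger mentions a name or birth date
           "onchain_has_name": any("Alice" in str(t) for t in ledger.tokens.values())}
    try:
        ledger.transfer(adult, "wallet-C")
        out["transfer_blocked"] = False
    except TypeError:
        out["transfer_blocked"] = True
    try:
        provider.disclose(adult, requester_is_authorized=False)
        out["unauthorized_blocked"] = False
    except PermissionError:
        out["unauthorized_blocked"] = True
    out["disclosed_name"] = provider.disclose(adult, requester_is_authorized=True)["full_name"]
    ledger.revoke(adult, "example-idp")  # e.g. after a watchlist change
    out["after_revoke"] = dapp_age_gate(ledger, adult, "wallet-A")
    return out


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the only thing a dApp can learn from the ledger is "this wallet holds an unrevoked credential from this issuer with claim X": the name and birth date exist only in the provider's off-chain store, and re-identification is a deliberate act by the issuer rather than something the chain permits.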
After the completion of this project, the IOTA Rebased mainnet was launched with a new architecture based on the Move Virtual Machine. To support use cases like tokenized KYC solutions, we introduced the IOTA Trust Framework, a suite of configurable infrastructure components, each developed with privacy, compliance and ease of use in mind.