Privacy Policy

How Real Frame handles personal data across its credential issuance and verification infrastructure, under Swiss and EU data protection law.

Introduction

Real Frame Sagl ("Real Frame", "we", "us") provides trust infrastructure that lets organizations issue and verify W3C Verifiable Credentials. Our customers use a dashboard and API to issue credentials to their users ("Frame") and verify credentials that users present ("Gate"), using the open standards OID4VCI and OID4VP and interoperating with EUDI-compatible wallets.

This policy explains how we collect, use, store, share, and protect personal data when you use our services at realframe.ch. We comply with the Swiss Federal Act on Data Protection (revised FADP, in force since 1 September 2023) and, where it applies, the EU General Data Protection Regulation (GDPR). By using Real Frame, you acknowledge that you have read and understood this policy.

Who we are

The entity responsible for the data described in this policy is:

Real Frame Sagl
Via alla Roggia 16
6900 Lugano, Ticino, Switzerland
Contact: info [at] realframe [dot] me

For any privacy question or to exercise your rights, reach us through our contact page. We respond to every request.

Our roles

Real Frame is business-to-business infrastructure. Our customers are organizations that use Real Frame to issue credentials to, and verify credentials from, their own end users. Under data protection law the same data can have different responsible parties depending on who decides the purpose of processing. Three roles apply:

  • We are the controller for the personal data of the organizations and account administrators who sign up for Real Frame, and for operational data such as the billing relationship, usage, and audit logs. Using a vendor to carry out this processing does not change our role as controller.
  • We are a processor for the personal data inside the credentials our customers issue and verify (the "credential subject" data). The issuing or verifying organization is the controller of that data; we process it only on their documented instructions, under a Data Processing Agreement.
  • Our payment provider is an independent controller. When you pay, Stripe processes card and payment data under its own legal, fraud-prevention, and card-network obligations, not on our instructions. We never receive or store your full card number. See Stripe's privacy policy.

Where credentials live

Real Frame is designed to avoid becoming a central store of identity data. This shapes how the platform handles credential data:

  • Credentials are held in the user's wallet. When a credential is issued, it is delivered to and stored in the end user's EUDI-compatible wallet. We do not maintain a central repository of issued credentials.
  • Sessions are not retained. The current platform does not persist issuance or verification session payloads. Subject data is processed transiently to mint a credential or to validate a presentation, then released.
  • Verification is pass-through. When a credential is verified, the validation result and any disclosed claims are returned to the requesting organization; we do not keep a copy.

Credentials may contain sensitive identity data such as name, date of birth, or a national identifier. We treat all such data with corresponding care.

Data we collect as controller

Account information

When you register an organization on Real Frame, we collect:

  • Identity: the administrator's name and email, and the organization name.
  • Credentials: your password is managed by our authentication provider and stored hashed; we never see or store plain-text passwords.
  • API keys: we store only a strong one-way hash of the key, combined with a server-side secret, plus a short, non-secret prefix used to identify it. The full key is shown once, at creation, and never persisted in readable form.

Billing data

Subscriptions and payments are handled by Stripe (Checkout and Customer Portal). We do not store card numbers. We retain billing metadata such as plan, subscription status, and customer identifiers needed to manage your account.

Usage, audit, and technical data

  • Audit and usage events: records of account- and security-relevant actions and aggregate issuance/verification counts, retained for a limited period (up to roughly 90 days) for security and troubleshooting.
  • Technical data: IP address, device and browser type, and request logs, collected automatically to operate and secure the service.
  • Support communications: the content of messages you send us through the contact page or by email.

Credential data we process

When a customer issues or verifies credentials, the platform processes personal data the customer controls. We act as the customer's processor for this data, under a Data Processing Agreement. A copy of that agreement is available to customers on request.

  • Issuance. The subject attributes provided by the customer, or held in the issuer's identity provider for built-in identity credentials, are used to mint a signed credential (SD-JWT VC or mdoc) that is delivered to the user's wallet. We do not retain a standing copy of the issued credential.
  • Verification. The user's wallet presents a credential; our verifier checks the signature, validity, holder binding, revocation status, and trust chain, then returns the result and disclosed claims to the customer. We do not store the presented claims.
  • Schemas. We store the credential schema definitions a customer creates (field structure and metadata), which configure how credentials are issued.
  • Erasure and revocation. Credential status is managed with W3C Status List 2021. When an organization is deleted, the credentials it issued are revoked before its records are removed; any later verification of those credentials fails. Copies already in a user's wallet remain physically present but are rejected by verifiers that check status.

We do not use credential subject data for our own purposes, do not sell it, and do not use it to train models. If you are an end user whose credential was issued or verified through Real Frame, the relevant organization is your controller and first point of contact; we will support them in responding to your request.

How we use data

As a controller, we process personal data to:

  • Provide the service: authenticate you and manage your organization, API keys, schemas, and credential operations.
  • Handle billing: manage subscriptions, payments, and renewals through Stripe.
  • Secure the platform: detect and prevent fraud, abuse, and unauthorized access, enforce rate limits, and maintain audit trails.
  • Communicate: send service notices, security alerts, and support responses.
  • Improve and comply: analyze aggregated usage to improve the product and meet our legal obligations.

Providers & partners

Sub-processors. We rely on a small set of vetted providers that process personal data on our behalf and on our instructions, under contractual data protection obligations. They fall into the following categories:

  • Cloud hosting and content delivery for the web application.
  • Authentication and database hosting, located in Switzerland.
  • Backend service hosting for our gateway, issuer, and verifier services, located in Switzerland.
  • Email delivery for authentication and operational notices.
  • Rate-limiting infrastructure, processing limited identifiers such as organization ID and IP address.

A current, named list of our sub-processors is available to customers on request and through our data processing agreement.

Issuance identity provider. We operate an identity provider as part of our issuer infrastructure. It holds the user attributes used to mint built-in identity credentials and is part of our own systems, not a third-party recipient of your data.

Trust registry. During verification, our verifier queries an EUDI trusted-issuer registry to confirm that a credential's issuer is trusted. This check concerns issuer identity; we do not send credential subject data to the registry.

Independent controller. Our payment provider, Stripe, processes payment and card data as an independent controller under its own legal, fraud-prevention, and card-network obligations, as described above. We never receive or store your full card number.

We do not sell, rent, or trade personal data. Beyond the providers and partners above, we disclose data only where required by law or valid legal process, or in connection with a merger or acquisition with prior notice to affected users.

International transfers

Real Frame is based in Switzerland and hosts its core data infrastructure in Switzerland. Some providers, such as our payment provider, may process certain data abroad; where they do, we rely on an adequacy decision or Standard Contractual Clauses with the Swiss addendum, together with appropriate safeguards. Switzerland is recognized by the European Commission as providing an adequate level of data protection.

Data retention

  • Account data: retained while your account is active and deleted within 30 days of account closure.
  • Credential subject data: processed transiently for issuance or verification and not stored as a standing copy. Issued credentials live in the user's wallet; on account deletion the related credentials are revoked.
  • Audit and usage events: retained for a limited period, up to roughly 90 days.
  • Billing records: retained as required by accounting law, typically up to 10 years under Swiss law.
  • Technical logs: retained for a limited period for security and troubleshooting, then deleted or anonymized.

Security

We apply technical and organizational measures appropriate to the sensitivity of credential infrastructure, including:

  • encryption of data in transit (TLS);
  • API keys stored only as strong one-way hashes combined with a server-side secret and verified in constant time; passwords stored hashed;
  • credentials cryptographically signed with a private key held as a protected secret, which serves as the root of trust for issuance;
  • strong encryption at rest where any sensitive field is ever persisted;
  • database row-level security and least-privilege access for personnel;
  • replay protection on credential presentations and fail-closed trust-chain checks;
  • audit logging and monitoring of sensitive operations.

A current, detailed description of our technical and organizational measures, including the specific algorithms and parameters we use, is available to customers under our Data Processing Agreement.

No system is perfectly secure. Use a strong, unique password and keep your API keys confidential. Contact us immediately if you suspect unauthorized access.

Your rights

Subject to Swiss and EU law, you have the right to access, rectify, erase, restrict, and port your personal data, to object to certain processing, and to withdraw consent. To exercise any of these rights, contact us through the contact page. We respond within 30 days.

If your data was processed inside a credential on a customer's behalf, direct your request to that organization; we will assist them as their processor, including by revoking credentials where required.

Cookies

We use only essential cookies required for authentication and security, and we do not use advertising or cross-site tracking cookies. See our Cookie Policy for details.

Minors

Real Frame is a business product intended for organizations and users aged 18 or older. We do not knowingly collect personal data directly from minors. Where a customer issues credentials relating to minors, that customer is responsible for the appropriate legal basis and consents.

Changes

We may update this policy to reflect changes in our practices or the law. Material changes will be notified through the dashboard or by email. The "Last updated" date on this page reflects the latest revision.

Supervisory authority

You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC). If the GDPR applies to you, you may also complain to your local EU data protection authority.

Contact

For questions about this policy or your data, reach us through our contact page or by email at info [at] realframe [dot] me.

Last updated: 2026-06-06