The ZADA Governance Framework (ZGF) serves as the constitution for the ZADA Ecosystem.
1. PURPOSE
The purpose of the ZADA Network is to enable a secure exchange of personal data and identities in line with the concept of self-sovereign identity and to serve as the foundation for the ZADA Ecosystem.
The purpose of the ZADA Ecosystem is to create a Web of Trust — a decentralized platform of trust interconnecting Identity Owners and the Things they control.
The purpose of the ZADA Ecosystem Governance Framework (ZEGF) is to define the business, legal, and technical policies for the ZADA Ecosystem.
The purpose of the ZADA Ecosystem Governance Board is to administer governance for the ZADA Ecosystem on behalf of all Identity Owners.
2 CORE PRINCIPLES
The following principles guide the development of policies in the ZEGF.
2.1 Self-Sovereignty
Individuals are endowed with and possess an inalienable right to be Identity Owners with the ability to permanently control one or more Self-Sovereign Identities without reliance on any external administrative authority.
- An Identity Owner alone shall determine which Identity Data describe its Identities.
- With regard to managing its own Identity Data, an Identity Owner alone shall determine how and for what purpose(s) it is processed.
- An Identity Owner alone shall determine who has access to its Identity Data.
- An Identity Owner’s Identity Data shall be portable as determined by the Identity Owner and enabled via Open Standards.
- An Identity Owner alone shall have the right to Delegate control of these functions.
2.2 Openness and Interoperability
The ZADA Ecosystem shall be based on Open Standards and avoid mechanisms that would prevent Identity Owners from having interoperability or portability of their Identity Data in the ZADA Ecosystem across borders and sectors.
2.3 Accountability
Identity Owners shall be accountable to each other for conformance to the purpose, principles, and policies of the ZADA Governance Framework. All ZADA Entities shall be responsible for, and be able to demonstrate compliance with any other requirements of applicable law. Nothing in the ZADA Governance Framework shall require a ZADA Entity to breach applicable law in order for it to perform its obligations under the ZADA Governance Framework.
2.3 Transparency
The ZADA Ecosystem shall practice Open Governance, and the Stewards shall operate with full openness and transparency to the greatest extent feasible consistent with the principles herein.
2.4 Sustainability
ZADA Infrastructure shall be designed and operated to be technically, economically, socially, and environmentally sustainable for the long term.
2.5 Collective Best Interest
The ZADA Ecosystem shall act in the collective best interests of all Identity Owners and shall not favor the interests of any single Identity Owner or group of Identity Owners over the interests of the ZADA Ecosystem as a whole. Note that at present the ZADA Governance Framework has no self-enforcing distributed mechanism that neutralises differences of interest among different stakeholders participating in the network; therefore, this is the responsibility of the ZADA Board of Trustees.
2.6 Decentralization by Design
1 General
ZADA Infrastructure shall be decentralized to the greatest extent possible consistent with the other principles herein. As the business, legal, and technical limitations of decentralization may change over time, the ZADA Ecosystem shall continuously examine all points of control, decision, and governance to seek ongoing conformance with this principle.
2 Diffuse Trust
ZADA Ecosystem shall not concentrate power in any single Individual, Organization, Jurisdiction, Industry Sector, or other special interest to the detriment of the Network as a whole. Diffuse Trust shall take into account all forms of diversity among Identity Owners.
3 Web of Trust
ZADA Ecosystem shall be designed to not favor any single root of trust, but empower any ZADA Entity to serve as a root of trust and enable all ZADA Entities to participate in any number of interwoven Trust Communities.
4 Censorship Resistance
ZADA Ecosystem shall be designed to resist censorship of any Entity while remaining compliant with all applicable laws.
5 High Availability
ZADA Ecosystem shall be designed and implemented to maximize availability of the ZADA Network.
6 No Single Point of Failure
ZADA Ecosystem shall be designed and implemented to not have any single point of failure.
7 Regenerative
ZADA Ecosystem shall be designed so that failed components can be quickly and easily replaced by other components.
8 Distributive
ZADA Ecosystem shall be designed and implemented such that authority is vested, functions performed, and resources used by the smallest or most local part of the ZADA Ecosystem that includes all relevant and affected parties.
9 Innovation at the Edge
The continued development of the ZADA Ecosystem shall encourage innovation to take place among the members of the ZADA Ecosystem most directly involved or impacted.
2.7 Inclusive by Design
1 General
The design, governance, and operation of ZADA Ecosystem shall follow the principles of Inclusive Design to serve the widest possible community of Identity Owners.
2 Identity for All
Consistent with the United Nations Sustainable Development Goal 16.9, the ZADA Ecosystem shall promote peaceful and inclusive societies for sustainable development; enable access to justice for all; and facilitate effective, accountable, and inclusive institutions at all levels by being accessible to, and inclusive of all Identity Owners without discrimination and with accommodation for physical, economic, or other limitations of Identity Owners to the greatest extent feasible.
3 People-Centered Design
ZADA Ecosystem Developers shall put people at the heart of the design process and enable them to control their own user experience.
4 Design for Difference
ZADA Ecosystem Developers shall strive to understand differences in capabilities and preferences across all potential members of the ZADA Ecosystem and provide adaptable solutions to meet the needs of all potential members.
5 Test Across Contexts
ZADA Ecosystem Developers shall test ZADA Ecosystem solutions for use in different Identity Owner environments and contexts.
6 Offer Choice
ZADA Ecosystem Developers shall design flexibility by offering a choice of ways to achieve the same outcome.
7 Maintain Consistent Experience
ZADA Ecosystem Developers shall design comparable experiences for all of their user communities that use consistent design elements and language.
2.8 Privacy by Design
1 General
The design, governance, and operation of ZADA Ecosystem shall follow the Seven Foundational Principles of Privacy by Design to the greatest extent possible consistent with the other principles herein. These principles can be summarized as:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality—Positive-Sum, not Zero-Sum
- End-to-End Security—Full Lifecycle Protection
- Visibility and Transparency—Keep it Open
- Respect for User Privacy—Keep it User-Centric
2.9 Security by Design
1 General
The design, governance, and operation of ZADA Ecosystem shall follow the principles of Security by Design to the greatest extent feasible consistent with the other principles herein.
2 System Diversity
The process and policies for selecting Stewards shall optimize availability and security by maximizing diversity of hosting locations, environments, networks, and systems.
3 Secure Defaults
The default configuration settings and user experience of the applications using ZADA Ecosystem shall enforce strong protection by default, including encryption by default.
4 Least Privilege
Access and authorization of the applications, Agents, and network services that use and comprise ZADA Ecosystem shall subscribe to the concept of least privilege.
5 Auditability
Transactions in ZADA Ecosystem and actions of applications using ZADA Ecosystem that require auditing shall be immutably logged, in a tamper-evident way, and be available to verify processing.
6 Secure Failure
Applications using ZADA Infrastructure shall be designed to take an exception or error path that will not create a security weakness exploitable by bad actors.
2.10 Data Protection by Design and Default
1 General
ZADA Entities, in the processing of personal data, shall adhere to the following data protection principles to the greatest extent feasible consistent with the other principles herein.
2 Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the Individual.
3 Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes, shall not be considered incompatible with the original processing purposes.
4 Data Minimization
Personal data must be relevant and limited to that which is necessary in relation to the purposes for which it is being processed.
5 Accuracy
Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that where personal data is inaccurate it is erased or rectified without delay.
6 Storage Limitation
Personal data must be kept in a form which permits identification of Individuals for no longer than the duration necessary for the purposes for which the personal data is being processed.
7 Integrity and Confidentiality
Personal data must be processed in a manner that provides appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (i.e., information security).