8. Security and Privacy

Principles: privacy by default; device-first feature extraction; minimal disclosure; revocability; verifiable processes via GAEA Certification and VCs; regional compliance and minimal retention.

Data classes: A (high sensitivity): wearable physiology and raw voice — default on-device only. B (medium): on-device emotional features/summaries; session-level EMOCOORDS. C (low): task metadata, evaluation metrics, anonymized usage statistics. D (public): public documents, certification standards, audit abstracts.

Consent: one-time with fine-grained reuse; rotating anonymous device IDs; minimal persona disclosure; restrictions for minors/sensitive scenarios; human-in-the-loop for finance, medical, and public matters.

Lifecycle: on-device preprocessing, liveness and anomaly filtering, explicit consent → TLS 1.3+ transport with certificate pinning → partitioned encrypted storage (A/B with KMS/HSM) → least-privilege temporary tokens; immutable audit logs → region-specific TTL; revocation triggers removal and model stop; data portability; provenance and version tracking; model/data unlearning support.

Device/edge/cloud security: secure boot/firmware, anti-tamper, staged OTA; wearables upload features/summaries only; edge aggregation with rate limit and isolation; cloud RBAC/ABAC, zero trust, key rotation, hash-chained audit; SDK sandbox with least privilege and behavioral auditing.

Privacy technology and verifiable execution: ZK proofs for sensitive compute, certification, and settlement abstracts with selective disclosure; FL + DP; TEE with remote attestation; exploration of ZKML; VC for EC grades, validity, boundaries, and CRLs.

Licensing and revocation: LAT/MLN objects for dataset/model licensing with expiry and revocation; machine-verifiable policies for subject/place/object/time/purpose; unified CRL queries; immediate stop and removal on withdrawal.
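An added illustration of the licensing check described above, not code from the GAEA project: a fail-closed evaluator that tests a request against a license's subject/place/object/time/purpose constraints and a revocation list. The License and Request field names, the reason strings and the sample values are assumptions made for this example and are not the LAT/MLN schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical license object: field names are assumptions, not the LAT/MLN schema.
@dataclass(frozen=True)
class License:
    license_id: str
    subjects: frozenset   # who may use the asset
    places: frozenset     # regions where processing is allowed
    objects: frozenset    # dataset/model identifiers covered
    purposes: frozenset   # permitted purposes
    not_before: datetime
    not_after: datetime   # expiry

@dataclass(frozen=True)
class Request:
    subject: str
    place: str
    obj: str
    purpose: str
    at: datetime

def evaluate(lic, req, crl):
    """Return (allowed, reason). Fails closed: any unmet condition denies."""
    if crl is None:
        return False, "crl_unavailable"   # no revocation data means no access
    if lic.license_id in crl:
        return False, "revoked"           # revocation overrides every other field
    if not (lic.not_before <= req.at < lic.not_after):
        return False, "outside_validity"
    checks = (
        ("subject", req.subject, lic.subjects),
        ("place", req.place, lic.places),
        ("object", req.obj, lic.objects),
        ("purpose", req.purpose, lic.purposes),
    )
    for name, value, allowed in checks:
        if value not in allowed:
            return False, f"{name}_not_permitted"
    return True, "ok"

# Constructed sample data for the example.
UTC = timezone.utc
LIC = License("lic-001", frozenset({"org-a"}), frozenset({"EU"}),
              frozenset({"dataset-42"}), frozenset({"evaluation"}),
              datetime(2025, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC))
REQ = Request("org-a", "EU", "dataset-42", "evaluation",
              datetime(2025, 6, 1, tzinfo=UTC))
```

The revocation check runs before the field checks, so a withdrawn license is denied even when every other constraint matches, and a missing revocation list denies rather than allows.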

Model security: poisoning/backflow defenses; robustness evaluation with adversarial sets; anti-exfiltration and anti-inference controls (response compression, confidence clipping, output perturbation, rate limits); policy guardrails.

Audit and transparency: end-to-end logs; third-party audits; public dashboards for EC distributions, CRL rates, revocation SLAs, and privacy incidents (de-identified). Incident response uses P0–P3 levels. Data subject rights SLAs cover access/export, correction/restriction, deletion/withdrawal, and appeals. Compliance mapping includes GDPR/CCPA/PIPL/PDPA/UK GDPR.

Data subject requests (SLAs & verification)

| Request type | Response time | Completion deadline | Verification method | Notes |
|---|---|---|---|---|
| Data deletion | Acknowledge within T+72h | Complete within T+14 days | VC proof / audit logs | Emergency fast-track available |
| Model unlearning | Schedule within T+72h | Complete within T+30 days | Differential impact assessment | Impact report receipt |
| Access & portability | Immediate / <=72h | Immediate / <=7 days | Portable format | API / download link |
| Withdraw consent | Takes effect immediately | Complete within <=24h | Key revocation / policy | Gradual propagation |

Region / regulation compliance mapping

| Region / law | Data residency | Cross-border mechanism | Data subject rights | Retention | Legal basis |
|---|---|---|---|---|---|
| EU / GDPR | In-EEA | SCC / DPA | Access / rectification / erasure / portability | Shortest necessary | Legitimate interests / consent |
| US / CCPA / CPRA | In-state preferred | DPA / Terms of service | Notice / opt-out of sale | Shortest necessary | Contract / consent |
| China / PIPL & CSL | In-country storage | Security assessment | Access / rectification / erasure | Shortest necessary | Statutory / consent |
| Singapore / PDPA | Local-preferred | Transfer agreement | Access / rectification | Shortest necessary | Consent / legitimate interests |
| UK / UK GDPR | In-UK | IDTA / SCC | Access / erasure / restriction of processing | Shortest necessary | Legitimate interests |
