NexionLabs
Legal & Compliance

Compliance without an ID warehouse.

Regulators, platforms, and courts increasingly ask not just for written policies, but for proof that you enforced them. Nexion gives you reusable evidence of checks—without requiring you to store ID copies for every user.

This page is for compliance, legal, risk, and policy teams—across consumer, crypto, and fintech—who need to understand how wallet-based Pass/Fail verification and policy receipts change their risk profile.

The Pressure

The "prove it" expectation

Laws, platform rules, and industry standards—covering areas like child safety, gambling, and crypto—are converging on the same demand: show that you actually checked age, location, and eligibility, not just a checkbox or self-declared data.

Penalties now include:

  • Fines and lawsuits when you can't demonstrate what you did at the time of access
  • Blocked distribution affecting product teams' ability to ship features
  • Investigation risk for legal and risk teams with limited enforcement evidence

At the same time, privacy regimes expect data minimisation and "data protection by design". Bulk-storing ID photos and full profiles might feel safe for enforcement, but it expands breach surface, retention obligations, and discovery scope—especially for high-profile crypto and financial products.

Nexion reconciles these pressures:

Strong, reusable evidence of enforcement, with less identity data under your direct control.
The Problem

Where today's approaches break

| Today's Approach | Where It Breaks |
| --- | --- |
| Collect and store ID copies | Large breach surface, long retention timelines, and costly discovery when regulators or plaintiffs ask for evidence. You end up stewarding millions of documents you never wanted in the first place. |
| Self-certification checkboxes | Weak proof of enforcement; hard to defend when a regulator asks "how you actually verified" age or location, or when plaintiffs claim you should have done more. |
| Ad-hoc KYC widgets bolted on | Inconsistent user experience, fragmented vendor contracts, and no portable proof you can reuse across products or audits. Each app or exchange has a different, hard-to-explain enforcement story. |

With Nexion

Each policy—such as "18+ to access this content" or "eligible to trade product X in region Y"—returns a Pass/Fail outcome and a signed policy receipt you can reuse across audits, teams, and products. You gain a consistent enforcement record without building a central identity warehouse.
The Solution

From logs to evidence: policy receipts

A policy receipt is a small, cryptographically signed record of a particular check. Instead of storing full identity profiles, you store evidence that a specific policy was evaluated for a specific verifier at a specific time—and what the decision was.

What a receipt contains

  • The policy or rule that ran (e.g., age >= 18 && residency == "EU")
  • The Pass/Fail decision
  • Timestamps and expiry
  • Identifiers for the issuer and verifier (e.g., DIDs or URLs)
  • A cryptographic signature (JWS) binding the record to the issuer

What a receipt does not contain

  • No full name, address, or document numbers
  • No full date of birth—only the fact that an age condition was met
  • No raw ID images or biometric samples
  • No central log of where else the user has proved policies

Example policy receipt

{
  "policy": "age>=18 && residency == \"EU\"",
  "decision": "pass",
  "issuer": "did:web:issuer.example",
  "verifier": "did:web:your-platform.example",
  "issued_at": "2025-11-16T14:32:18Z",
  "expires_at": "2025-11-16T14:37:18Z",
  "pii_included": "none",
  "receipt_jws": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."
}

Enough to defend your decisions. Not enough to reconstruct a full identity profile.

Receipts drop into your existing logging and analytics systems. You can keep them for as long as your legal and regulatory obligations require—without turning those logs into an ID repository.
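Added example, not Nexion's code: field-level checks a verifier could run on a receipt shaped like the sample above before writing it to logs. The field allow-list, the problem codes, the EdDSA pin and the constructed JWS value are assumptions; verifying the JWS signature against the issuer's key is assumed to happen separately in a JOSE library.

```python
import base64
import json
from datetime import datetime, timezone

# Keys shown in the page's example receipt; any other key is rejected so
# identity attributes cannot slip into logs as extra fields.
FIELDS = {"policy", "decision", "issuer", "verifier", "issued_at",
          "expires_at", "pii_included", "receipt_jws"}
PINNED_ALGS = ("EdDSA",)  # assumption: the alg in the page's sample JWS header

def utc(stamp):
    """Parse the receipt's UTC timestamp format into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def jws_alg(compact):
    """Return alg from a compact JWS protected header, or None if malformed."""
    try:
        parts = compact.split(".")
        if len(parts) != 3 or not all(parts):
            return None
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        return json.loads(raw).get("alg")
    except (ValueError, AttributeError):
        return None

def check_receipt(receipt, expected_verifier, now):
    """Return a list of problem codes; an empty list means the fields pass."""
    if set(receipt) != FIELDS:
        return ["unexpected_or_missing_fields"]
    problems = []
    if receipt["decision"] not in ("pass", "fail"):
        problems.append("bad_decision")
    if receipt["pii_included"] != "none":
        problems.append("pii_flagged")
    if receipt["verifier"] != expected_verifier:  # receipt issued for someone else
        problems.append("verifier_mismatch")
    if not utc(receipt["issued_at"]) <= now < utc(receipt["expires_at"]):
        problems.append("outside_validity_window")
    if jws_alg(receipt["receipt_jws"]) not in PINNED_ALGS:  # also rejects alg "none"
        problems.append("jws_alg_not_pinned")
    return problems

# Constructed sample: the page's field values with a made-up JWS payload and signature.
SAMPLE = {"policy": 'age>=18 && residency == "EU"', "decision": "pass",
          "issuer": "did:web:issuer.example", "verifier": "did:web:your-platform.example",
          "issued_at": "2025-11-16T14:32:18Z", "expires_at": "2025-11-16T14:37:18Z",
          "pii_included": "none",
          "receipt_jws": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.e30.c2ln"}
```

Run the check at decision time with the current UTC time; a receipt replayed after its five-minute window, or one addressed to a different verifier, comes back with a non-empty problem list.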
In Practice

Building your audit and enforcement story

Policy receipts help you answer a central question in investigations and audits: "What did you actually do at the time of access?"

Regulator inquiries

Demonstrate that a given feature or content category has been gated by a specific policy (e.g., "18+ in EU" or "KYC completed before first trade") since a specific date, with a record of decisions.

Platform policies

Show partners that you enforce age, region, and eligibility rules consistently across apps, brands, and chains, with a portable enforcement layer.

Civil litigation

Show that you had controls in place, that they ran at specific times, and what decisions they produced—without handing over a trove of ID documents.
Important: Nexion does not provide legal advice and cannot guarantee specific regulatory outcomes. But it does give your legal team a concrete, explainable mechanism for showing enforcement without centralising identity data.
Standards

How the model aligns with key frameworks

GDPR & data protection principles

  • Data minimisation: Identity attributes and documents live in the wallet; your systems keep only what each policy requires (a decision and a receipt)
  • Data protection by design and by default: Double-blind architecture limits any single party's view of who, where, and what
  • Storage limitation: You can design retention schedules around small receipts rather than large document archives

Wallet-based regulatory models

Nexion follows the same structural idea as the European Digital Identity (EUDI) wallet model: identity in the wallet; policies and decisions at the verifier.

That makes it easier to explain to regulators and partners already familiar with wallet-based frameworks, and to align your implementation with an emerging standard paradigm.

For technical details on data flows, encryption, and standards support, see the Privacy & Architecture and Security & Trust pages.

FAQ

Compliance FAQ

Do we still need to store ID documents?

In many cases you can enforce policies using Pass/Fail outcomes backed by policy receipts instead of keeping ID copies for every check. The underlying identity proof happens once when the credential is issued in the wallet. Your legal and privacy teams decide where you still need raw ID copies for edge cases or legacy requirements.

Who issues the credential?

Nexion issues the credential to the user's wallet after a high-assurance eKYC process using trusted identity providers. That credential can then be reused across sites that accept the same policies, so users do not repeat ID uploads on every product or exchange.

How long should we keep policy receipts?

Retention periods depend on your regulatory obligations, contractual commitments, and risk appetite. Nexion's model is designed so that receipts are much smaller and less sensitive than full ID copies, giving you more flexibility in defining retention and deletion policies. You should set those policies with your legal and privacy teams.

© 2025 NexionLabs. All rights reserved.