What is Violet and a VioletID?

• Violet is a highly customizable compliance and identity management tool provided by DeFi Labs GmbH. Violet was formed to create best-in-class anti-money laundering, privacy-preserving compliance credentials for use in decentralized finance, crypto more broadly, and web3 use cases. Violet is committed to user privacy and aims to balance legitimate governmental interests with privacy protection.

• Your VioletID provides a standardized method to issue compliance credentials and map smart-contract access controls on the Ethereum mainnet and EVM-compatible chains. VioletID achieves this purpose in a way that allows integrated partners to fulfill traditional legal compliance requirements like Know Your Customer (KYC), Know Your Business Customer (KYB), sanctions checks, and anti-money laundering (AML) rules in an on-chain verifiable way while preserving your privacy in a way that regulators will accept today. Indeed, Violet’s compliance program was the backbone for Mauve’s VASP registration approval. The specific compliance checks that Violet supports are expected to grow over time, and you will be able to opt-in for additional checks in order to access different products and services that need the extra verification.

• Before signing up with a new service or engaging in a transaction using a smart contract that requires you to have a VioletID, you should confirm your understanding of the checks that Violet will be required to perform and whether the service or transaction may require independent access to your data (e.g., in the future, permissioned token issuers may require your data to satisfy their regulatory reporting requirements if you opt to hold their tokens). We will not access your data for any reason other than what is disclosed in our Privacy Notice.

How does Violet confirm my compliance before a transaction?

• Violet relies on Ethereum Access Token (EAT) integration to provide real-time compliance checks in connection with a transaction authorization. EAT gating provides the ability for users and protocols to accept virtually any signal via an EAT due to its composability without disclosing the user’s underlying personal information to the service unless required by law for regulatory reasons. The EAT is issued from Violet’s backend and passed client side where it is added to the user’s transaction, thereby embedding the EAT on-chain. The EAT is then verified by the relevant protocol calling Violet’s verification smart contract. If you have already obtained an EAT and completed the required compliance checks within the last 24 hours, then you’re able to proceed without additional screening as part of an ongoing session. This session-based approach avoids unnecessary authorization delays and checks.

Where can I use my VioletID?

• Today, for non-US users, you can immediately access Mauve, a non-custodial exchange where every user has to have a VioletID in order to swap tokens or provide liquidity to a pool. Relying on Violet, Mauve gives you a place to exchange your tokens without taking unnecessary counterparty or sanctions risk and without having to trust an intermediary with custody of your tokens.

• VioletID also functions as a proof of humanity / personhood, meaning there can only be one you. We foresee an incredible number of use cases where you need to prove your identity, or an aspect of your identity, to use a service – you’d be able to use your VioletID to meet that requirement in a programmatic, privacy protective way.

Who is DeFi Labs?

• DeFi Labs is the parent entity behind Violet and Mauve. DeFi Labs is a German limited liability company, headquartered in Berlin.

What happens with my identity data during verification?

• Your data is processed via our verification partner Persona (for individuals) or SumSub (for businesses). We (DeFi Labs) take custody of the data, and no individual user’s personal information is retained by our enrollment partners long term. At this time, KYB data for business users is retained by SumSub. Our Privacy Notice explains in detail what is collected, how it’s stored, how we will (and more importantly, won’t) use your personal data, and your rights.

What sanctions and AML checks does Violet run?

• Violet built its compliance program in direct consultation with Mauve to ensure that Mauve is able to satisfy existing, traditional finance anti-money laundering requirements. Violet thus requires a full know your customer (via Persona) or know your business customer (via SumSub) check of every person or business who wants to obtain a VioletID. For individuals, this process requires you to provide standard KYC information including self-reported permanent address along with documentary proof (e.g., a utility bill), as well as geolocation information tied to an IP address – this geolocation confirmation is necessary for sanctions compliance. Violet does not currently allow users to enroll while using a VPN or Tor under our Terms of Use, and we will block your access when detected. A liveness check also is required to ensure that Violet has a reasonable belief that we know the true identity of our registrants, which is a guarantee a service like Mauve needs to meet its legal obligations. You will also enroll a second factor through Authenticator to ensure that the wallet you registered with us remains in your possession at the time of a transaction requiring your VioletID. For business users, the process is similar but with increased checks around beneficial owners (down to the 10% level), directors and executive officers, and confirmation of company details like shareholders and confirmation of company registration. The KYB process is manual at the start, and we appreciate your patience as we get you onboarded! Initial sanctions checks are run by Persona or SumSub. You may request a manual review by emailing compliance@violet.co if you are unable to successfully navigate the automated enrollment process, but certain issues (e.g., unreadable identity documents) cannot be resolved manually.

• Violet uses TRM Labs to screen your wallet at the time of enrollment to ensure that your on-chain activity has not resulted in sanctions violations or other behavior indicative of money laundering that would not be permitted on Mauve. Violet took great care, in consultation with Mauve, about what risk tolerance is appropriate for a self-custody wallet, recognizing that compliance and regulation is new to the industry. Violet has adopted a custom approach that ultimately relies on aggregated risk scores attributed to “Ownership,” “Counterparty,” and “Indirect” risk totals generated by the blockchain analytics screening. The permissible “Ownership” risk score (i.e., the risk is directly tied to activity by the wallet) is lower than the permissible “Counterparty” risk score (i.e., the risk is tied to a third-party wallet that your wallet directly interacted with) and the “Indirect” risk score (i.e., the risk is tied to a third-party wallet that is more attenuated from your wallet). Violet also has adopted specific “percentage of funds” scores for many of the identified risk categories (e.g., extortion & blackmail, investment fraud, violent extremism, scams). Where the overall percentage of funds transacted from a wallet is significant (e.g., greater than 15% of all in-bound funds are attributed to a certain risk category), then Violet will view you as a greater money laundering risk. Importantly, the inverse is also true: where a tiny amount of funds (e.g., .01% or less of all in-bound funds) are attributable to an indirect risk category, Violet will reduce the ordinary risk score for that category to “1” because you likely have not, in fact, engaged in an activity that materially increases your money laundering risk profile. Violet has also adopted specific rules designed to detect flags for Tornado Cash-related sanctions issues and to discount those risk scores appropriately due to the Tornado Cash dusting that was beyond your control. All told, Violet does not currently expect most users who have acted in good faith, consistent with prior norms in crypto, to have an issue with enrollment due to the blockchain analytics screen. As always, we are committed to being transparent about our approach, and we are equally committed to working with Mauve to revise the details of this implementation if initial registration does not proceed as anticipated and false positives are high.

• Violet runs ongoing anti-money laundering and sanctions checks against your personal information as well as a blockchain analytics check before any transaction requiring your VioletID. ComplyAdvantage checks your off-chain personal information against reputable and relevant government sanctions, warnings, PEP lists, and adverse media lists that have been specifically identified by Violet and Mauve as relevant to the provision of Mauve’s service. ComplyAdvantage will alert Violet’s compliance team if there is a significant change to your risk profile (e.g., you now appear to be listed on the OFAC sanctions list or are on a most-wanted list). Violet will manually review these flags to determine if the alert is a false positive. If the ComplyAdvantage alert is accurate, Violet will update your verifiable credentials as required based on the type of alert, which may result in you being unable to use Mauve or in the elimination of your VioletID. Before any transaction, if no check has been done in the past 24 hours, Violet will rescreen your wallet using TRM Labs’ analytics tool. If there has been a change to your on-chain risk score that is material, then the transaction will fail and no transactions will be possible. Violet’s compliance team will confirm whether the updated risk score is correct and determine the necessary action, which may include the inability to use Mauve or the elimination of your VioletID.

How is my personal data stored and protected?

• All personal data is encrypted on our backend and stored with AWS. AWS does not have access to plaintext (i.e., unencrypted) data. We made this choice to minimize the risk of data leakage and to impose as much protection as possible over your personal information. Decryption is secured by an internal permissioning system to ensure only explicitly designated parties are allowed access to your personal data and only for the specific reasons set out in our Privacy Notice. All access to your data is recorded in an audit log – no one at Violet can access your data without there being a record that will be retained for at least 5 years as part of Violet’s data retention policy.

• Our Privacy Notice and documentation is as transparent as possible about what data is collected, stored, and who can access it. We intend to provide you access to a self-service portal in the near future, where you will always be able to view the data stored by Violet after completing your registration on the VioletID app. You will also be able to add additional information as necessary to obtain unique credentials for certain use cases (e.g., accredited investor status in order to acquire and hold permissioned tokens).

• To be clear: Violet does not use your data for our own purposes – we do not and will not provide it to other third parties for any reason other than provision of the services you asked us to provide or in response to a compulsory legal demand. You can review how strictly we handle legal information demands in our policy. It’s your data, not ours, and our goal is to reduce even our access to it over time. We published a blog post on our general data protection and privacy philosophy that is available here. Our Privacy Notice controls if there is any difference between the blog post and the Notice.

What is the blB01 asset?

• blB01 stands for Backed IB01 $ Treasury Bond 0-1yr (bIB01), you can find out more about this asset on https://assets.backed.fi/products/bib01.