docs/governance/frameworks/trust-framework.md

# Trust Framework Policy (TFP)

**Version:** 1.0  
**Date:** November 10, 2025  
**Status:** Draft

---

## Overview

This Trust Framework Policy (TFP) defines the trust posture, Levels of Assurance (LOA), and assurance events for the Decentralized Sovereign Body (DSB) identity system.

## Trust Posture

The DSB operates as an **Assured Identity Provider** with defined Levels of Assurance (LOA 1-3) and assurance events (onboard, renew, recover).

## Levels of Assurance (LOA)

### LOA 1 - Basic Identity Verification

**Description:** Basic identity verification with minimal evidence requirements.

**Requirements:**
* Email verification
* Self-declared identity information
* Optional: Social media verification

**Use Cases:**
* Honorary membership
* Basic service access
* Community participation

**Evidence:**
* Email verification
* Self-declared information

### LOA 2 - Enhanced Identity Verification

**Description:** Enhanced identity verification with document check and liveness verification.

**Requirements:**
* Government-issued identity document (passport, national ID, driver's license)
* Document authenticity verification
* Liveness check (selfie with document)
* Sanctions screening
* PEP screening

**Use Cases:**
* eResidency
* Service roles
* Professional orders

**Evidence:**
* Document verification
* Liveness check
* Sanctions screen
* Address attestation (optional)

### LOA 3 - Highest Level Verification

**Description:** Highest level verification with in-person or video interview.

**Requirements:**
* All LOA 2 requirements
* Video interview with trained interviewer
* Multi-source corroboration
* Background attestations
* Oath ceremony
* Service contribution verification

**Use Cases:**
* eCitizenship
* Governance roles
* Public offices
* Honors

**Evidence:**
* Video interview
* Sponsorship
* Residency tenure
* Background attestations
* Oath ceremony

## Assurance Events

### Onboarding

**Process:**
1. Application submission
2. Identity verification (LOA-appropriate)
3. KYC/AML screening
4. Risk assessment
5. Approval/rejection
6. Credential issuance

**Timeline:**
* LOA 1: < 24 hours
* LOA 2: < 48 hours (median)
* LOA 3: < 7 days

### Renewal

**Process:**
1. Renewal application
2. Identity re-verification (LOA-appropriate)
3. Status check (good standing, compliance)
4. Credential renewal

**Timeline:**
* LOA 1: < 24 hours
* LOA 2: < 48 hours
* LOA 3: < 7 days

### Recovery

**Process:**
1. Recovery request
2. Identity verification
3. Security checks
4. Credential recovery or re-issuance

**Timeline:**
* LOA 1: < 24 hours
* LOA 2: < 48 hours
* LOA 3: < 7 days

## Incident Handling

### Security Incidents

**Classification:**
* **Critical:** Key compromise, data breach, systemic fraud
* **High:** Individual credential compromise, unauthorized access
* **Medium:** Suspicious activity, policy violations
* **Low:** Minor issues, false positives

**Response:**
1. Immediate containment
2. Investigation
3. Remediation
4. Notification (if required)
5. Post-incident review

### Credential Compromise

**Process:**
1. Immediate revocation
2. Investigation
3. Re-issuance (if appropriate)
4. Security enhancements

## Audit

### Internal Audit

**Frequency:** Quarterly

**Scope:**
* Identity verification procedures
* Credential issuance processes
* Security controls
* Compliance with policies

### External Audit

**Frequency:** Annually

**Scope:**
* PKI infrastructure
* Issuance processes
* Privacy compliance
* Security posture

## Compliance

### Privacy

* GDPR compliance
* Data minimization
* Purpose limitation
* Individual rights

### Security

* ISO 27001 alignment
* SOC 2 Type II (future)
* Penetration testing
* Bug bounty program

### Legal

* KYC/AML compliance
* Sanctions screening
* Data protection
* Consumer protection

---

## Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | CISO | Initial draft |

---

## Approval

**CISO:** _________________ Date: _________

**Founding Council:** _________________ Date: _________

**External Reviewer:** _________________ Date: _________
feat(eresidency): Complete eResidency service implementation - Implement credential revocation endpoint with proper database integration - Fix database row mapping (snake_case to camelCase) for eResidency applications - Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider) - Fix environment variable type checking for Veriff and ComplyAdvantage providers - Add required 'message' field to notification service calls - Fix risk assessment type mismatches - Update audit logging to use 'verified' action type (supported by schema) - Resolve all TypeScript errors and unused variable warnings - Add TypeScript ignore comments for placeholder implementations - Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility - Service now builds successfully with no linter errors All core functionality implemented: - Application submission and management - KYC integration (Veriff placeholder) - Sanctions screening (ComplyAdvantage placeholder) - Risk assessment engine - Credential issuance and revocation - Reviewer console - Status endpoints - Auto-issuance service 2025-11-10 19:43:02 -08:00			`# Trust Framework Policy (TFP)`

			`Version: 1.0`
			`Date: November 10, 2025`
			`Status: Draft`

			`---`

			`## Overview`

			`This Trust Framework Policy (TFP) defines the trust posture, Levels of Assurance (LOA), and assurance events for the Decentralized Sovereign Body (DSB) identity system.`

			`## Trust Posture`

			`The DSB operates as an Assured Identity Provider with defined Levels of Assurance (LOA 1-3) and assurance events (onboard, renew, recover).`

			`## Levels of Assurance (LOA)`

			`### LOA 1 - Basic Identity Verification`

			`Description: Basic identity verification with minimal evidence requirements.`

			`Requirements:`
			`* Email verification`
			`* Self-declared identity information`
			`* Optional: Social media verification`

			`Use Cases:`
			`* Honorary membership`
			`* Basic service access`
			`* Community participation`

			`Evidence:`
			`* Email verification`
			`* Self-declared information`

			`### LOA 2 - Enhanced Identity Verification`

			`Description: Enhanced identity verification with document check and liveness verification.`

			`Requirements:`
			`* Government-issued identity document (passport, national ID, driver's license)`
			`* Document authenticity verification`
			`* Liveness check (selfie with document)`
			`* Sanctions screening`
			`* PEP screening`

			`Use Cases:`
			`* eResidency`
			`* Service roles`
			`* Professional orders`

			`Evidence:`
			`* Document verification`
			`* Liveness check`
			`* Sanctions screen`
			`* Address attestation (optional)`

			`### LOA 3 - Highest Level Verification`

			`Description: Highest level verification with in-person or video interview.`

			`Requirements:`
			`* All LOA 2 requirements`
			`* Video interview with trained interviewer`
			`* Multi-source corroboration`
			`* Background attestations`
			`* Oath ceremony`
			`* Service contribution verification`

			`Use Cases:`
			`* eCitizenship`
			`* Governance roles`
			`* Public offices`
			`* Honors`

			`Evidence:`
			`* Video interview`
			`* Sponsorship`
			`* Residency tenure`
			`* Background attestations`
			`* Oath ceremony`

			`## Assurance Events`

			`### Onboarding`

			`Process:`
			`1. Application submission`
			`2. Identity verification (LOA-appropriate)`
			`3. KYC/AML screening`
			`4. Risk assessment`
			`5. Approval/rejection`
			`6. Credential issuance`

			`Timeline:`
			`* LOA 1: < 24 hours`
			`* LOA 2: < 48 hours (median)`
			`* LOA 3: < 7 days`

			`### Renewal`

			`Process:`
			`1. Renewal application`
			`2. Identity re-verification (LOA-appropriate)`
			`3. Status check (good standing, compliance)`
			`4. Credential renewal`

			`Timeline:`
			`* LOA 1: < 24 hours`
			`* LOA 2: < 48 hours`
			`* LOA 3: < 7 days`

			`### Recovery`

			`Process:`
			`1. Recovery request`
			`2. Identity verification`
			`3. Security checks`
			`4. Credential recovery or re-issuance`

			`Timeline:`
			`* LOA 1: < 24 hours`
			`* LOA 2: < 48 hours`
			`* LOA 3: < 7 days`

			`## Incident Handling`

			`### Security Incidents`

			`Classification:`
			`* Critical: Key compromise, data breach, systemic fraud`
			`* High: Individual credential compromise, unauthorized access`
			`* Medium: Suspicious activity, policy violations`
			`* Low: Minor issues, false positives`

			`Response:`
			`1. Immediate containment`
			`2. Investigation`
			`3. Remediation`
			`4. Notification (if required)`
			`5. Post-incident review`

			`### Credential Compromise`

			`Process:`
			`1. Immediate revocation`
			`2. Investigation`
			`3. Re-issuance (if appropriate)`
			`4. Security enhancements`

			`## Audit`

			`### Internal Audit`

			`Frequency: Quarterly`

			`Scope:`
			`* Identity verification procedures`
			`* Credential issuance processes`
			`* Security controls`
			`* Compliance with policies`

			`### External Audit`

			`Frequency: Annually`

			`Scope:`
			`* PKI infrastructure`
			`* Issuance processes`
			`* Privacy compliance`
			`* Security posture`

			`## Compliance`

			`### Privacy`

			`* GDPR compliance`
			`* Data minimization`
			`* Purpose limitation`
			`* Individual rights`

			`### Security`

			`* ISO 27001 alignment`
			`* SOC 2 Type II (future)`
			`* Penetration testing`
			`* Bug bounty program`

			`### Legal`

			`* KYC/AML compliance`
			`* Sanctions screening`
			`* Data protection`
			`* Consumer protection`

			`---`

			`## Revision History`

			`\| Version \| Date \| Author \| Changes \|`
			`\|---------\|------\|--------\|---------\|`
			`\| 1.0 \| 2025-11-10 \| CISO \| Initial draft \|`

			`---`

			`## Approval`

			`CISO: _________________ Date: _________`

			`Founding Council: _________________ Date: _________`

			`External Reviewer: _________________ Date: _________`