ID2020 Certification Mark Application Form
The ID2020 Certification Mark is an initiative by the ID2020 Alliance to create a trustmark for digital identities that meet our technical requirements. Our Certification Mark draws upon the efforts of several organizations, including and most notably ThingsCon and their Trustable Technology Mark. We were tremendously inspired by their effort to develop a "badge of honor" for companies and organizations designing technology with user privacy and rights top-of-mind.

The development of the ID2020 Certification Mark was supported by our Technical Advisory Committee, a group that comprises many of the world's foremost experts on digital identity and its underlying technologies. The Certification Mark is based on our Technical Requirements, a living document that can be found here, and which is regularly updated by our experts to reflect the changing landscape of digital identity. Just like our technical requirements, we also intend for our application form to be updated over time. We invite you to contribute to our mission to improve lives through digital identity by adding your voice to the conversation. Please contact us at info@id2020.org with any questions or comments.

How does this form work?
The Certification Mark application form consists of 50 questions across 7 focus areas: applicability, identification and verification, authentication, privacy and control, attestations and trust, interoperability, and recovery and redress. Our Certification Mark is concerned with these seven, as well as an eighth: openness. While openness is not an explicit category in our application, it is present throughout and helps us better understand a system. If most elements in an applicant’s stack are open, then we view it as trustworthy-until-proven-otherwise. If not, then we approach it with an assumption of untrustworthiness.

Our experts will review your answers and may follow up with you. Once our questions are fully answered, the final results will be published in full online under a Creative Commons (by) license, on ID2020.org. Publishing this information is part of the ID2020 Certification Mark requirements.

Notes for filling out this application:
All questions follow the format YES/NO/NOT APPLICABLE:
-If the answer is YES please explain what that means concretely for your context and provide all available evidence for the claim (i.e.: for questions of usability, please note whether or not there has been user testing) in the space provided adjacent "other."
-If the answer is a partial yes, please mark NO and explain what that means concretely for your context in the space provided adjacent "other."
-If the answer is NOT APPLICABLE, please explain why in the space provided adjacent "other."

Please keep answers concise. Providing links is fine if they are meaningful. As a guideline, make this as clear and easy to understand as possible. Where layman’s terms are possible, please use them. We are
aware that digital identity is a term comprising many technologies and processes. If clarification is needed, please reach out to us at info@id2020.org

Our team will get back to you shortly with either a final decision or follow-up questions. In the meantime, please feel free to get in touch at info@id2020.org
Email address *
Company/organization responsible for the digital identity to be certified?
Your answer
Which country is the company/organization based in?
Your answer
Do you have the authority to legally bind the company/organization?
Street Address?
Your answer
Describe what the technology/process/system is, including whether this is an application for an identity provider or a relying party:
Your answer
Website:
Your answer
Applicability
Can all aspects of the identity lifecycle be performed online and offline?
Can the equipment be used in rugged environments over a protracted duration?
Is the digital identity cost effective across all aspects of the identity lifecycle?
Is the digital identity easy to use, or does it require only minimal user education, even for individuals with little to no digital literacy, literacy, or numeracy?
Does the identity lifecycle support the use of a pseudonymous identity?
Does the identity lifecycle comply with the principle of data minimization?
Identification & Verification
Can identification and verification be performed at reasonable speed?
Can identification and identity proofing be performed with multiple sources of verification?
Does each source of verification correspond to an assurance level?
If no sources of verification are available, can the entire identity lifecycle performed?
Are multiple devices, smart phones or other means of identification and verification available to relying parties?
Authentication
Can authentication be performed at reasonable speed?
Can authentication be performed with multiple sources of verification?
If no sources of verification are available, can authentication be performed?
Are multiple devices, smart phones or other means of authentication available to users?
Privacy & Control
Does the user have granular control over the sharing of personal data?
Are privacy-by-design practices built into all aspects of the identity lifecycle?
Is there a published privacy policy?
Can users easily revoke consent?
Do you provide users with evidence that their revocations have taken immediate effect?
Can users easily view their personal data, including consent, revocation of consent, and sharing with all parties?
Can users easily export their personal data, including consent, revocation of consent, and sharing with all parties?
Can users easily obtain information about how their personal data is stored and processed?
Can users easily obtain information about requests to view their personal data?
Can custodianship/guardianship be exercised for applicable users?
Can custodian/guardian be decoupled from a user’s profile?
Are controls in place to defend against viewing, deleting, or modifying personal data not consented to by the user?
Are processes in place to detect attempts to view, delete, or modify personal data?
Are attempts (successful or failed) to view, delete, or modify personal data disclosed to users?
Can users redress attempts to view, delete, or modify personal data not consented to by them?
Are security-by-design practices employed across all aspects of the identity lifecycle?
Are all parties (including trust anchors and relying parties) prevented from viewing an individual's personal data?
Do you offer the same access protocols and privacy and security protections for all users regardless of all attributes including citizenship, income level, race, ethnicity, gender, sexuality, affiliation with a particular social group, etc.?
Are users able to modify personal data across all parties (including trust anchors and relying parties) once recorded?
Are users able to delete personal data across all parties (including trust anchors and relying parties) once recorded?
Are all aspects of the identity lifecycle compliant, in letter and spirit, with the European Union's General Data Protection Regulation?
Attestations & Trust
Do all aspects of the identity lifecycle support the storage and management of attestations from multiple organizations?
Are there processes in place to evidence that attestations are genuine, have not been tampered with, pertain to the individual in question, and remain consented to by the user?
Can users and relying parties easily access evidence that attestations are genuine and have not been tampered with?
Can users and relying parties easily access information about how identity proofing was performed?
Can all aspects of the identity lifecycle be performed without point to point trust agreements across parties?
Does the system comply with a trust framework? If so, which?
Are all elements of the technical stack open source under a recognized license? If so, which?
Does the system provide open APIs for access to data to enable integration with other identity system components and/or vendors?
Can third-party developers build on top of your solution through open licensing, open source, or an API?
Can all elements required to perform the full identity lifecycle be functionally replaced by a third-party?
Can data be easily exported in machine-readable format to facilitate vendor transfer?
Recovery & Redress
Does the system support secure recovery if personal data is modified or deleted?
Does the system support the modification of inaccurate personal data?
Does the system support at least one key custodian in a recovery scheme?
A copy of your responses will be emailed to the address you provided.
Submit
Never submit passwords through Google Forms.
reCAPTCHA
This form was created inside of Identity 2020. Report Abuse - Terms of Service