Building a Web3 identity solution
TL;DR:
The European Blockchain Sandbox has completed its second cohort, with IOTA Foundation’s Tokenized Know Your Customer solution featuring IDnow, walt.id and Bloom Wallet. The Sandbox provided important lessons about compliant and privacy-preserving identity authentication in Web3, including the use of off-chain authentication, soulbound tokens, and GDPR-aligned wallet and node practices.
We have completed our participation in the European Blockchain Sandbox, a three-year initiative from the European Commission that gives innovative distributed ledger projects the opportunity to test their solutions with regulators across Europe. Twenty projects are selected to participate each year, and the IOTA Foundation was part of the second cohort, which ran from June 2024 to March 2025.
Our contribution focused on the Tokenized Know Your Customer (KYC) solution developed together with IDnow, walt.id and Bloom Wallet. This proof-of-concept solution allows users to verify their identity off-chain and receive a tokenized proof in their wallet, so that dApps, exchanges and other services can confirm eligibility requirements (such as age verification) without exposing sensitive data on-chain.
The closure of the Sandbox is marked by the publication of the European Commission's best practice report for the second cohort. The report shares recommendations and best practices from the program, offering valuable guidance for anyone developing DLT solutions and navigating their regulatory implications.
Key Sandbox Takeaways: Sharing Customer Data
An important focus in the Sandbox was how Anti-Money Laundering (AML) and KYC rules apply in practice. Regulators emphasized that crypto asset exchanges and other service providers have a legal obligation to know the identities of their users. This is why our Tokenized KYC solution enables the entity responsible for conducting a KYC check to access verified personal data from the identity verification provider (in our case IDnow). Similarly, authorities such as the police can request personal data linked to a specific non-transferable (soulbound) token.
To make customer onboarding easier, companies can sometimes reuse KYC data that another entity has already collected. But the rules for doing this vary across Europe. In some countries, data can only be shared between the same category of entities, while broader sharing requires special approval from national authorities. Fortunately, the upcoming Anti-Money Laundering Regulation (AMLR) is expected to harmonize these rules on the use of customer information collected by other entities.
Key Sandbox Takeaways: Soulbound Tokens
The report also highlighted key lessons on self-hosted wallets, KYC, and how data is classified on permissionless public DLTs such as IOTA. In our Tokenized KYC solution, only soul-bound tokens are registered on-chain. These tokens contain no personal data themselves but prove that the KYC process has been completed, with the underlying KYC data stored securely off-chain. The Sandbox noted that such tokens can still be treated as pseudonymised personal data, meaning the GDPR applies. Because this classification may evolve with new case law and guidelines, continued evaluation is required. To minimize data protection risks, our solution follows a data protection by design approach, limiting the amount and type of data shared on-chain.
Key Sandbox Takeaways: Wallet Providers and Node Operators
Another important topic in the Sandbox was how wallet providers and node operators are classified under GDPR.
- The report concludes that self-hosted wallet providers are not considered data controllers or processors if the wallet runs exclusively on the user’s device, without relying on an external backend. In our Tokenized KYC solution, verified identity data remains off-chain with IDnow, while the user-hosted wallet only contains a soul-bound KYC attestation. This design is consistent with GDPR guidelines: responsibility for personal data lies with the entities that actually access or use it – for example IDnow for authentication and off-chain data storage and, where applicable, an integrating service such as a dApp or exchange when it lawfully accesses or uses the data.
- The GDPR classification of node operators needs careful nuance. As we recently noted about the European Data Protection Board's guidelines on personal data in blockchains, nodes perform only technical functions; they neither determine nor control the purposes of data processing. Treating them as controllers would misrepresent their role and impose disproportionate obligations. Our Tokenized KYC solution reinforces this distinction. Verified identity data remains off-chain at IDnow, while the chain only registers a non-transferable KYC attestation without personal attributes. Nodes simply relay or validate this pseudonymised attestation and never have access to the identity dataset. Even if such attestations qualify as personal data, the design minimizes on-chain exposure and ensures that responsibility lies with the entities that actually process identity information. This provides a workable path to meet AML/KYC requirements while respecting
The Money Transfer Regulation and the Anti-Money Laundering Regulation require entities such as crypto asset exchanges to maintain data about the user of a self-hosted wallet and to identify its owner. At the same time, dApps and DeFi operators are increasingly looking for ways to enable compliant identity checks without compromising privacy and security. There is a growing need for on-chain identification tools to ensure smooth and compliant interactions in Web3 ecosystems.
Our proof-of-concept Tokenized KYC solution brings together all the necessary steps in one easy-to-use tool:
- A trusted party witnesses an identification process and tokenizes it as a soul-bound token, allowing dApps and other entities to have confidence in the identification process without revealing the actual personally identifiable information.
- The soulbound token can be used for on-chain processes, enabling Web3-native interactions.
- The trusted party may release the identity information if requested by an authorized party (e.g., law enforcement).
- The trusted party can also revoke the token if an invalidation is necessary (for example, watchlist changes).
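As an added example that is not the project's or its partners' code: a Python model of the four steps above and of the off-chain/on-chain split described in the previous sections. The Ledger, KycProvider and Attestation classes, the wallet addresses and the person data are constructed for illustration; the ledger stand-in enforces issuer-only minting and revocation and rejects every transfer, while personal data never leaves the provider.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Attestation:
    holder: str    # wallet address the token is bound to
    claims: dict   # derived eligibility facts only, e.g. {"over_18": True}; no PII
    revoked: bool = False

class Ledger:
    """Stand-in for the public DLT: issuer-only mint/revoke, transfers always rejected."""
    def __init__(self, trusted_issuer):
        self.trusted_issuer, self.tokens = trusted_issuer, {}

    def mint(self, issuer, holder, claims):
        if issuer != self.trusted_issuer:
            raise PermissionError("only the trusted KYC party may mint")
        token_id = secrets.token_hex(16)  # random; unlinkable to a person without issuer records
        self.tokens[token_id] = Attestation(holder, dict(claims))
        return token_id

    def transfer(self, token_id, new_holder):
        raise PermissionError("soulbound: attestation stays with the onboarding wallet")

    def revoke(self, issuer, token_id):
        if issuer != self.trusted_issuer:
            raise PermissionError("only the issuer may revoke")
        self.tokens[token_id].revoked = True

    def is_eligible(self, holder, claim):
        """dApp-side check: a live attestation for this wallet asserting the claim."""
        return any(t.holder == holder and not t.revoked and t.claims.get(claim) is True
                   for t in self.tokens.values())

class KycProvider:
    """Off-chain identity verification provider; the only party holding PII."""
    def __init__(self, name, ledger):
        self.name, self.ledger, self.records = name, ledger, {}

    def onboard(self, wallet, pii):
        # Document/biometric checks would happen here; only a derived claim goes on-chain.
        token_id = self.ledger.mint(self.name, wallet, {"over_18": pii["age"] >= 18})
        self.records[token_id] = pii  # PII stays off-chain, keyed by token id
        return token_id

    def disclose(self, token_id, requester_authorised):
        if not requester_authorised:
            raise PermissionError("identity data is released only to authorised parties")
        return self.records[token_id]
```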
Following the completion of this project, the rebased IOTA Mainnet was launched with a new architecture based on the Move Virtual Machine. To support use cases like the Tokenized KYC solution, we provide the IOTA trust framework, a set of composable infrastructure components, each designed with privacy, compliance, and usability in mind.
