Reference
Privacy & Security
Settla holds who you are and where money can reach you — data whose over-disclosure directly enables fraud. Privacy is not a feature here; it is the core safety property of the product.
The One Rule
Design tenets
- Privacy-by-default. New aliases and endpoints default to `unlisted`; nothing is enumerable without explicit opt-in to `public`.
- Minimal disclosure. Resolution returns the least data a requester is entitled to — never more.
- Consent-based sharing. `consent_required` endpoints are disclosed only under a valid grant.
- Fail-closed. Unknown privacy → treated as `private`; consent state unavailable → omit; scope ambiguity → deny.
- Auditable & anti-correlation. Every disclosure-relevant action is recorded; the directory resists mapping and enumeration.
Privacy levels
Set per alias and per endpoint, independently. The effective disclosure is the intersection of both.
Note
`public` ≠ enumerable. Public means “resolvable given the identifier,” not “browsable.” There is no list-all surface at any level; the only discovery path is the opt-in public directory, which returns `public` aliases only.
Minimal-disclosure engine
The disclosed set is computed as an intersection:
- endpoints owned by the identity,
- ∩ allowed by the endpoint's privacy level (never `private`),
- ∩ within the consumer's scope,
- ∩ covered by a valid, unexpired `ConsentGrant` where required,
- ∩ endpoint status is `active`.
Even for entitled endpoints, only the minimal fields are projected:
- `crypto_wallet` → full public receive address.
- bank / exchange / processor / merchant accounts → `last4` + token only, never the full number.
- internal / future endpoints → `public_id` + type only.
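The intersection and projection steps above, and the invariant that not-found and not-permitted resolve to the same shape, as an added worked example in Python (this is illustrative code written for this page, not Settla's implementation). It assumes a `required_scope` field on each endpoint, models the alias/endpoint "intersection" as the more restrictive of the two levels, and uses constructed sample endpoints and grants; any level it does not recognise, a missing consent store, or an ambiguous scope all fail closed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Privacy levels named on the page, ranked from least to most restrictive.
# The alias/endpoint "intersection" is modelled as the more restrictive of the
# two levels; that ordering is an assumption of this example.
RANK = {"public": 0, "unlisted": 1, "consent_required": 2, "private": 3}
ACCOUNT_TYPES = {"bank_account", "exchange_account", "processor_account", "merchant_account"}


@dataclass(frozen=True)
class Endpoint:
    public_id: str
    type: str                # "crypto_wallet", one of ACCOUNT_TYPES, or anything else
    privacy: Optional[str]   # None models "privacy unknown" and must fail closed
    status: str              # "active" or anything else (suspended, closed, ...)
    required_scope: str      # scope a consumer needs to see this endpoint (assumed field)
    secret: str              # full address / account number (constructed sample data)
    token: str = ""          # opaque token for account-style endpoints (constructed)


@dataclass(frozen=True)
class ConsentGrant:
    endpoint_id: str
    consumer_id: str
    expires_at: datetime
    revoked: bool = False


def effective_level(alias_privacy: Optional[str], ep: Endpoint) -> str:
    """Most restrictive of alias and endpoint level; unknown levels become private."""
    a = alias_privacy if alias_privacy in RANK else "private"
    e = ep.privacy if ep.privacy in RANK else "private"
    return a if RANK[a] >= RANK[e] else e


def has_valid_grant(grants: Optional[Iterable[ConsentGrant]], ep: Endpoint,
                    consumer_id: str, now: datetime) -> bool:
    """Consent state unavailable (grants is None) counts as 'no grant', so the endpoint is omitted."""
    if grants is None:
        return False
    return any(g.endpoint_id == ep.public_id and g.consumer_id == consumer_id
               and not g.revoked and g.expires_at > now
               for g in grants)


def project(ep: Endpoint) -> Dict[str, str]:
    """Minimal field projection per endpoint type, as listed on the page."""
    if ep.type == "crypto_wallet":
        return {"public_id": ep.public_id, "type": ep.type, "address": ep.secret}
    if ep.type in ACCOUNT_TYPES:
        return {"public_id": ep.public_id, "type": ep.type,
                "last4": ep.secret[-4:], "token": ep.token}
    return {"public_id": ep.public_id, "type": ep.type}


def resolve(endpoints: Iterable[Endpoint], alias_privacy: Optional[str], consumer_id: str,
            consumer_scopes: Optional[Set[str]], grants: Optional[Iterable[ConsentGrant]],
            now: datetime) -> Dict[str, List[Dict[str, str]]]:
    disclosed = []
    for ep in endpoints:
        level = effective_level(alias_privacy, ep)
        if level == "private":                       # never in an external disclosure set
            continue
        if consumer_scopes is None or ep.required_scope not in consumer_scopes:
            continue                                 # scope ambiguity (None) is a deny
        if level == "consent_required" and not has_valid_grant(grants, ep, consumer_id, now):
            continue
        if ep.status != "active":
            continue
        disclosed.append(project(ep))
    return {"endpoints": disclosed}


def resolve_alias(directory: Dict[str, Tuple[Optional[str], List[Endpoint]]], alias: str,
                  consumer_id: str, consumer_scopes: Optional[Set[str]],
                  grants: Optional[Iterable[ConsentGrant]], now: datetime) -> Dict[str, List[Dict[str, str]]]:
    """Not-found resolves exactly like not-permitted: same shape, no separate error path."""
    alias_privacy, endpoints = directory.get(alias, ("private", []))
    return resolve(endpoints, alias_privacy, consumer_id, consumer_scopes, grants, now)


# Constructed sample data (not real identifiers, addresses or accounts).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=2)          # after the sample grant below has expired
SAMPLE_ENDPOINTS = [
    Endpoint("ep-wallet", "crypto_wallet", "public", "active", "payments:read", "bc1qexampleonly0000"),
    Endpoint("ep-bank", "bank_account", "consent_required", "active", "payments:read",
             "DE00123456789012345678", "tok_bank_01"),
    Endpoint("ep-old", "bank_account", "unlisted", "suspended", "payments:read",
             "GB00000000000000001111", "tok_bank_02"),
    Endpoint("ep-hidden", "crypto_wallet", "private", "active", "payments:read", "bc1qneverdisclosed"),
    Endpoint("ep-unknown", "crypto_wallet", None, "active", "payments:read", "bc1qunknownlevel"),
]
DIRECTORY = {"alice": ("unlisted", SAMPLE_ENDPOINTS)}
GRANTS = [ConsentGrant("ep-bank", "merchant-42", NOW + timedelta(days=1))]

if __name__ == "__main__":
    print(resolve_alias(DIRECTORY, "alice", "merchant-42", {"payments:read"}, GRANTS, NOW))
    print(resolve_alias(DIRECTORY, "nobody", "merchant-42", {"payments:read"}, GRANTS, NOW))
```

Resolving `alice` for `merchant-42` with a valid grant discloses the wallet address and the bank account as `last4` + token only; the suspended, `private` and unknown-level endpoints drop out. With the consent store unavailable (`grants=None`) or at `LATER`, only the wallet remains, and an unknown alias returns the same `{"endpoints": []}` as a consumer with no scope, so the response shape leaks nothing about whether the alias exists. Timing equivalence is not shown here; a real resolver would also need constant-shape work on the not-found path.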
Privacy invariants
These must never be violated:
- Default privacy is `unlisted`; nothing is enumerable or listable.
- `private` endpoints are never in any external disclosure set.
- `consent_required` discloses only under a valid grant; uncertainty → omit.
- Returned fields are the minimal entitled set; sensitive values stay tokenized.
- Not-found and not-permitted are indistinguishable in shape and timing.
- Revocation/expiry of consent takes effect on the next resolution.
- Erasure renders PII irrecoverable via crypto-erasure, while the permanent identity UUID and a non-PII tombstone persist.
- Every disclosure-relevant and rights action is audited.
Security posture
Data-subject rights
“Identity is permanent” is reconciled with erasure rights via tombstoning + crypto-erasure: the permanent UUID and a minimal non-PII record persist, but destroying the per-subject key renders the encrypted PII unreadable everywhere at once. Access, portability, rectification, and restriction (set private, revoke consent, suspend resolution) are all supported and audited.
Legal note