Every day, an individual carries out tens of online transactions: from logging into social networks and opening bank accounts to signing electronic contracts. Alongside convenience, however, comes an ever-present risk: personal data belongs to users, but control lies in the hands of centralized storage systems.

In today’s prevailing digital service model, user identity is managed in the form of separate “accounts” on each platform. Users usually have only two choices: either click “accept” to provide all required information in order to use the service, or be denied access altogether.

Once permission has been granted, citizens find it extremely difficult to know how their data is being processed, which third parties it is shared with, or how long it is retained. In particular, the ability to revoke access after data is provided is almost nonexistent. As a result, personal data is copied and stored across multiple locations, turning users into targets of data leaks and information abuse.

Faced with this reality, advanced jurisdictions such as Singapore and the EU have shifted toward citizen-centric digital identity models. In Vietnam, the NDAKey solution developed based on the philosophy of Self-Sovereign Identity (SSI) is believed to fundamentally address this problem.

Proving information instead of submitting data

The most significant change introduced by NDAKey is the shift from a mindset of “collecting and storing data” to “verifying information when necessary.”

In traditional transactions, users are often required to submit images of their citizen ID cards or complete personal dossiers, the actions that carry the risk of unauthorized copying. 

With NDAKey, information is stored directly on personal devices in the form of Verifiable Credentials (VC). When verification is required, users do not need to resubmit full documents; instead, they present a suitable Verifiable Presentation (VP) that matches the specific context.

The NDAKey operating model consists of three parties: the Issuer, which is an authorized authority or organization responsible for issuing VCs and ensuring the reliability of source data; the Holder, namely the citizen who stores VCs in a digital identity wallet and retains full control over sharing decisions; and the Verifier, such as banks, insurance companies, or healthcare organizations, which only verify VPs and do not collect or store original data.

Nguyen Phu Dung, Chief Executive Officer of PILA Group JSC, commented: “This model returns control over data to citizens themselves. People decide which data is shared, with whom, and under what circumstances. This also reflects the spirit of the 2025 Personal Data Protection Law, under which all data processing activities must be based on clear and transparent consent.”

Ending the exposure of original data

The key mechanism protecting privacy of this solution is selective disclosure combined with Zero-Knowledge Proof (ZKP) technology.

This technology allows users to prove a specific attribute, such as meeting age requirements or holding appropriate qualifications, without revealing their underlying personal data. 

All information is end-to-end encrypted and stored directly on personal devices rather than in centralized systems, thereby safeguarding privacy and minimizing the risk of unauthorized copying or exploitation.

For organizations such as banks, insurance companies, or administrative agencies, applying this model helps shorten the paperwork process and reduces dependence on centralized data warehouses. When they do not have to store the original data of users, these units also can reduce operating costs and legal risks if a cybersecurity incident occurs.

In terms of infrastructure, this solution complies with international standards (W3C DID, ZKP) and operates on the NDAChain blockchain platform to ensure transparency. The system only records valid issuing and verifying organizations and absolutely does not store private data of citizens on the network.

With a nationwide implementation roadmap starting from 2026, NDAKey is expected to become a reliable digital identity infrastructure. When self-sovereign identity is popularized, every citizen can proactively manage their digital identity, and every organization can minimize data risks, moving toward the goal of protecting information for more than 100 million people sustainably.

Du Lam