# ZevID
Status: in-progress reference implementation
ZevID's section is being written first as the reference implementation. Other product teams use this section as a worked example of how to fill out the template. Drafted by the ZevID team, reviewed by the DPO; will be marked complete once every linked file has substantive content beyond the template scaffolding.
**Resolved by deployment owner (2026-05-15)**

- Encryption keys in prod — `FIELD_ENCRYPTION_KEY`, `PHONE_HASH_PEPPER`, `ADMIN_JWT_SECRET` and the JWT RS256 keys are all set with strong values. Ops-only access.
- Hosting — AWS us-east-1 (database) + Zev-owned VPS in Ashburn, VA (NestJS app). Cloudflare R2 for file uploads. ZeptoMail for email. Termii for SMS. Better Stack for both Sentry-compatible exceptions and structured logs.
- Cron functionality — all crons functional as set up.
- Login-events retention — 90 days is the deliberate policy.
- KYC retention — 7 years post-account-deletion (CBN AML); implementation pending — see `retention.md`.
- Public products — `zevpay`, `zevcommerce`, `zevcloud`, `zevworkspace`. Other `oauth_clients` rows are internal / not-yet-launched. Per-product enrollment is consent-gated; no auto-creation.
**Outstanding TODOs in this section**

Search the section for **TODO:** to find each in context. The bigger gaps:

- Specific AWS service — RDS / Aurora / Neon-on-AWS / self-managed Postgres on EC2?
- VPS provider — which provider hosts the Ashburn, VA VPS?
- Vendor DPAs — signed-on dates with AWS, Cloudflare, ZeptoMail, Termii, Better Stack.
- Security hardening toggles in prod — `JWT_ACCESS_TOKEN_EXPIRY`, `JWT_REFRESH_TOKEN_EXPIRY`, `REFRESH_TOKEN_ROTATION`, `CSRF_ENFORCE`, `PKCE_REQUIRED`, `REDIRECT_URI_STRICT`, `ADMIN_TOKEN_RS256`, `INTERNAL_ENFORCE_IP`.
- Backup retention at AWS for the database; R2 versioning configuration on the file-upload bucket.
- Subject-rights gap — no `DELETE /v1/account/me` endpoint, no Privacy view in the user portal, no SAR-export tooling. Remediation plan in `subject-rights.md` — DPO sign-off needed.
- Retention for non-cron-purged tables — `zpip_token_log`, `zpip_consent_requests` (terminal-state rows), `invites`, `referrals` are unbounded today; policy decisions needed.
- DPO designation — name + contact at ZevOP Technologies Limited; reflected in `dpoLiaison` frontmatter and `policies/dpo.md`.
- NDPC registration — is ZevOP Technologies Limited registered under NDPA / GAID? Registration number?
- Admin staff headcount + role distribution — needed to populate `access-control.md`.
- On-call rotation + dependency-scanning tool in use + audit of Ops-team secret reads.
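The hardening toggles in the TODO list are known by name only; their production values have not been confirmed. The TypeScript below is an added example, not ZevID's own code, of a fail-closed audit that reads those eight variables from an environment map and reports which are missing, disabled or outside a safe range. The accepted formats (`true`/`1`/`yes`/`on` for booleans, bare seconds or `15m`/`30d`-style durations for expiries) and the expiry ceilings are assumptions, since the page does not document how the NestJS app parses them; the sample environment is constructed for illustration.

```typescript
// Added example (not ZevID code): audit the production hardening toggles.
// Assumed formats: booleans "true"/"1"/"yes"/"on" (and their negations);
// expiries as bare seconds or "<n>s|m|h|d". Anything unrecognised is treated
// as unset, never as enabled, so the audit fails closed.

type Level = 'ok' | 'warn' | 'fail';
interface Finding { name: string; level: Level; detail: string; }
type Env = Record<string, string | undefined>;

const BOOLEAN_TOGGLES = [
  'REFRESH_TOKEN_ROTATION', 'CSRF_ENFORCE', 'PKCE_REQUIRED',
  'REDIRECT_URI_STRICT', 'ADMIN_TOKEN_RS256', 'INTERNAL_ENFORCE_IP',
];

// Assumed ceilings for an identity provider; tune to the written policy.
const EXPIRY_MAX_SECONDS: Record<string, number> = {
  JWT_ACCESS_TOKEN_EXPIRY: 15 * 60,            // 15 minutes
  JWT_REFRESH_TOKEN_EXPIRY: 30 * 24 * 3600,    // 30 days
};

const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };

function parseBool(raw: string | undefined): boolean | undefined {
  if (raw === undefined) return undefined;
  const v = raw.trim().toLowerCase();
  if (['true', '1', 'yes', 'on'].indexOf(v) !== -1) return true;
  if (['false', '0', 'no', 'off'].indexOf(v) !== -1) return false;
  return undefined; // unrecognised value: caller must not treat as enabled
}

function parseDurationSeconds(raw: string | undefined): number | undefined {
  if (raw === undefined) return undefined;
  const m = /^\s*(\d+)\s*([smhd])?\s*$/i.exec(raw);
  if (!m) return undefined;
  const unit = (m[2] || 's').toLowerCase();
  return Number(m[1]) * UNIT_SECONDS[unit];
}

function auditHardening(env: Env): Finding[] {
  const findings: Finding[] = [];
  for (const name of BOOLEAN_TOGGLES) {
    const val = parseBool(env[name]);
    if (val === true) findings.push({ name, level: 'ok', detail: 'enabled' });
    else if (val === false) findings.push({ name, level: 'fail', detail: 'explicitly disabled' });
    else findings.push({ name, level: 'fail', detail: 'unset or unparseable: ' + JSON.stringify(env[name]) });
  }
  for (const name of Object.keys(EXPIRY_MAX_SECONDS)) {
    const secs = parseDurationSeconds(env[name]);
    const max = EXPIRY_MAX_SECONDS[name];
    if (secs === undefined) findings.push({ name, level: 'fail', detail: 'unset or unparseable (app default unknown)' });
    else if (secs > max) findings.push({ name, level: 'warn', detail: secs + 's exceeds ceiling of ' + max + 's' });
    else findings.push({ name, level: 'ok', detail: secs + 's' });
  }
  return findings;
}

function levelOf(env: Env, name: string): Level | undefined {
  const f = auditHardening(env).filter(x => x.name === name)[0];
  return f ? f.level : undefined;
}

function isHardened(env: Env): boolean {
  return auditHardening(env).every(f => f.level === 'ok');
}

function formatReport(env: Env): string[] {
  return auditHardening(env).map(f => f.level.toUpperCase() + '  ' + f.name + ': ' + f.detail);
}

// Constructed sample of a partially hardened environment (not real prod values).
const SAMPLE_ENV: Env = {
  JWT_ACCESS_TOKEN_EXPIRY: '15m',
  JWT_REFRESH_TOKEN_EXPIRY: '90d',   // over the assumed ceiling -> warn
  REFRESH_TOKEN_ROTATION: 'true',
  CSRF_ENFORCE: '1',
  PKCE_REQUIRED: 'false',            // explicitly disabled -> fail
  REDIRECT_URI_STRICT: 'yes',
  ADMIN_TOKEN_RS256: 'TRUE',
  // INTERNAL_ENFORCE_IP deliberately absent -> fail
};

console.log(formatReport(SAMPLE_ENV).join('\n'));
```

In production the same audit would be run as `auditHardening(process.env)` from a deploy-time check, and the deployment owner could paste its output into this section in place of the TODO.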
## What this product is
ZevID is the centralised identity provider for the Zev ecosystem. It lives at accounts.zevop.com. Every Zev product authenticates users through ZevID and reads core user state from it (identity, KYC outcome, enrollments, cross-product permissions). ZevID is not a consumer product — users don't "use ZevID" the way they use ZevPay or ZevCloud. They sign up once at any Zev product and get a ZevID account behind the scenes.
## Regulatory scope
- NDPA, 2023 — primary obligation as a Nigerian data controller for identity data.
- NDPC GAID, 2025 — implementing rules including 72-hour breach notification, DPO designation, RoPA.
- Specific telecommunications / financial regulations do NOT apply directly to ZevID (those apply to the products that use ZevID for identity).
## Data-controller role
- Controller for: email, password (hashed), phone number, MFA enrolment data, login events, cross-product consent grants, OAuth authorisations, KYC verification record.
- Processor for: nothing. ZevID processes only its own data subjects' data, on the basis of the user's contract or consent.
- Source of truth for: identity, KYC outcome (written by ZevPay or any KYC-running product), cross-product permissions, enrollment registry.