🔵 Numira for Developers
⚠️ Template — not legal advice. The text below is a plain‑language starting point for the dSSO relying‑party (RP) relationship. It must be reviewed and finalized by qualified counsel for your jurisdiction (incl. Indonesia PDP Law / GDPR where applicable) before launch.

Relying Party Terms of Service

By registering an application and using “Login with Numira” (the dSSO service), you (the relying party, “RP”) agree to these terms.

  1. Purpose. The dSSO service lets a user authenticate to your application using a self‑sovereign wallet identity (an alias DID) and to selectively disclose attributes.
  2. Credentials. Your client_secret authenticates your backend; keep it confidential. You are responsible for all activity under your client_id.
  3. Redirect URIs. You must register exact redirect URIs and only use them for your own application.
  4. Availability. The staging service is provided “as is” without warranty and may change. Production SLAs, if any, are covered by a separate agreement.

Acceptable‑Use Policy

  1. No re‑identification or correlation. You must not attempt to re‑identify a user behind an alias DID, nor correlate a user’s alias across services, applications, or data brokers. This is the core privacy guarantee of decentralized SSO and a condition of access.
  2. Data minimization. Request only the claims your feature genuinely needs. Do not request attributes to build profiles beyond your stated purpose.
  3. No prohibited use. No unlawful, deceptive, or rights‑infringing use; no attempt to probe, overload, or circumvent the service’s security or consent mechanisms.
  4. Enforcement. We may suspend or revoke your client_id for violations.

Data‑Processing & Privacy notes

  1. What you receive. On a successful login: the user’s per‑RP alias DID (sub) and only the claims the user explicitly disclosed for that login. Internal fields (e.g. credential ids, commitments) are never released.
  2. Lawful basis. Treat each login as the user’s consent to process the disclosed attributes for the stated purpose only. You are the data controller for what you receive and store.
  3. Retention. Retain disclosed attributes no longer than necessary for the stated purpose; honour user deletion requests for data you hold.
  4. No selling / brokering. You must not sell, rent, or share disclosed attributes or alias identifiers with third parties except sub‑processors strictly necessary to deliver your service.
  5. Security. Protect the client_secret, tokens, and any stored claims with industry‑standard controls; report suspected compromise promptly.

Acceptance of these terms is recorded against your app at registration time (tos_accepted_at). Questions: contact the HaraDID team.