Security & Privacy

What user personally identifiable information (PII) is stored?

NFTgate stores user emails and only accesses them to send automated emails (e.g. after a completed purchase) or in rare cases to proactively reach out to resolve support issues. We don’t store any other user PII.

How is the NFTgate Wallet private key data stored?

NFTgate Wallets are generated on the client inside an iframe that is inaccessible from NFTgate. The key is encrypted with the master key stored in an AWS Hardware Security Module (HSM). When revealing their private key, a buyer’s web client interacts directly with AWS HSM/KMS (source).

Wallet private keys are never sent through or stored on NFTgate’s or our vendor’s servers. Data in AWS is encrypted at rest with AES-256.

How is credit card data stored?

NFTgate’s payment provider(s) are certified to PCI Service Provider Level 1, the highest standard set by the payment card industry to ensure that credit card data is processed, stored or transmitted in a secure environment (source).

This data is never sent through NFTgate’s servers.

How is password data stored?

NFTgate doesn’t use passwords! Logging into an NFTgate Wallet and our Seller dashboard is done through password-less authentication tied to your email address. For this reason, please keep strong password hygiene on your email account and consider adding multi-factor authentication to it.

How is buyer identity verification data stored?

Buyer identity verification data (i.e. KYC) is transferred via TLS-encrypted connections directly to our payment vendor(s) and is encrypted at rest with AES-256 (source). This data is only accessible to employees whose job role may require reviewing KYC.

This data is never sent through NFTgate’s servers.

How is seller identity verification data stored?

Seller identity verification data (i.e. KYB) that you upload in the dashboard is sent via TLS-encrypted connections, using a time-limited pre-signed URL, to NFTgate’s AWS S3 bucket. The S3 bucket is not exposed to the public internet, is encrypted with an AWS KMS-managed key, has all employee interactions logged, and is only accessible to key employees whose job role requires reviewing KYB.

This data is never sent through NFTgate’s servers.

How do you handle GDPR data access or deletion requests?

A customer can contact us at [email protected] to request that their data be provided or deleted. We will comply with the request within 90 calendar days.