Sensitive data on public blockchain? Here’s how to do it safely

Erez Tison

When working with blockchain in the age of GDPR, the protection of sensitive user data becomes the main concern. If you need to work with data on a public blockchain, here’s how to do it safely.

In the age of GDPR, when working with blockchain, we have a lot of things to keep in mind. INVioU’s platform uses public blockchain technology to create new possibilities for invoice factoring for small and medium businesses, by recording electronic financial documents (such as invoices) on the Ethereum network and leveraging smart contract technology.

Obviously, there are more than a few tech challenges for this platform: How to protect users’ sensitive data on a public blockchain? What about European GDPR compliance? How to keep the decentralized, open source spirit of public blockchain? Is Ethereum the right choice? How to store extensive amounts of data on an expensive blockchain?

Privacy and GDPR

To meet these two requirements, we designed a system in which no sensitive data leaves the user’s machine unencrypted. Encryption and decryption of the financial records’ data take place solely on the user’s client side, so no unencrypted data is transferred out of the user’s own machine at any stage, and the INVioU server never holds private keys for any user at any time.

So, how do you share one user’s data with other selected users? For this purpose we took advantage of an advanced Proxy Re-Encryption scheme that allows secure delegation of decryption rights, enabling private data sharing between participants in public networks while ensuring no data damage or loss.

This pattern enables GDPR compliance: INVioU controls neither the data nor the private keys of any user.


We love blockchain, and decentralization is a key factor in our vision. We therefore made sure the INVioU platform is decentralized by design: while the INVioU web application and server provide a simple and efficient user experience, the technology is open-sourced for the use of the community and for the sake of transparency. It is important to note that the INVioU platform’s entire cryptography protocol and smart contract invocation can be used by users through other encryption and blockchain access tools.

Choosing the right public blockchain network

While working on the Ethereum network has its scalability drawbacks, we chose to work with it due to its widespread usage, well-known smart contract standards, and the EVM’s Turing-complete abilities, which we aim to use for:

Token generation of VioU – The platform’s currency, VioU, is an ERC-20 compliant token, to make the users’ interaction with the platform as smooth as possible.

Token Utilities – Users will pay operational fees in the network with VioUs, and both users and developers will be rewarded with VioUs for expanding use of the network.

Financial Records are Non-Fungible Tokens – The financial records, which are fundamental parts of the system, are themselves ERC-721 compliant tokens; this standard allows smart contracts to operate as tradeable tokens. ERC-721 tokens are unique in that the tokens are non-fungible.

Efficient authenticity – Ethereum & IPFS

Storing data in an Ethereum smart contract costs gas, far more than other storage options cost, so we picked a safe combination: on-chain we store only the unique record data and an IPFS hash pointing to the complete (encrypted) record data, which is stored off-Ethereum on IPFS. Using an IPFS hash to represent a file while storing only that hash in the immutable Ethereum blockchain guarantees authenticity for the IPFS file, meaning that any change to the IPFS file will result in a modified hash that will no longer match the one stored in the blockchain.
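A client-side check of the property described above, as an added example that is not INVioU's code: it recomputes the CIDv0 of a fetched encrypted record and compares it with the hash stored on-chain. It assumes the record was added as a single-chunk UnixFS file with IPFS's CIDv0 defaults (SHA-256, 256 KiB chunker); the function names and the sample bytes are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CHUNK_LIMIT = 262144  # assumed default chunk size; larger files form a multi-block DAG

def varint(n: int) -> bytes:
    """Encode an unsigned integer as a protobuf varint."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def base58btc(data: bytes) -> str:
    """Base58 (Bitcoin alphabet); leading zero bytes map to '1'."""
    n, text = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        text = B58[rem] + text
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + text

def cid_v0(blob: bytes) -> str:
    """CIDv0 of a single-chunk UnixFS file wrapped in a dag-pb node."""
    if not 0 < len(blob) <= CHUNK_LIMIT:
        raise ValueError("only non-empty single-chunk records are handled here")
    size = varint(len(blob))
    # UnixFS Data message: Type=File (field 1), Data (field 2), filesize (field 3)
    unixfs = b"\x08\x02" + b"\x12" + size + blob + b"\x18" + size
    node = b"\x0a" + varint(len(unixfs)) + unixfs  # PBNode.Data, no links
    return base58btc(b"\x12\x20" + hashlib.sha256(node).digest())  # sha2-256 multihash

def verify_record(onchain_cid: str, fetched: bytes) -> bool:
    """True only if the fetched bytes hash to the CID recorded on-chain."""
    try:
        return cid_v0(fetched) == onchain_cid
    except ValueError:
        return False

# Constructed sample: 64 bytes standing in for a client-side encrypted invoice.
SAMPLE_CIPHERTEXT = bytes(range(64))
ONCHAIN_CID = cid_v0(SAMPLE_CIPHERTEXT)  # stands in for the hash stored in the token

if __name__ == "__main__":
    tampered = SAMPLE_CIPHERTEXT[:-1] + b"\x00"
    print(ONCHAIN_CID, verify_record(ONCHAIN_CID, SAMPLE_CIPHERTEXT),
          verify_record(ONCHAIN_CID, tampered))
```

Running the check on the bytes returned by a gateway, rather than trusting the gateway's own response, is what ties the off-chain ciphertext back to the on-chain record.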


Profiling users based on their records’ history and public digital footprint, using an AI risk management mechanism, can add important information for lenders calculating the risk of a loan. We believe this will help the system fit the loan terms to the user’s profile, allowing a further reduction in the loan’s pricing.


Erez Tison

Erez Tison is the CTO of INVioU, a top-notch tech leader with vast, hands-on experience in developing large consumer web apps, including mobile apps, AI systems and financial systems. He was formerly CTO, Software Architect and VP R&D at VATBox, NowForce, and Skillogic.
