
DPIA: Biometric Processing

Effective: March 8, 2026

This Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 because H33 processes biometric data, which constitutes special category data under Article 9. Processing biometric data for identification purposes at scale triggers the mandatory DPIA threshold.

1. Introduction

H33 provides biometric identity verification as a component of its post-quantum authentication platform. Biometric templates are used to verify the identity of end users during authentication flows. This DPIA assesses the data protection risks arising from this processing and documents the measures H33 has implemented to mitigate those risks.

The distinguishing characteristic of H33's biometric processing is that it is performed entirely on encrypted data using Fully Homomorphic Encryption (FHE). Biometric templates are never stored or processed in plaintext within H33 systems.

2. Processing Description

Technical Architecture

  • Encryption scheme: BFV (Brakerski/Fan-Vercauteren) lattice-based FHE with parameters N=4096, single Q=56-bit modulus, t=65537 (H33-128 security level)
  • Enrollment: Biometric templates are FHE-encrypted at the point of enrollment. The plaintext template exists only momentarily on the client device during capture. Once encrypted, the template is transmitted to H33 as a ciphertext.
  • Storage: Templates are stored exclusively as FHE ciphertexts. No plaintext biometric data exists in H33 systems at rest.
  • Verification: Identity verification is performed via BFV homomorphic inner product computation on encrypted templates. The FHE engine computes the similarity score without decrypting the templates.
  • Batching: 32 biometric templates are batched per ciphertext using SIMD encoding (4096 slots / 128 dimensions = 32 users). This is a performance optimization that does not affect privacy properties.
  • Result: The encrypted match score is decrypted only to produce a binary yes/no authentication decision. The raw score is not retained.
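The batching and verification steps above are easier to reason about with the slot arithmetic written out. The following Python is an added example, not H33 code: it simulates the BFV SIMD slot layout in the plaintext domain (an ordinary list of N=4096 integers modulo t=65537), packing 32 templates of 128 dimensions per "ciphertext", multiplying slot-wise against a replicated probe, and reducing each 128-slot block with log2(128) rotate-and-add steps, which is the homomorphic inner-product pattern the page describes. It also checks the caveat an FHE integrator must handle: a signed 128-dimensional inner product must stay within t/2 or it wraps modulo t, so templates are quantised to an assumed bound Q. Only N, t, the dimension, the batch size and the 1:1 yes/no decision come from the page; the quantisation bound, the function names and the sample templates are assumptions, and no real encryption takes place here.

```python
"""Plaintext-domain simulation of the batched BFV inner-product verification.

Added example, not H33 code. BFV SIMD encoding gives N slots per ciphertext;
the FHE engine multiplies slot-wise and uses rotations (Galois automorphisms)
to sum each 128-slot block. The same arithmetic is done here on a plain list
modulo t so the packing, the reduction and the modulus-overflow bound can be
checked without an FHE library.
"""
from __future__ import annotations

import random

N = 4096                  # BFV ring dimension = number of SIMD slots (page)
T = 65537                 # plaintext modulus t (page)
DIM = 128                 # template dimension (page)
USERS_PER_CT = N // DIM   # 32 templates per ciphertext (page)
# Assumption: templates are quantised to integers in [-Q, Q]. A signed inner
# product of two such vectors lies in [-DIM*Q^2, DIM*Q^2]; that must fit in
# (-t/2, t/2] or the result wraps modulo t. 128 * 16^2 = 32768 = t // 2.
Q = 16


def centered(x: int) -> int:
    """Map a residue in Z_t to the signed integer in (-t/2, t/2]."""
    x %= T
    return x - T if x > T // 2 else x


def pack(templates: list[list[int]]) -> list[int]:
    """Lay templates end to end: user u occupies slots u*DIM .. u*DIM+DIM-1."""
    if len(templates) > USERS_PER_CT:
        raise ValueError("more templates than one ciphertext can hold")
    slots = [0] * N
    for u, tpl in enumerate(templates):
        if len(tpl) != DIM or any(abs(v) > Q for v in tpl):
            raise ValueError(f"template {u} is not a quantised {DIM}-vector")
        slots[u * DIM:(u + 1) * DIM] = [v % T for v in tpl]
    return slots


def probe_vector(probe: list[int]) -> list[int]:
    """Replicate the probe into every block so one slot-wise multiply serves all users."""
    return [probe[i % DIM] % T for i in range(N)]


def slotwise_mul(a: list[int], b: list[int]) -> list[int]:
    return [(x * y) % T for x, y in zip(a, b)]


def rotate(v: list[int], k: int) -> list[int]:
    """Cyclic left rotation by k slots (the plaintext analogue of a BFV rotation)."""
    return v[k:] + v[:k]


def block_sum(v: list[int]) -> list[int]:
    """After log2(DIM) rotate-and-add steps, slot i holds the sum of slots i..i+DIM-1."""
    k = 1
    while k < DIM:
        v = [(x + y) % T for x, y in zip(v, rotate(v, k))]
        k *= 2
    return v


def batched_scores(templates: list[list[int]], probe: list[int]) -> list[int]:
    """Inner product of the probe against every packed template, read from slot u*DIM."""
    ct = pack(templates)
    summed = block_sum(slotwise_mul(ct, probe_vector(probe)))
    return [centered(summed[u * DIM]) for u in range(len(templates))]


def plain_inner_product(a: list[int], b: list[int]) -> int:
    """Reference computation used to check the slot arithmetic."""
    return sum(x * y for x, y in zip(a, b))


def verify(templates: list[list[int]], user: int, probe: list[int], threshold: int) -> bool:
    """1:1 verification: only the yes/no decision leaves this function, not the score."""
    return batched_scores(templates, probe)[user] >= threshold


def sample_templates(seed: int) -> list[list[int]]:
    """Constructed sample data: 32 pseudo-random quantised templates."""
    rng = random.Random(seed)
    return [[rng.randint(-Q, Q) for _ in range(DIM)] for _ in range(USERS_PER_CT)]


if __name__ == "__main__":
    tpls = sample_templates(7)
    print(batched_scores(tpls, tpls[5])[:8])
    print("self-match accepted:", verify(tpls, 5, tpls[5], threshold=0))
```

The bound on Q is the part worth carrying over to a real deployment: with t=65537 and 128 dimensions, either the quantisation range or the accumulation strategy has to guarantee that no inner product exceeds t/2, otherwise a high-similarity match can wrap to a negative score and be rejected (or, with unsigned decoding, a low score can wrap to a high one).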

3. Necessity and Proportionality

3.1 Necessity

Biometric authentication provides stronger security guarantees than knowledge-based (passwords) or possession-based (SMS OTP, hardware tokens) authentication methods. For high-sensitivity operations -- such as financial transactions, identity verification for regulated industries, and access to critical systems -- biometric step-up authentication is necessary to meet the security requirements of H33's customers.

3.2 Proportionality

H33's use of FHE encryption for biometric processing is a proportionate measure that minimizes privacy risk to the greatest extent technically feasible:

  • Data minimization by design: FHE encryption ensures that biometric data exposure is zero during processing. H33 systems compute on ciphertexts, never on plaintext biometric data.
  • Purpose limitation: Biometric data is used exclusively for identity verification. No secondary uses (profiling, surveillance, behavioral analysis) are permitted by policy or technically enabled.
  • Less invasive alternatives: Password and SMS OTP authentication are available as fallback methods. Biometric step-up is required only for Critical and High sensitivity operations as defined by the customer's configuration.
  • Template irreversibility: FHE ciphertexts cannot be reversed to extract the original biometric data without the secret decryption key, which is never stored alongside templates.

4. Risk Assessment

The following table identifies the principal risks to data subjects arising from biometric processing, their assessed likelihood and impact, the mitigations in place, and the residual risk after mitigation.

  • Risk: Template extraction from data breach
    Likelihood: Very Low | Impact: High | Residual risk: Very Low
    Mitigation: FHE encryption -- all stored templates are ciphertexts. Without the secret key, extracted ciphertexts are computationally unusable. BFV-64 lattice security provides 128-bit classical security.
  • Risk: Unauthorized biometric matching
    Likelihood: Low | Impact: High | Residual risk: Low
    Mitigation: Rate limiting on verification endpoints, Dilithium-signed audit logging for every verification attempt, admin-only access to decryption capabilities, 15-minute session freshness window.
  • Risk: Template database compromise
    Likelihood: Very Low | Impact: Critical | Residual risk: Very Low
    Mitigation: BFV lattice-based encryption with 128-bit security level. Post-quantum resistant (secure against both classical and quantum adversaries). Database encryption at rest (AES-256). VPC network isolation.
  • Risk: Function creep (surveillance use)
    Likelihood: Very Low | Impact: High | Residual risk: Very Low
    Mitigation: Processing purpose contractually limited to authentication. Technical architecture does not support 1:N identification (only 1:1 verification). Customer terms prohibit surveillance use. Annual compliance audit.
  • Risk: Consent withdrawal inability
    Likelihood: Low | Impact: Medium | Residual risk: Very Low
    Mitigation: Documented deletion procedure: ciphertext deleted from all systems, decryption keys cryptographically destroyed within 30 days. Backup purge within 90 days. Written confirmation provided to data subject.

5. Data Subject Consultation

Users provide consent to biometric processing at the point of enrollment. H33 ensures that consent meets the GDPR standard for processing special category data (Article 9(2)(a)):

  • Freely given: Biometric authentication is not the sole authentication method. Users may choose alternative methods (password + OTP) without loss of service access for standard-sensitivity operations.
  • Specific: Consent is specific to biometric identity verification. No blanket consent for unrelated processing purposes.
  • Informed: The privacy policy and enrollment flow explicitly explain that biometric data will be FHE-encrypted, that H33 systems never access plaintext biometrics, and how the data will be used, stored, and deleted.
  • Unambiguous: Consent is captured via an affirmative opt-in action (explicit checkbox or biometric capture initiation by the user).
  • Withdrawable: Users may withdraw consent at any time by contacting privacy@h33.ai or through their account settings. Withdrawal triggers the deletion procedure described in Section 6.

6. Safeguards

The following technical and organizational safeguards are implemented to protect data subjects' biometric data:

  • FHE encryption: Biometric templates never exist as plaintext in H33 systems. All storage and computation occurs on FHE ciphertexts. This is the primary safeguard and the architectural foundation of H33's privacy-preserving design.
  • Post-quantum security: BFV lattice-based encryption is resistant to attacks from both classical and quantum computers. The 128-bit security level exceeds current NIST recommendations for long-term protection of sensitive data.
  • Dilithium-signed audit trail: Every biometric operation (enrollment, verification, deletion) is recorded in a tamper-evident audit log signed with Dilithium (ML-DSA, FIPS 204) post-quantum digital signatures.
  • 15-minute freshness window: Biometric verification sessions expire after 15 minutes. Stale sessions cannot be replayed or reused.
  • Template deletion on consent withdrawal: When a user withdraws consent, all biometric ciphertexts are deleted from active systems and the associated decryption keys are cryptographically destroyed, rendering any remaining backup copies permanently unrecoverable.
  • No cross-purpose use: Biometric data is architecturally isolated from other H33 products (Vault, Share). There is no data pipeline or API that could transmit biometric data to non-authentication systems.
  • Access controls: Decryption operations require administrative-level access. The FHE secret key is stored in AWS Secrets Manager with IAM role restrictions. No single engineer has unilateral access to both ciphertexts and keys.
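Two of the safeguards above, the tamper-evident audit trail and the 15-minute freshness window, are mechanisms rather than policy, so a small implementation shows what they actually enforce. The following Python is an added example, not H33 code. The page says records are signed with Dilithium (ML-DSA, FIPS 204); no ML-DSA implementation ships with Python's standard library, so this stand-in authenticates each record with HMAC-SHA256 under a key held by the log service and chains records by tag, which gives tamper evidence but not the third-party verifiability a signature provides. The record fields, event names, key and timestamps are assumptions.

```python
"""Hash-chained, keyed audit log plus a session freshness check.

Added example, not H33 code. HMAC-SHA256 stands in for the Dilithium
signature the page describes; swapping in ML-DSA means replacing _tag() with
sign() and the compare in verify() with a public-key verification.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

FRESHNESS_WINDOW_S = 15 * 60   # page: verification sessions expire after 15 minutes
GENESIS = "0" * 64             # chain anchor for the first record


def is_fresh(issued_at: float, now: float, consumed: set, session_id: str) -> bool:
    """Accept a verification session only if it is inside the window and unused.

    consumed is the set of session ids already spent; marking a session spent
    on first use is what stops a captured session from being replayed even
    inside the 15-minute window.
    """
    if session_id in consumed:
        return False                                    # replay of a used session
    if not 0 <= now - issued_at <= FRESHNESS_WINDOW_S:
        return False                                    # stale, or issued in the future
    consumed.add(session_id)
    return True


@dataclass
class AuditLog:
    key: bytes                                          # assumed: held by the log service only
    records: list = field(default_factory=list)

    def _tag(self, body: bytes) -> str:
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, event: str, subject: str, ts: int) -> dict:
        """Record one biometric operation (enrollment, verification, deletion)."""
        prev = self.records[-1]["tag"] if self.records else GENESIS
        body = json.dumps(
            {"event": event, "subject": subject, "ts": ts, "prev": prev},
            sort_keys=True,
        ).encode()
        rec = {"body": body.decode(), "tag": self._tag(body)}
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record authenticates and the chain is unbroken."""
        prev = GENESIS
        for rec in self.records:
            body = rec["body"].encode()
            if not hmac.compare_digest(self._tag(body), rec["tag"]):
                return False                            # record body or tag altered
            if json.loads(rec["body"])["prev"] != prev:
                return False                            # record removed or reordered
            prev = rec["tag"]
        return True


def build_sample_log() -> AuditLog:
    """Constructed sample: one user's enrollment, a verification, and a deletion."""
    log = AuditLog(key=b"constructed-demo-key-not-for-production")
    log.append("enrollment", "user-42", 1_700_000_000)
    log.append("verification", "user-42", 1_700_000_500)
    log.append("deletion", "user-42", 1_700_100_000)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    spent = set()
    print("fresh:", is_fresh(1000.0, 1000.0 + 899, spent, "s1"))
    print("replay:", is_fresh(1000.0, 1000.0 + 900, spent, "s1"))
```

The freshness check rejects three things separately: a session used twice, a session older than the window, and a session stamped in the future (which would otherwise pass an age-only check). The chain check catches both edited records and deleted middle records, which a per-record tag alone would not.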

7. DPO Approval

Data Protection Officer: Eric Beans

Assessment: This DPIA has been reviewed and the residual risks identified are acceptable given the comprehensive safeguards in place. The use of FHE encryption for biometric processing represents the most privacy-preserving approach currently feasible for production biometric authentication systems.

Approval date: March 8, 2026

Status: Approved

8. Review

This DPIA is reviewed annually, or when a material change occurs in biometric processing that could affect the risk assessment. The next scheduled review is March 2027.

Material changes that would trigger an immediate DPIA review include:

  • Changes to the FHE encryption scheme, parameters, or security level
  • Introduction of new biometric modalities (e.g., voice, iris, gait)
  • Changes to the batching architecture or template storage format
  • Introduction of 1:N identification capabilities (currently only 1:1 verification is supported)
  • Changes to the consent mechanism or lawful basis for processing
  • New data recipients or sub-processors with access to biometric ciphertexts
  • Security incidents involving biometric data systems

Questions about biometric data processing?

Contact our Data Protection Officer at privacy@h33.ai