W3C VC 2.0 COMPLIANT DISTF ACCREDITATION TRACK NZ DATA RESIDENCY: AWS AP-SOUTHEAST-2
OL
Platform Overview
Onboarding Limited · NZ Employment Credential Platform · est. 2026
Platform initialised in accreditation-track mode. All transactions are logged with consent references. Data residency: NZ (AWS ap-southeast-2). No credentials have been issued yet — this is your clean-start baseline.
Credentials Issued
0
Ready to issue
● System ready
Active Holders
0
Workers / entities
● Wallet integration ready
Accreditation Readiness
74%
6 items outstanding
⚠ In progress
Audit Log Entries
12
System events captured
● Tamper-evident
TFA Accreditation Progress
74%
ready
Company registered — Onboarding Limited
NZ Companies Register · March 2026
W3C VC 2.0 technical stack built
SD-JWT VC · EdDSA · did:web · Bitstring Status List
Credential schemas defined (NZ Employment, H&S, Trade)
JSON-LD context published · GitHub
Consent recording system operational
Per-transaction consent log · Privacy Act 2020 aligned
Audit log — tamper-evident, immutable
All issuance, verification, revocation events captured
Contact TFA — pre-application engagement
TFA@dia.govt.nz · Schedule within 30 days
Privacy Impact Assessment
Draft complete · Independent review needed
Independent security evaluation
Commission TFA-approved evaluator
Independent privacy evaluation
Commission TFA-approved evaluator
Submit TFA accreditation application
Target: Q3 2026
Credential Types Available
NZ Employment Agreement
Employer signed · NZBN anchored
Ready
H&S Certification
WorkSafe NZ / Site Safe aligned
Ready
Trade Licence
EWRB / PGDB / LBP registry wrapper
Ready
IRD Identity Anchor
RealMe verified identity binding
Pending
Data Residency
✓ NZ Only
All credential data, keys, and audit logs processed and stored exclusively within New Zealand jurisdiction (AWS ap-southeast-2). No personal or organisational information transmitted outside NZ. Meets DISTF requirement for data sovereignty disclosure.
REGION
ap-southeast-2
PROVIDER
AWS / Mattr VII
Issue Credential
Every field is recorded with consent reference · W3C VC 2.0 · SD-JWT signed
Credential Type
Consent Declaration · DISTF Rule 10(1)
By issuing this credential, Onboarding Limited confirms: (a) valid authorisation has been received from the credential subject; (b) the subject has been informed of what is being authorised; (c) this consent event will be recorded with timestamp and transaction reference as required under the Digital Identity Services Trust Framework Rules 2024.
VC 2.0 Preview
SD-JWT
// W3C Verifiable Credential 2.0
// Secured: SD-JWT (VC-JOSE-COSE)
// Issuer DID: did:web:onboarding.nz

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://onboarding.nz/contexts/employment/v1"
  ],
  "type": ["VerifiableCredential", "NZEmploymentCredential"],
  "issuer": {
    "id": "did:web:onboarding.nz",
    "name": "Onboarding Limited"
  },
  "validFrom": "2026-03-15T00:00:00Z",
  "credentialSubject": {
    "id": "did:key:z6Mk...",
    "holderName": "—",
    "employerName": "—",
    "nzbn": "—",
    "employmentType": "permanent",
    "role": "—",
    "startDate": "—"
  },
  "credentialStatus": {
    "type": "BitstringStatusListEntry",
    "statusListIndex": "0",
    "statusListCredential": "https://onboarding.nz/status/1"
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-rdfc-2022",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "did:web:onboarding.nz#key-1"
  }
}
Selective disclosure: Holder can present employment status without revealing IRD number, pay band without revealing role, or any subset of claims. Zero personal data shared beyond what the verifier requests.
Accreditation Readiness
Digital Identity Services Trust Framework · Trust Framework Authority (TFA) · DIA
The Trust Framework Register currently has zero accredited providers. Being first on the register is a significant commercial and trust signal. Target submission: Q3 2026.
Technical Readiness
92%
VC 2.0 · SD-JWT · DID · Status List
Governance Readiness
65%
PIA drafted · Evals outstanding
Operational Readiness
70%
Audit log live · Security plan needed
Technical Standards
92%
  • W3C VC 2.0 data model compliant
  • SD-JWT VC format (VC-JOSE-COSE)
  • EdDSA / eddsa-rdfc-2022 cryptosuite
  • Bitstring Status List v1.0 for revocation
  • did:web issuer DID published
  • OID4VCI issuance protocol
  • OID4VP presentation protocol
  • Selective disclosure — attribute-level
  • ~ISO 18013-5 mDL support (optional path)
  • ~Credential format questionnaire — drafted
Privacy (Privacy Act 2020)
68%
  • Consent recorded per transaction (Rule 10)
  • Data minimisation — selective disclosure native
  • No phone-home verification (Rule 27)
  • No cross-issuer tracking or correlation
  • NZ data residency — AWS ap-southeast-2
  • ~Privacy Impact Assessment — drafted, not reviewed
  • ~Te ao Māori data governance consideration
  • Independent privacy evaluation — not commissioned
  • Privacy evaluator appointed (designated person)
Security & Risk Management
70%
  • Cryptographic key management (HSM-backed)
  • Key rotation policy defined
  • Tamper-evident audit log
  • Credential revocation within 24hrs
  • Data breach response procedure drafted
  • ~Security risk assessment — in progress
  • ~Security management plan — drafted
  • Independent security evaluation — not commissioned
  • Penetration test — not completed
Identification Management
80%
  • NZ Identification Standards awareness
  • RealMe verified identity as identity anchor
  • NZBN employer verification integrated
  • Holder binding — cryptographic (DID key)
  • ~ID management evaluation — prepare for DIA
  • Independent ID management evaluator — not engaged
Governance & Operations
60%
  • Company registered — Onboarding Limited
  • Information governance plan — drafted
  • 6-monthly reporting template prepared
  • DINZ membership — targeted
  • ~TFA pre-application contact — scheduled
  • Designated privacy officer appointed
  • TFA application form — not started
  • Accreditation mark agreement — pending
Consent & Authorisation
95%
  • Per-transaction consent capture (Rule 10)
  • Consent recorded with timestamp + txn ref
  • Only subject can authorise presentation
  • No consent bundling for unrelated activities
  • Consent records immutable, audit-linked
  • User informed of all data collected
  • Consent withdrawal mechanism available
  • ~Consent UI copy — legal review needed
Audit Log
Tamper-evident · Immutable · All events captured per DISTF Rule 10(6)
System Event Feed
● Live
09:14:03
Platform initialised — Onboarding Limited v1.0.0
SYSTEM · did:web:onboarding.nz · NZ residency confirmed · AWS ap-southeast-2
09:14:05
🔑
Issuer DID generated — did:web:onboarding.nz
KEY_GEN · Ed25519 · key-1 · HSM-backed · rotation policy: 12mo
09:14:06
📋
Credential schemas loaded — Employment, H&S, Trade Licence, Identity Anchor
SCHEMA_LOAD · W3C VC 2.0 · JSON-LD context · https://onboarding.nz/contexts/v1
09:14:07
📡
Bitstring Status List initialised — revocation registry ready
STATUS_LIST · https://onboarding.nz/status/1 · 131072 entries · W3C BitstringStatusList v1.0
09:14:08
Consent recording system activated — per-transaction capture enabled
CONSENT_SYS · DISTF Rule 10(1)(c) compliance mode · immutable log active
09:14:09
OID4VC endpoints activated — issuance and presentation protocols ready
PROTOCOL · OID4VCI draft-14 · OID4VP 1.0 · No phone-home verification mode
09:14:10
🛡
Anti-correlation controls active — verifier activity not tracked or correlated
PRIVACY · DISTF Rule 27 · Presentation unlinkability enabled
09:14:11
📊
6-monthly reporting templates loaded — TFA compliance reporting ready
GOVERNANCE · Regulation 19(1) · Report period: 2026-01 to 2026-06
09:14:12
Accreditation readiness baseline scan complete — 74% ready, 6 items outstanding
ACCRED_SCAN · DISTF Act 2023 · Regulations 2024 · Rules 2024 (July revision)
Audit Log Integrity
TOTAL ENTRIES
12
INTEGRITY
100%
HASH CHAIN
SHA-256
TAMPER CHECK
PASS
Current log chain hash
sha256:a4f2e9c1b8d7f3e0a1c5b9d4e8f2a6c0
b3d7e1f4a8c2b6d0e3f7a1c5b9d4e8f2
Each log entry includes: timestamp, actor DID, action type, affected credential ID, consent reference, and hash of previous entry.
DID & Key Management
Decentralised Identifiers · Cryptographic signing keys · did:web method
Issuer DID Document
did:web
Issuer DID
did:web:onboarding.nz
DID Document URL
https://onboarding.nz/.well-known/did.json
"@context": ["https://www.w3.org/ns/did/v1"]
"id": "did:web:onboarding.nz"
"verificationMethod": [{
  "id": "did:web:onboarding.nz#key-1"
  "type": "Ed25519VerificationKey2020"
  "controller": "did:web:onboarding.nz"
}]
"assertionMethod": ["#key-1"]
Signing Keys
Primary Signing Key
Active
ID: did:web:onboarding.nz#key-1
Algorithm: Ed25519
Created: 2026-03-15
Rotation: 2027-03-15
Storage: HSM-backed (AWS KMS)
Recovery Key
Standby
ID: did:web:onboarding.nz#key-recovery
Algorithm: Ed25519
Use: Key rotation events only
Storage: HSM-backed (AWS KMS)
Credential Schemas
NZ-specific JSON-LD contexts · Published openly · First-mover schema ownership
NZEmploymentCredential v1
Published W3C VC 2.0
Context: https://onboarding.nz/contexts/employment/v1
ClaimTypeSelective DisclosureDISTF Aligned
holderNamestringYes
employerNamestringYes
nzbnstringYes
employmentTypeenumYes
rolestringYes
startDatedateYes
payBandstringYes — optional
NZHealthSafetyCertification v1
Published W3C VC 2.0
Context: https://onboarding.nz/contexts/hs/v1
ClaimTypeSelective DisclosureDISTF Aligned
certificationNamestringYes
issuingBodystringYes
certNumberstringYes
issuedDatedateYes
expiryDatedateYes
scopestring[]Yes
Verify Credential
No credential data stored · Verification activity not tracked · DISTF Rule 27
Privacy-preserving verification: this system verifies the cryptographic proof only. No personal data is logged. Verifier activity is not correlated across presentations, complying with DISTF Rule 27.
Paste or scan credential JWT
Verification Result
Awaiting credential input…
Consent Records
Every authorisation captured · DISTF Rule 10(1)(c) · Immutable log
Consent Register
0 records
📋
No credentials issued yet. Consent records will appear here with each issuance.
Each record captures: timestamp · holder DID · issuer DID · claims authorised · consent method · transaction ref
Privacy Controls
Privacy Act 2020 · DISTF Privacy Rules · Te ao Māori data governance
Active Privacy Controls
  • No phone-home verification
    Verifiers check credentials offline — no server callback to Onboarding Limited at verification time
  • Anti-correlation
    Verifier activity not tracked or correlated across presentations — DISTF Rule 27
  • Selective disclosure native
    Holder presents only the claims needed for each interaction — not the full credential
  • Data minimisation by design
    Schemas built to collect only what is necessary — pay band optional, IRD only for identity binding
  • NZ data residency
    All processing in AWS ap-southeast-2. Disclosed to users at consent capture.
  • ~
    Privacy Impact Assessment
    Draft complete — independent reviewer not yet engaged
  • ~
    Te ao Māori data governance
    DISTF requires ethical handling including Māori perspective — consultation needed
Privacy Impact Assessment Status
PIA drafted but requires independent review before TFA application. Commission a TFA-approved privacy evaluator.
Data flows mappedDone
Risk identificationDone
Mitigation controlsDone
Independent reviewPending
2-yearly review schedule setPending
Issued Credentials
All credentials issued by Onboarding Limited · W3C VC 2.0
No credentials issued yet
Issue your first NZ employment credential to get started.
Integrations
Government data sources · Industry partners · Wallet ecosystem
Government Integrations
RealMe Verified Identity
Identity anchor for holder binding — DIA
Setup required
NZBN Registry
Employer verification — MBIE
Setup required
NZ Government Wallet
Govt.nz app — credential delivery (2026)
Planned
NZ Verify
Mattr's verifier app — cross-credential verification
Planned
Industry Partners
Site Safe NZ
H&S card issuance — 200k+ cardholders
Outreach
EWRB
Electrical Workers Registration Board
Outreach
Mattr VII Platform
Core VC infrastructure — AWS NZ hosted
Target partner