This page describes how the Ministry of the Interior handles personal data at a technical level. It is intended to satisfy reasonable scrutiny without disclosing operational detail that would assist an attacker. Specific products, key names, ciphers, network paths, and storage layouts are deliberately omitted; they are documented internally and are reviewed by the Office of the Privacy Auditor.
The legal framing for these controls is set out in the privacy policy and the Privacy Act.
1. Encryption at rest
All personally-identifying fields in the Republic's databases are encrypted at rest.
- Encryption keys are managed by a dedicated key-management system isolated from the application services. Keys are generated, rotated, and stored only on that system, and are never exported to the application services in plaintext form.
- Every decrypt operation against personal data is logged.
- Identity documents, selfies, and identity-verification videos are encrypted with industry-standard authenticated encryption before being written to storage. The keys for those files are likewise held by the key-management system and are not present on disk.
2. Encryption in transit
- All public traffic uses modern TLS, terminated at the Republic's edge and re-encrypted on the route to the Government's services.
- Service-to-service traffic is restricted to the Government's internal network. It is not reachable from the public internet.
- Internal calls are authenticated; no plaintext credentials live in source control or in environment files outside the key-management system.
3. Secret management
The Government operates a single, internally-administered source of truth for credentials used by the public services. There is no parallel secret store. Each service holds only the credentials necessary to authenticate to that source, and is granted only the secrets it needs to do its job.
The secret store is not directly reachable from the public internet.
4. Audit logging
Every access to personal data is logged. The audit log records:
- The acting account (where applicable).
- The action — for example, application viewed, application file accessed, sign-in event.
- The IP address and user-agent string of the request.
- A timestamped record of the action.
Audit log entries are stored separately from the personal data they describe. They are retained for seven years under the Service Charter Act.
The Privacy Auditor has read access to the audit log without further authorisation; the Auditor's reviews are based on it.
5. Retention windows
The Ministry's principle is that verification material is destroyed as soon as it is no longer needed.
- Identity-verification documents, selfies, and videos: deleted irreversibly 30 days after the application reaches a final state (approval, rejection, or withdrawal). The retention exists to allow operational follow-up in the immediate aftermath of a decision.
- Account profile data: retained until the data subject requests deletion through the Citizen Portal.
- Citizen Identity Number, tier, and tier history: retained indefinitely. These are part of the civil registry and remain after account deletion. They contain no personally-identifying information.
6. Right-to-deletion processing
Account deletion in the Citizen Portal is structured around a 30-day grace period, during which the request can be cancelled by the data subject without intervention from the Ministry.
When the grace period ends:
- The identity service's account record is replaced with a tombstone. The email and password fields are overwritten with non-recoverable values, and the account is marked deleted.
- The Citizen Portal's profile data (display name, bio, avatar, language preference) is purged.
- Uploaded files (avatars, application documents) are removed from storage.
- The CMP number, the tier, the tier history, and audit-log entries identifying the account are retained, in line with the retention table in the privacy policy.
The deletion is irreversible.
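As an added illustration, not the Ministry's code, the grace-period and tombstone logic described in this section modelled in Python. The record layout, the example CMP number format, the profile field names, and the use of random tokens as the "non-recoverable values" are assumptions; the page does not specify them.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
GRACE_PERIOD = timedelta(days=30)  # section 6

@dataclass
class Account:  # assumed layout; the page does not describe the real schema
    cmp_number: str        # retained: civil registry
    tier: str              # retained
    tier_history: list     # retained
    audit_entries: list    # retained (held separately from the data in practice)
    email: str
    password_hash: str
    profile: dict          # display name, bio, avatar, language: purged
    files: list            # avatars, application documents: removed
    deletion_requested_at: Optional[datetime] = None
    deleted: bool = False

def cancel_deletion(acct: Account, now: datetime) -> bool:
    # Self-service cancellation is only possible while the grace period runs.
    req = acct.deletion_requested_at
    if req is None or now - req >= GRACE_PERIOD:
        return False
    acct.deletion_requested_at = None
    return True

def finalise_deletion(acct: Account, now: datetime) -> bool:
    req = acct.deletion_requested_at
    if req is None or now - req < GRACE_PERIOD:
        return False  # nothing requested, or still inside the grace period
    # Random tokens, not hashes of the originals (a hash could be matched to known addresses).
    acct.email = f"deleted-{secrets.token_hex(16)}@invalid"
    acct.password_hash = "!" + secrets.token_hex(32)  # can never verify
    acct.profile, acct.files, acct.deleted = {}, [], True
    return True

def run_scenario() -> dict:
    # Constructed walk-through: request, early attempt, late cancel, finalise.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("CMP-EXAMPLE-0001", "tier-2", ["tier-1", "tier-2"], ["sign-in"],
                   "a@example.test", "$argon2id$...", {"name": "A."}, ["avatar.png"])
    acct.deletion_requested_at = t0
    early = finalise_deletion(acct, t0 + timedelta(days=29))
    late_cancel = cancel_deletion(acct, t0 + GRACE_PERIOD)
    done = finalise_deletion(acct, t0 + GRACE_PERIOD)
    return {"early_refused": not early, "late_cancel_refused": not late_cancel,
            "tombstoned": done and acct.deleted and not (acct.profile or acct.files)
                          and "example.test" not in acct.email,
            "registry_kept": (acct.cmp_number, acct.tier, acct.audit_entries)
                             == ("CMP-EXAMPLE-0001", "tier-2", ["sign-in"])}
```

The scenario shows the two failure modes worth checking: finalisation cannot run early, and cancellation is refused once the window has closed.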
7. Annual review by the Privacy Auditor
The Privacy Auditor conducts an annual review of:
- The Ministry's compliance with this page and the privacy policy.
- The access policies attached to each service.
- A statistical sample of the audit log, looking for anomalous decryption patterns.
- Any breach reports made under section 9 of the privacy policy.
The Auditor publishes the review on the news page within 60 days of completion.
8. What the Ministry does not do
- We do not run analytics. There is no analytics tag, no pixel, no third-party telemetry on any Government service.
- We do not log request bodies. Application-layer logs redact passwords, tokens, and known PII fields before they are written.
- We do not sell, rent, or share personal data with commercial third parties.
- We do not transfer personal data outside the Republic's infrastructure, with the single exception of card-payment data necessarily routed through our payment processor.
9. Reporting concerns
If you believe the Ministry has mishandled your data, write to the Privacy Auditor at [email protected]. The Auditor responds to complaints within 30 days.