Building Digital Trust Through Zero Data Storage and Decentralised Identity

As India’s digital public infrastructure expands, privacy is evolving from a compliance requirement into the foundation of digital trust. In this interview, Siddharth Sharma, Chief Information and Innovation Officer at Digi Yatra Foundation, discusses decentralised identity, zero data storage, dynamic consent, and how privacy-by-design can enable innovation, efficiency, and user control at scale.

India’s digital public infrastructure ecosystem is expanding rapidly across sectors. From your perspective, how is the conversation around data privacy evolving from a compliance-led discussion to a larger question of digital trust and governance?

The conversation is shifting because compliance is merely a baseline. Historically, organisations treated privacy as a legal hurdle. Today, in the context of India’s rapidly expanding digital public infrastructure, privacy is the foundation of digital trust. This change is being led by responsible-by-design and privacy-by-design principles, alongside technologies such as Self-Sovereign Identity (SSI), where individuals actually control their data.

We often hear the cliché that data is the new oil, but its real value lies in motion, not in storage. Accumulating data does not create value; it creates liability. That is the model Digi Yatra is built on: personal data is never stored in centralised repositories, which is what we call zero data storage, reducing breach risks and eliminating single points of failure. Credentials are securely generated and stored on the user’s device, shared only on a need-to-know basis through encrypted channels. Trust is no longer just a policy; it is cryptographically enforced.

As organisations increasingly adopt AI, biometrics and real-time identity verification technologies, what are some of the biggest misconceptions businesses still have about responsible data usage and consent management?

One major misconception is that accumulating vast amounts of data inherently improves AI and operational efficiency. The reality is that mass data collection creates massive liability. Strict data minimisation—collecting only what a specific transaction requires—actually sharpens system performance and drastically reduces security risks. This fundamentally shifts the paradigm from KYC to DKYC (‘Don’t Know Your Customer’), where we can verify a user’s credentials without actually holding their underlying identity data.

Another persistent misunderstanding is treating consent as a static, one-time checkbox at onboarding. Consent must be dynamic, granular and easily revocable. Organisations must move away from monolithic consent frameworks and unbundle permissions so users can opt into specific capabilities without compromising their entire digital footprint.

Over the last few years, consumers have become far more aware and sensitive about how their personal data is collected, stored and processed. How do you see this shift influencing the way enterprises design digital experiences and customer journeys going forward?

Enterprises are being forced to redesign customer journeys so that data control sits directly with the user. We are moving away from fragmented, process-heavy journeys towards seamless experiences anchored in local, on-device processing. When consumers know a platform does not retain their sensitive data, their willingness to engage increases. Digi Yatra’s own adoption curve—100 million voluntary journeys—is direct evidence of this shift.

Customer-centricity now means addressing functional pain points alongside emotional concerns around data safety. The friction of repetitive form-filling is being replaced by seamless, cryptographically secure handshakes between the user’s personal device and the enterprise system.

In high-scale ecosystems such as airports and public-facing digital platforms, how important is “privacy by design” today versus treating privacy as a post-deployment compliance layer? What does true privacy-first architecture practically look like?

Answer: Treating privacy as a post-deployment patch in high-scale ecosystems is an operational hazard. Retrofitting privacy into centralised architectures inevitably leaves systemic vulnerabilities and data silos.

A privacy-first architecture flips this approach—it minimises data collection and avoids central storage entirely through what we call zero data storage, an architecture that embeds privacy and security into the system’s core. Increasingly, zero data storage should be seen not as a limitation but as a design requirement for any system that handles sensitive identity data at scale.

Practically, this means adopting decentralised identity frameworks where user credentials remain on personal devices, not on our servers. Verification happens through encrypted, time-bound exchanges using Decentralised Identifiers (DIDs), X509 certificates and verifiable credentials based on W3C standards, ensuring data is shared only when required and never stockpiled.

A privacy-first architecture flips this approach—it minimises data collection and avoids central storage entirely through what we call zero data storage, an architecture that embeds privacy and security into the system’s core.

With the Digital Personal Data Protection Act now shaping conversations across industries, what are the key governance priorities organisations should be focusing on beyond just regulatory adherence?

Beyond adhering to the DPDP Act, organisations must operationalise data minimisation at the architectural level. Governance must transition from policy documents to code. This requires implementing rigorous, automated data lifecycles where purging is not a manual clean-up task, but an immutable function of the system. At Digi Yatra, our 24-hour data deletion is system-enforced, not policy-stated—the purge is an immutable function of the architecture, not a manual process initiated by the team.

Additionally, governance teams should focus on implementing globally recognised standards for credential verification rather than building proprietary silos. Interoperability and security are not competing priorities, but that balance only holds when the underlying standards are open, auditable and globally aligned.

As India moves towards increasingly interoperable and connected digital ecosystems, how can organisations balance personalisation, operational efficiency and innovation without compromising user privacy and data minimisation principles?

The balance is struck by leveraging decentralised architecture alongside edge computing. Personalisation does not require an organisation to hold a comprehensive profile of a user on their servers. By using verifiable credentials, organisations can query a user’s device for specific attributes—such as confirming a valid ticket or exchanging a simple yes-or-no response for age verification—without ingesting the underlying data, such as ticket details or date of birth. At Digi Yatra, the platform confirms a passenger’s biometric identity at the boarding gate without retaining their booking history, seat number or flight details. That is personalised, frictionless service with zero data residue.

Operational efficiency is enhanced when matching and processing happen at the edge, on the user’s mobile hardware or at the physical point of service. Systems designed for data minimisation from day one carry less liability, lower storage costs and a smaller breach surface. That is the operational case, beyond the ethical one.

There is growing discussion globally around decentralised data frameworks, tokenisation and consent-driven architectures. Which emerging approaches or global best practices do you believe Indian organisations should pay closer attention to over the next few years?

Indian organisations should closely watch the evolution of consent-driven data-sharing frameworks and start by looking inward. India is already ahead of much of the world here with the development of frameworks such as the Data Empowerment and Protection Architecture (DEPA) and the Account Aggregator ecosystem, which have demonstrated what privacy-centric, consent-based data sharing can look like at population scale. That foundation needs to be built upon, not treated as a solved problem. We are seeing major shifts this year alone, with Aadhaar officially embracing verifiable credentials and selective disclosure via the new Aadhaar App, proving that these privacy-first models can operate seamlessly at a national scale.

Beyond that, Self-Sovereign Identity architectures based on W3C standards, including W3C-based verifiable credentials, are enabling seamless, secure digital experiences without centrally storing personally identifiable information. Work towards alignment with IATA’s One ID framework shows how the same principles apply to international travel. Digi Yatra is also actively working towards alignment with ISO/IEC 18013-5 and 18013-7, the paired international standards that define how mobile credentials are presented at physical checkpoints and verified remotely online, which will be critical infrastructure for cross-border interoperability in the years ahead.

India is already ahead of much of the world here with the development of frameworks such as the Data Empowerment and Protection Architecture (DEPA) and the Account Aggregator ecosystem, which have demonstrated what privacy-centric, consent-based data sharing can look like at population scale.

Digi Yatra has often spoken about building a seamless passenger experience anchored in privacy-by-design principles. Could you elaborate on how the platform approaches data security, user consent and governance differently in the context of biometric-enabled travel?

Built on responsible-by-design principles, Digi Yatra is anchored in a privacy-first philosophy, where passenger convenience never comes at the cost of data ownership. Digi Yatra is opt-in by design. Passengers choose to enrol, choose which airports to use the service at, and can delete their accounts and all associated data at any time with a single tap. That is consent as a live, exercisable right, not a buried terms-and-conditions clause.

Unlike conventional biometric systems that rely on centralised databases, our platform follows what we call DKYC (‘Don’t Know Your Customer’), an architecture in which we deliberately collect no more than a journey requires and retain nothing beyond it. Technically, this means zero data storage within a decentralised SSI framework. A passenger’s personally identifiable information remains securely stored only on their own device.

Verification is enabled through Decentralised Identifiers (DIDs) and verifiable credentials aligned to W3C standards. Every journey generates a new identifier, preventing passenger tracking across airports. The data shared with the departure airport is automatically and permanently deleted within 24 hours of travel, mitigating mass breach risks and reinforcing total user control.

Digi Yatra has witnessed significant user adoption in recent years. What key milestones achieved in FY26 have laid the foundation for growth in FY27?  

The technical groundwork and user trust established over the past year have driven real scale. As of this week, Digi Yatra has crossed the 100 million journey milestone across 38 operational airports, supported by over 24 million app downloads. Entry processing time has been reduced from 15 seconds to 5 seconds per passenger—a measurable operational gain delivered without any compromise on privacy.

This level of scale validates the robustness of our backend infrastructure and proves that voluntary adoption follows privacy-first design. Key FY26 milestones include the successful IATA-aligned contactless international travel proof of concept with IndiGo at Kempegowda International Airport, Bengaluru, and Digi Yatra’s first large-scale non-aviation deployment at the India AI Impact Summit 2026. In FY27, this critical mass allows us to focus on deeper airport and airline integrations, expand language support to 22 regional languages, and drive new ecosystem partnerships beyond aviation, including travel, hospitality and large-scale public venues.

What role will international collaborations or global interoperability play in Digi Yatra’s roadmap going forward? How does Digi Yatra see its contribution to India’s broader digital public infrastructure?

International collaboration is the immediate next priority. As passengers travel across geographies, there is a growing need for digital identity systems that work securely across borders without centralising data.

Our successful IATA-aligned contactless international travel proof of concept demonstrates that India’s approach to biometric travel can scale globally.

We are also actively working towards alignment with ISO/IEC 18013-7, one of the standards that define how mobile travel credentials are presented at physical checkpoints and verified remotely, which will serve as the technical bridge for seamless cross-border credential verification. Digi Yatra contributes to India’s broader digital public infrastructure by providing a functional, high-throughput blueprint for identity verification that does not compromise citizen privacy. It proves that large-scale efficiency and uncompromising data sovereignty are not mutually exclusive.