# Security & Access Control

#### Document Access Rules

The rules for accessing sensitive user documents are strict and enforced on-chain:

1. User: Can always decrypt their own documents.
2. Government: Whitelisted government addresses can decrypt any user's documents for audit and compliance.
3. Third-Party Protocols: Can only verify the status of a user's DID (e.g., "is this user over 18?"). They cannot access the underlying documents.

#### Encryption Flow

1. Documents are encrypted client-side using Seal, with the `Government Whitelist` contract ID as a parameter.
2. The encryption key is derived from the whitelist ID and a unique nonce.
3. All addresses in the government whitelist are automatically granted decryption rights.
4. The user's own address is added as an approved address for their specific documents, ensuring they retain access.