Account Sovereignty

Learn about account sovereignty and data responsibility

When choosing how your application connects to BlueNexus (see Connecting Users), it’s important to understand the concept of sovereignty — who ultimately controls and owns the user’s account and data.

In short:

  • If you want user-controlled accounts and to minimize the risk that comes with handling user data, use the "Sign In with BlueNexus" or "Connect BlueNexus" integration strategy.

  • If you need complete control and a custom UX, are not concerned with user sovereignty, and have the capability to meet the resulting compliance obligations, "White-Label Integration" is appropriate.

Understanding this trade-off is essential to balancing user sovereignty, privacy, and regulatory responsibility in your BlueNexus integration strategy.

User-Managed Accounts (Sovereign)

In the Sign In with BlueNexus and Connect BlueNexus models, the user retains full ownership and control of their BlueNexus account, making them self-sovereign. Their credentials, tokens, and personal data are controlled by the user, but processed by BlueNexus.

This approach ensures:

  • User autonomy: The user can manage their account settings, permissions, and data directly with BlueNexus.

  • Enhanced privacy: Sensitive authentication data never passes through or resides in your application’s infrastructure.

  • Regulatory coverage: BlueNexus assumes responsibility for user data compliance, security, and identity management under applicable regulations (e.g., GDPR, CCPA).

For most developers, this model significantly reduces compliance and security burden, since data protection, consent, and account lifecycle management are handled by BlueNexus.

Developer-Managed Accounts

In the White-Label Integration model, your application creates and manages BlueNexus accounts programmatically on behalf of users. While this allows for a completely seamless, branded user experience, it also means you become the data controller for those accounts.

As a result:

  • Your application is responsible for data privacy, consent, and regulatory compliance.

  • You must ensure secure storage of access tokens, refresh tokens, and user-linked credentials.

  • You carry full data protection obligations, including handling deletion requests, data exports, and security incident response.

This model offers the highest degree of flexibility but also the greatest operational responsibility. It is especially critical to evaluate this approach carefully in regulated industries such as healthcare, finance, and education, where data retention, encryption, and audit requirements are more stringent.
