Skip to content
Security & trust

Security

Built to beaudited.

The controls compliance teams and regulators expect — baked in, not bolted on. Signed webhooks, tamper-evident audit trails, source-direct data, and biometrics that never touch your servers.

Controls

What complianceteams expect.

HMAC-signed webhooks

Every callback is signed with HMAC-SHA256, so you can verify it genuinely came from us.

Full audit trail

Every verification, case, SAR and key change is logged, searchable, and tamper-evident.

Role-based access

Granular, per-action permissions across identity and compliance — down to the individual capability.

Source-direct data

Registry lookups hit the government source — no third-party brokers, no cached records.

Biometrics stay safe

Capture happens inside the SDK; raw selfies and document images never touch your servers.

Built to global standards

Sanctions, PEP, adverse media and goAML SAR filing — baked in, not bolted on.

Data handling

Your users' data,handled with care.

01

Biometrics captured in the SDK

Selfies, liveness video and document images are captured client-side and sent straight to our verification pipeline. Your servers never handle raw biometrics — you receive results, not faces.

  • Client-side capture
  • Direct-to-pipeline upload
  • You store results, not biometrics
02

Sensitive data encrypted

ID numbers and other sensitive fields are protected with application-layer envelope encryption, with a searchable hash used for lookups so the plaintext is never queried by value.

  • App-layer AES-256-GCM
  • Hash-based search, never plaintext
  • Least-privilege access
03

Access you control

Define your own roles and grant fine-grained permissions across identity and compliance. Optional org-wide two-factor, session revocation, and a searchable audit log of every administrative action.

  • Org-defined roles & permissions
  • Two-factor + instant revocation
  • Every write audited

Standards

Regulator-readyby design.

HMAC-SHA256 webhooksgoAML XML SAR/STRRole-based access controlTwo-factor authenticationTamper-evident audit logApp-layer encryptionPerpetual KYCData-residency aware

Frequently asked

Securityquestions.

Capture happens inside the SDK and uploads directly to our verification pipeline. Your backend never receives raw selfies or document images — only the verification result and, if you request it, secured media URLs gated by a secret key.

Compliant by design.Auditable by default.

The identity and compliance backbone regulators ask about — ready today.