Security
Built to beaudited.
The controls compliance teams and regulators expect — baked in, not bolted on. Signed webhooks, tamper-evident audit trails, source-direct data, and biometrics that never touch your servers.
Controls
What complianceteams expect.
HMAC-signed webhooks
Every callback is signed with HMAC-SHA256, so you can verify it genuinely came from us.
Full audit trail
Every verification, case, SAR and key change is logged, searchable, and tamper-evident.
Role-based access
Granular, per-action permissions across identity and compliance — down to the individual capability.
Source-direct data
Registry lookups hit the government source — no third-party brokers, no cached records.
Biometrics stay safe
Capture happens inside the SDK; raw selfies and document images never touch your servers.
Built to global standards
Sanctions, PEP, adverse media and goAML SAR filing — baked in, not bolted on.
Data handling
Your users' data,handled with care.
Biometrics captured in the SDK
Selfies, liveness video and document images are captured client-side and sent straight to our verification pipeline. Your servers never handle raw biometrics — you receive results, not faces.
- Client-side capture
- Direct-to-pipeline upload
- You store results, not biometrics
Sensitive data encrypted
ID numbers and other sensitive fields are protected with application-layer envelope encryption, with a searchable hash used for lookups so the plaintext is never queried by value.
- App-layer AES-256-GCM
- Hash-based search, never plaintext
- Least-privilege access
Access you control
Define your own roles and grant fine-grained permissions across identity and compliance. Optional org-wide two-factor, session revocation, and a searchable audit log of every administrative action.
- Org-defined roles & permissions
- Two-factor + instant revocation
- Every write audited
Standards
Regulator-readyby design.
Frequently asked
Securityquestions.
Capture happens inside the SDK and uploads directly to our verification pipeline. Your backend never receives raw selfies or document images — only the verification result and, if you request it, secured media URLs gated by a secret key.
Compliant by design.Auditable by default.
The identity and compliance backbone regulators ask about — ready today.