Enterprise Security & Compliance
This page is the customer-facing security disclosure suitable for due diligence and security questionnaires. A fuller version with implementation appendices is available under NDA — contact your account team.
Privacy posture
VerifyHuman holds face images and ID documents only for as long as is needed to produce a verification result, then purges them. Specifically:
- Single-shot verifications (e.g.
/api/verify,/api/mobile/v1/verifyhuman/verify) process the uploaded image in memory and discard it as soon as the response is returned. No image bytes are written to disk. - Multi-step session flows (VerifyAge, VerifyIdentity, VerifyTrust) hold uploaded image bytes inside the verification session row so the flow can be assembled across requests. Session storage is encrypted at rest. Image bytes are cleared from the session as soon as the verification is submitted (pass or fail). Sessions that expire without being submitted (typically 30 minutes of inactivity) become unreachable through the API and are removed by routine housekeeping.
- No biometric templates / facial-feature vectors are ever persisted, in either flow.
- Compliance reports (KYC+ PDFs) are encrypted, delivered via signed one-time URL or SFTP, and purged after delivery.
What we do store long-term:
| Data | Purpose | Retention |
|---|---|---|
| Verification metadata (status, confidence, type, environment, timestamps) | Operations, billing, customer reporting | Per customer policy (default: indefinite, deletable on request) |
| Audit logs (sign-in, settings changes, role changes) | Security & compliance | 12 months default; longer on Enterprise |
| Customer account data (email, org, billing) | Account operation | Until account deletion |
What we do not retain after the verification completes:
- Face image bytes
- ID document image bytes (front, back, MRZ scans)
- Facial-feature vectors or biometric templates
- Compliance (AML/PEP) report PDF payloads (only a hit / no-hit summary is kept)
Data handling
| Concern | Approach |
|---|---|
| In transit | TLS 1.2+ for all customer traffic |
| At rest | AES-256 for database storage, encrypted backups |
| Compliance reports (PDF) | AES-256 encrypted, delivered via signed one-time URL or SFTP, then purged |
| Secrets | Stored in a managed secrets store, rotated on a documented cadence |
| PII minimization | OCR-extracted PII is held only long enough to produce the verification result |
Access controls
- Role-based access control (RBAC) with four standard roles and ~20 fine-grained permissions. See Roles & permissions.
- Single Sign-On (SAML / OIDC) via your IdP, with per-organization domain allowlisting and JIT provisioning. See SSO.
- Two-factor authentication for password-based login (email OTP and TOTP). See 2FA.
- API key scopes restrict each key to specific products. See API keys.
- Test/Live separation isolates non-production traffic from production data on every API key, webhook endpoint, and verification record. See Environments.
Webhook security
- Every webhook delivery is HMAC-SHA256 signed with a per-endpoint secret.
- Endpoints are HTTPS-only; private/loopback addresses are blocked at create time (SSRF protection).
- Failed deliveries follow exponential backoff and auto-disable after a consecutive-failure threshold.
- Each event has a stable
event_idfor idempotent processing. - Endpoints support secret rotation without downtime.
See Webhooks.
Audit logs
Sign-ins, settings changes, role changes, key creation/rotation/revocation, webhook configuration changes, and administrative overrides are all written to your organization's audit log. Logs include actor, target, before/after values, IP address, and timestamp.
Audit logs are exportable in CSV and can be streamed to your SIEM via the audit-event webhook channel.
Compliance posture
| Standard | Status |
|---|---|
| GDPR | Privacy by design (no biometric storage). Data Processing Addendum available. Data subject access and deletion requests supported via a single API call. |
| CCPA | Same posture as GDPR. Opt-out and deletion supported. |
| SOC 2 Type II | In progress. Letter of intent / current controls map available under NDA. |
| HIPAA | Out of scope by default; ePHI handling available under separate BAA on Enterprise. |
| KYC/AML | Sanctions/PEP screening via accredited third-party provider; encrypted PDFs for regulator delivery. |
| PCI | Not applicable — VerifyHuman does not store cardholder data. Stripe handles all payment instruments. |
Vendor & subprocessors
We maintain a current subprocessor list. Customers on Pro or Enterprise can subscribe to subprocessor-change notifications. Contact your account team for the current list.
Vulnerability handling
- All dependencies are scanned for known vulnerabilities on every build.
- A coordinated-disclosure policy is published; critical vulnerabilities are eligible for acknowledgment.
- Pen-test summary letters are available under NDA.
To report a security issue: security@verifyhuman.io.
Business continuity
| Aspect | Posture |
|---|---|
| Provider redundancy | The verification engine is provider-abstracted; we can shift face-recognition traffic between providers without a code deploy. |
| Backups | Encrypted daily backups with a documented restore RPO and RTO (available under NDA). |
| Incident response | 24/7 on-call rotation for production-impacting incidents. Status page at status.verifyhuman.io. |
| DR exercises | Quarterly. |
Customer responsibilities
You are responsible for:
- Securely storing the API keys you create.
- Configuring your IdP and managing user lifecycle in it.
- Configuring webhook endpoints over HTTPS, validating signatures.
- Honoring data-subject rights for data you store about your end users (we hold only verification metadata).
Documentation
- Privacy & data handling (FAQ)
- Roles & permissions
- Single Sign-On
- API keys & scopes
- Webhooks
- Two-factor authentication
- Test vs Live environments
For RFP / due-diligence packages including pen-test letters, subprocessor lists, and the SOC 2 progress letter, contact security@verifyhuman.io.