Certifications & standards
ISO/IEC 27001:2022
Continuously certified since 2020. iDenfy holds an ISO/IEC 27001:2022 certificate (No. 1512120135) issued by TÜV Thüringen under DAkkS accreditation. This certificate covers the development and provision of identity and business verification, fraud prevention and anti-money laundering software. Our most recent surveillance audit found zero non-conformities.
SOC 2 Type II
Independently audited for security, availability and confidentiality. iDenfy's SOC 2 Type II report covers a full 12-month examination period, with the attestation performed by House of CPA. A Type II report confirms that our controls are not only suitably designed but also operated effectively throughout that period, giving customers and their auditors documented assurance on how we handle and store data in production.
eIDAS Conformity
Certified for remote identity proofing under EU regulation. iDenfy holds an eIDAS Declaration of Conformity (No. eIDAS250020) issued by the Electrotechnical Testing Institute (EZU) in Prague, covering remote ID proofing using video identification assessed against Regulation (EU) No. 910/2014, ETSI TS 119 461, and ISO/IEC 30107-3:2023. This makes iDenfy one of the few identity verification providers certified to the highest European standards for electronic identification and trust services.
GDPR
Fully compliant with the EU General Data Protection Regulation (Regulation (EU) 2016/679). Designated Data Protection Officer, documented Data Processing Agreement (DPA), and all personal data stored within the EU.
How iDenfy handles compliance
Data processing
| Area | How we handle it |
|---|---|
| Data minimization | Only required data fields are collected per your verification configuration. We process only what is necessary for the verification purpose. |
| Processing locations | All data is processed and stored in the Amazon AWS Europe region in Dublin, Ireland (eu-west-1). Data is not transferred outside the EU unless Standard Contractual Clauses are in place. |
| Data residency | EU-based infrastructure by default. Configurable data residency options available upon request. |
| Retention | Configurable retention periods with automatic deletion. Default retention follows regulatory requirements (up to 10 years for AML-related records). Customer accounts are removed 60 days after closure. |
| Sub-processors | All sub-processors are documented, contractually bound, and subject to equivalent data protection obligations. Amazon AWS is treated as a subservice organization under the carve-out method in our SOC 2 report: its controls are described but not tested as part of our examination, so customers should rely on AWS's own SOC 2 report for those controls. |
| Data subject requests | Responded to within one month, as required by GDPR Art. 12(3). Customers can export their data at any time before account closure. |
Audit trail
Every verification produces a complete audit trail including:
- Timestamp of each verification step
- Document images and extracted data (OCR, MRZ)
- Liveness check results with anti-spoofing analysis
- Face matching results (document photo vs. selfie)
- AML screening results (PEP, sanctions, adverse media)
- Manual review decisions by in-house KYC experts (if applicable)
- Downloadable PDF verification reports for your compliance records
Security measures
| Measure | Detail |
|---|---|
| Encryption in transit | TLS 1.2 or 1.3 on all connections; older protocol versions are not accepted |
| Encryption at rest | AES-256-GCM on all stored data (databases, object storage, volumes, backups) |
| Key management | Managed key service with automatic rotation at least every 12 months |
| Callback signing | Webhook (callback) payloads are signed so the receiving system can verify their integrity and origin before acting on a verification result |
| API access control | IP whitelisting available for API access restriction |
| Web Application Firewall | WAF with anti-DDoS protection |
| Intrusion detection | Endpoint detection and response (EDR) with cloud-native threat monitoring |
| Network security | Default deny-all firewall rules; only business-justified traffic permitted |
| Vulnerability management | Continuous automated scanning and regular penetration testing |
| Vulnerability SLAs | Critical: 48 hours. High: 7 days. Medium: 1 month |
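Callback signing only protects you if your endpoint actually verifies the signature before it acts on a result. The block below is an added example of the receiver-side check, not iDenfy's own code, and the page does not describe iDenfy's signing scheme, so the scheme here is an assumption: HMAC-SHA256 over the timestamp and the raw request body, carried in hypothetical `X-Signature` and `X-Timestamp` headers. Consult the API documentation for the real header names and algorithm; the pitfalls it demonstrates (tampering, replay, non-constant-time comparison, verifying over re-serialised JSON) apply to any HMAC-signed webhook.

```python
"""Verify an HMAC-signed webhook callback (added example, not iDenfy's code).

Assumptions, because the page does not specify the scheme:
- signature = HMAC-SHA256(secret, "<timestamp>.<raw body bytes>") as hex;
- it arrives in hypothetical headers X-Signature and X-Timestamp (Unix seconds);
- callbacks whose timestamp is outside a tolerance window are treated as replays.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 300  # reject callbacks more than 5 minutes off our clock


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side: MAC over the timestamp and the exact bytes put on the wire."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], raw_body: bytes,
           now: Optional[int] = None) -> bool:
    """Receiver side. True only if the timestamp is fresh and the MAC matches.
    Do not parse or act on the body until this returns True."""
    now = int(time.time()) if now is None else now
    sig = headers.get("X-Signature", "")
    ts_raw = headers.get("X-Timestamp", "")
    if not sig or not ts_raw.isdigit():
        return False
    ts = int(ts_raw)
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or heavily skewed: treat as a replay
    expected = sign(secret, ts, raw_body)
    # Constant-time comparison: a plain `==` returns early on the first
    # mismatching byte, which leaks how much of a forged MAC is correct.
    return hmac.compare_digest(expected.encode(), sig.encode())


# Constructed sample data so the example runs offline; the secret, clock and
# body fields are illustrative and are not iDenfy's schema.
SECRET = b"example-shared-secret"
NOW = 1_700_000_000
RAW_BODY = b'{"scanRef":"abc-123","status":"APPROVED","clientId":"user-42"}'


def build_callback(secret: bytes, body: bytes, ts: int) -> Tuple[Dict[str, str], bytes]:
    """What a correctly signing sender would emit for this body."""
    return {"X-Signature": sign(secret, ts, body), "X-Timestamp": str(ts)}, body


def demo() -> Dict[str, bool]:
    headers, body = build_callback(SECRET, RAW_BODY, NOW)
    return {
        # genuine callback, received promptly
        "valid": verify(SECRET, headers, body, now=NOW),
        # attacker flips the decision but cannot produce a matching MAC
        "tampered_body": verify(SECRET, headers, body.replace(b"APPROVED", b"DENIED"), now=NOW),
        # identical callback captured and replayed ten minutes later
        "replayed": verify(SECRET, headers, body, now=NOW + 600),
        # pitfall: verifying over re-serialised JSON instead of the raw bytes
        # (json.dumps adds spaces after separators, so the MAC no longer matches)
        "reserialised": verify(SECRET, headers, json.dumps(json.loads(body)).encode(), now=NOW),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} -> {'accepted' if ok else 'rejected'}")
```

Two practical notes: read the request body as raw bytes and verify before any JSON parsing, since most frameworks will happily re-serialise and break the MAC; and treat the IP allowlisting offered in the table as a complement, not a substitute, because it says nothing about whether the bytes you received were altered in transit or replayed.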
Incident response
- Dedicated Incident Response Team (CEO, Security Officer, CTO)
- Response SLAs from immediate (catastrophic) to 2-3 business days (insignificant)
- Client breach notification within 8-24 hours of occurrence
- Data Protection Authority notification within 72 hours (GDPR Art. 33) where iDenfy is the controller; for client data that iDenfy processes on a client's behalf, the client is notified as controller so it can meet its own 72-hour deadline
- Root cause analysis and post-incident review after every incident
- Incident Response Plan tested annually
- Zero security incidents in the past 12 months
Secure development
- Agile/Scrum methodology with security integrated into every sprint
- All code reviewed via pull requests by engineers trained in secure coding
- Reviewed against OWASP Top 10 and SANS attack patterns
- Vulnerability scanning before every production deployment
- Separate development, staging, and production environments
- Production data never used in test/dev environments
- Annual secure coding training (OWASP principles) for all engineers
Data protection roles
iDenfy acts as a Data Processor when performing identity verification on behalf of clients. Your organization remains the Data Controller and determines the purposes and legal bases for processing. iDenfy acts as a Data Controller only for its own website, marketing, and recruitment activities. A standard Data Processing Agreement (DPA) is available for all customers.
Mapping features to requirements
| Requirement | iDenfy Feature | Relevant Framework |
|---|---|---|
| Customer identification | ID Verification (KYC) | AMLD5/6, MiCA, PSD2 |
| Beneficial owner verification | Business Verification (KYB) | AMLD5/6, Company Law |
| Sanctions & PEP screening | AML Screening | AMLD5/6, OFAC, EU Sanctions |
| Ongoing monitoring | AML Monitoring | AMLD5/6 |
| Liveness / biometric check | 3D Liveness Detection | eIDAS (Level of Assurance), PSD2 SCA |
| Proof of address | AI PoA Verification | AML CDD, Gambling regulations |
| Data retention & deletion | Identification Deletion | GDPR Art. 17 |
| Fraud risk assessment | Risk Scoring | PSD2, Internal risk policies |
| Re-authentication | Face Authentication | PSD2 SCA, eIDAS |
Regulatory framework guides
GDPR
Data protection for processing EU customer data. Covers data minimization, retention, right to erasure, and cross-border transfers.
AML Directives (AMLD5/6)
Anti-money laundering customer due diligence requirements for financial institutions.
eIDAS
EU electronic identification and trust services regulation.
Industry guides
Sector-specific requirements: fintech (MiCA, PSD2), crypto (Travel Rule), gambling.