
Role and processing location

Processor role: Didit acts as a data processor; you remain the data controller.
Processing region: EU by default. Enterprise accounts can enable in-country processing (local data residency) subject to availability and contract.
Regulatory posture: Designed to support GDPR and local data-protection regimes. Configure retention below to meet your obligations.
Need a DPA, TOMs, or other compliance attestations? Contact your Didit representative.

Retention controls

Configure retention in Business Console → App Settings → Data.
  1. Open retention settings: go to Business Console → App Settings → Data.
  2. Choose a retention policy: select a window from 1 month to 10 years, or leave it as unlimited (the default). Unlimited keeps session data until you delete it yourself, so teams with a data-minimization requirement should set an explicit window.
  3. Save: click Save to apply the policy to all future and existing sessions. Because the policy is retroactive, shortening the window makes existing sessions older than the new window eligible for deletion.
The policy applies to verification inputs/outputs, derived results, and operational metadata stored by Didit.
[Screenshot: Data retention settings in the Business Console]

Manual deletion

Delete individual sessions from the Console when you need one-off removals.
  1. Navigate to Dashboard → Verifications.
  2. Search or filter for the target session.
  3. Click the Delete button (top-right) and confirm.
[Screenshot: Delete a verification session from the Console]

Programmatic deletion

Delete a session via the API at any time by calling the Delete Session endpoint. Note the trailing slash in the path.
curl --request DELETE \
  --url https://verification.didit.me/v3/session/{session_id}/ \
  --header 'x-api-key: YOUR_API_KEY'
Response: Meaning
204 No Content: Session deleted successfully.
404 Not Found: Session already deleted or unknown session_id.
Deletion is irreversible. A repeated call for the same session_id returns 404 rather than an error, so treat both responses as success when retrying; this makes your purge step idempotent.

Process-and-purge pattern

For maximum data minimization, process verification data through Didit and purge it immediately after receiving results via webhooks.
  1. Create a session: your backend calls the Create Session API.
  2. Didit runs checks: identity, liveness, AML, and any other configured checks execute automatically.
  3. Receive webhook: Didit sends a webhook with status, session_id, vendor_data, and the full verification data. Verify the webhook signature before acting on the payload.
  4. Persist only what you need: store the minimum fields required for your records (e.g., status, vendor_data) and discard the rest of the payload.
  5. Delete from Didit: call the Delete Session API for that session_id to remove all data from Didit. Do this only after your own record has been written durably; the deletion is irreversible and the data cannot be fetched again afterwards.
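The following is an added example of the process-and-purge flow in Python; it is not Didit's own code. It uses the Delete Session URL and x-api-key header from this page and the 204/404 semantics from the response table. Everything else is assumed: the signature scheme (HMAC-SHA256 over the raw body, hex-encoded) is illustrative and must be replaced by the scheme in Didit's webhook documentation; FINAL_STATUSES, the function names (handle_webhook, delete_session, demo), the secret and key placeholders, and the sample webhook body are all constructed for the example. Only the standard library is used, and demo() runs offline against a fake sender so nothing is deleted while you read it.

```python
"""Process-and-purge webhook handler (added example; not Didit's own code)."""
import hashlib
import hmac
import json
import urllib.error
import urllib.request

DIDIT_API = "https://verification.didit.me/v3"   # Delete Session base URL from the page
MINIMAL_FIELDS = ("session_id", "status", "vendor_data")   # all we keep
# ASSUMPTION: which status values are final. Check your Didit configuration.
FINAL_STATUSES = frozenset({"Approved", "Declined"})


def sign_body(raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 hex digest of the raw webhook body."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, received_sig: str, secret: str) -> bool:
    """Constant-time signature check.

    ASSUMPTION: HMAC-SHA256 over the raw body, hex-encoded, is an illustrative
    scheme. Use the header name and algorithm from Didit's webhook docs.
    """
    return hmac.compare_digest(sign_body(raw_body, secret), received_sig)


def minimal_record(payload: dict) -> dict:
    """Keep only the business fields; images, PII and AML details are dropped."""
    return {k: payload.get(k) for k in MINIMAL_FIELDS}


def http_status(method: str, url: str, headers: dict) -> int:
    """Send the request and return the HTTP status, including error statuses."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def delete_session(session_id: str, api_key: str, send=http_status) -> str:
    """Delete Session call. 404 counts as done, so retries are idempotent."""
    status = send("DELETE", f"{DIDIT_API}/session/{session_id}/",
                  {"x-api-key": api_key})
    if status == 204:
        return "deleted"
    if status == 404:
        return "already_gone"
    raise RuntimeError(f"delete of {session_id} failed: HTTP {status}")


def handle_webhook(raw_body: bytes, signature: str, webhook_secret: str,
                   api_key: str, store, send=http_status) -> dict:
    """Verify, persist the minimum, then purge the session from Didit.

    `store(record)` must durably save the record before the delete runs;
    if it raises, nothing is deleted and the webhook can be redelivered.
    """
    if not verify_signature(raw_body, signature, webhook_secret):
        raise PermissionError("webhook signature mismatch")
    payload = json.loads(raw_body)
    record = minimal_record(payload)
    if record["status"] not in FINAL_STATUSES:
        return {**record, "purge": "skipped"}   # wait for the final result
    store(record)
    outcome = delete_session(record["session_id"], api_key, send)
    return {**record, "purge": outcome}


# ---- constructed sample data and an offline run (no network) ----
SAMPLE_SECRET = "whsec_example"          # constructed, not a real secret


def sample_body(status: str = "Approved") -> bytes:
    """Constructed webhook body shaped like the page describes."""
    return json.dumps({
        "session_id": "abc-123", "status": status, "vendor_data": "user-42",
        "decision": {"document": {"first_name": "Jane"}},   # would be purged
    }).encode()


def demo(status: str = "Approved", delete_status: int = 204):
    """Run the handler with a fake sender; returns (stored, calls, result)."""
    stored, calls = [], []

    def fake_send(method, url, headers):
        calls.append((method, url, headers))
        return delete_status

    body = sample_body(status)
    result = handle_webhook(body, sign_body(body, SAMPLE_SECRET), SAMPLE_SECRET,
                            "sk_test", stored.append, send=fake_send)
    return stored, calls, result


if __name__ == "__main__":
    print(demo())
```

The ordering is the point: the signature is checked first so a forged payload can never trigger a delete, the minimal record is written before the Delete Session call so a storage failure leaves the data recoverable at Didit, and a 404 on retry is treated as success so redelivered webhooks do not raise. Swap `http_status` for your HTTP client and `stored.append` for your database write.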

Security and assurance

ISO/IEC 27001

ISMS in place. Certificate and excerpts available on request.

Penetration testing

Periodic third-party penetration tests with tracked remediation.

No known breaches

No security breaches reported to date.

Internal security team

Dedicated cybersecurity team with least-privilege access and strict environment separation.
All API activity is recorded in Audit Logs for security, compliance, and troubleshooting. Logs are retained for 365 days and then auto-deleted.

Privacy-minimized storage

We are adding features that let you retain only selected data fields — for example, keep status and vendor_data while auto-purging heavier artifacts like images and documents. This gives stricter control for teams operating under data-minimization principles.
Want early access to artifact-level retention rules? Contact your Didit representative.

FAQ

Can I set different retention policies for different applications?
Yes. You can configure a different retention policy for each application you have in Didit.

Can I export session data before deleting it?
Yes. Export session data via the Console or API, then call the Delete Session endpoint.

How do I review who accessed or deleted data?
Use Audit Logs in the Console. Filter by user, endpoint, or date range. Logs are retained for 365 days.

Implementation checklist

  1. Configure retention: set your retention policy in Console → App Settings → Data.
  2. Subscribe to webhooks: set up webhooks and verify signatures.
  3. Persist minimal fields: store only the fields your business requires.
  4. Implement programmatic deletion: call the Delete Session API if you use the process-and-purge pattern.
  5. Confirm processing region: verify your processing region (EU by default, or in-country for enterprise).
  6. Separate environments: use separate Sandbox and Live API keys with independent retention policies. Rotate keys regularly.