ISO/IEC 27001
Information security management. Didit maintains a certified Information Security Management System (ISMS) covering the design, development, and operation of the identity verification platform. Certificate excerpts available on request.
ISO/IEC 27017
Cloud security controls. Extended cloud-specific security controls that complement our ISO 27001 certification, ensuring robust protection for cloud-based verification services.
ISO/IEC 27018
Cloud privacy protection. Dedicated controls for protecting personally identifiable information (PII) in cloud environments, going beyond general data protection requirements.
GDPR Compliant
Full EU data protection compliance. Didit is fully compliant with the General Data Protection Regulation. We act as a data processor — you remain the data controller. DPA and TOMs available on request.
iBeta Level 1 — ISO 30107-3
Biometric presentation attack detection. Our liveness detection technology is iBeta Level 1 certified under the ISO 30107-3 standard, ensuring reliable detection of spoofing attempts including printed photos, screen replays, and 3D masks.
EU AI Act Ready
Responsible AI compliance. Didit’s AI-powered verification systems are designed in alignment with the EU AI Act requirements for high-risk AI systems, including transparency, human oversight mechanisms, data governance, and bias monitoring.
Identity verification using biometrics is classified as high-risk under the EU AI Act. Didit proactively addresses these requirements:
| Requirement | How Didit complies |
|---|---|
| Risk management | Continuous risk assessment across all AI models with documented mitigation strategies. |
| Data governance | Training data is curated for quality, relevance, and representativeness. Bias testing across demographics. |
| Transparency | Clear documentation of AI capabilities and limitations. Users are informed when AI processes their data. |
| Human oversight | Manual review workflows allow human operators to override AI decisions at any point. |
| Accuracy & robustness | iBeta-certified liveness detection. Regular model evaluation against adversarial attacks (deepfakes, injection, replay). |
| Record-keeping | Comprehensive audit logs and session records maintained for regulatory review. |
| Non-discrimination | Bias monitoring and testing across age, gender, ethnicity, and document types to ensure equitable treatment. |
Didit continuously updates its compliance posture as the EU AI Act implementing measures are finalized. Contact your Didit representative for the latest AI Act readiness documentation.
Didit acts as a data processor — you remain the data controller. The platform is designed to support GDPR and local data-protection regimes out of the box.
| Aspect | Detail |
|---|---|
| Processor role | Didit processes personal data strictly on your behalf and under your instructions. |
| Processing region | EU by default (AWS). Enterprise customers can enable in-country processing. |
| Data minimization | Process-and-purge patterns let you retain only the fields your business requires. |
| Data portability | Export session data via the Console or API at any time. |
| Right to erasure | Delete individual sessions instantly via the Console or the Delete Session API. |
| Retention controls | Configure retention from 1 month to 10 years in Console → App Settings → Data. |
Customer responsibilities in verification flows
When you use Didit in your own onboarding, authentication, or verification experience, you remain responsible for the controller-side disclosures and legal basis for that flow.

| Requirement | What you need to do |
|---|---|
| Tell the user who is involved | Make clear that your company is requesting the verification and that Didit is the verification provider / processor powering the flow. |
| Show your privacy notice | Link to your own privacy notice or equivalent disclosure before the user starts verification. |
| Link Didit’s legal documents | Link to Didit’s Verification Privacy Notice, End User Terms for Identity Verification, and any other Didit policy your legal team requires. |
| Collect explicit consent where required | If your flow captures documents, selfies, liveness video, or biometrics, use an unchecked checkbox or another affirmative control wherever applicable law requires explicit consent. |
| Handle white-label and custom UI correctly | If you use a custom domain, white-label flow, or API-driven UI, you must render these disclosures in your own product because the branding alone does not disclose Didit’s role. |
| Keep your own records | If your legal team requires proof of notice or consent, store the text version, timestamp, and related metadata in your own systems. |
Need a DPA, TOMs, sub-processor list, or other compliance attestations? Contact your Didit representative or email hello@didit.me.
Security FAQ
What certifications does Didit hold?
Didit is ISO 27001 certified for information security management, ISO 27017 and ISO 27018 certified for cloud security and privacy, fully GDPR compliant, and iBeta Level 1 certified (ISO 30107-3) for biometric presentation attack detection. Certificate excerpts are available on request.
Is my data encrypted?
Yes. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. We use industry-standard cryptographic protocols across our entire infrastructure.
Where is data stored and processed?
By default, all data is processed and stored in the EU on AWS infrastructure. Enterprise customers can request in-country processing with local data residency options, subject to availability.
How do I configure data retention?
Navigate to Business Console → App Settings → Data to set your retention window (1 month to 10 years). You can also delete sessions on demand via the Console or Delete Session API. See the Data Retention page for details.
Can I delete verification data?
Yes. Delete individual sessions through the Console or programmatically via the Delete Session API. For maximum data minimization, use the process-and-purge pattern to remove data immediately after receiving webhook results.
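The process-and-purge pattern mentioned here and in the data-minimization row above is easy to get subtly wrong: if the session is deleted at the provider before your own minimized record is safely stored, a storage failure leaves you with nothing. The following added example (not Didit's code; the webhook payload shape, the field names and the delete call are all hypothetical assumptions, and the delete is injected as a caller-supplied function rather than a real Delete Session API request) shows a handler that allow-lists the fields it keeps, stores them, and only then purges the session.

```python
"""Process-and-purge webhook handler (added example, not Didit's code).

Assumptions, all hypothetical: the webhook body is a JSON object with
"session_id", "status" and a nested "decision" object; the Delete Session
API is reached through a caller-supplied delete function. Neither the
payload shape nor the API call is taken from Didit's documentation.
"""
import json
from datetime import datetime, timezone
from typing import Callable

# Fields the business actually needs. Everything else in the payload
# (document images, selfie, raw OCR) is never written to our own store.
ALLOWED_FIELDS = ("session_id", "status", "decision.outcome", "decision.reviewed_by")


def _get_path(obj, path):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def minimize(payload: dict, allowed=ALLOWED_FIELDS) -> dict:
    """Return a record containing only allow-listed fields plus a timestamp."""
    record = {}
    for path in allowed:
        value = _get_path(payload, path)
        if value is not None:
            record[path] = value
    record["recorded_at"] = datetime.now(timezone.utc).isoformat()
    return record


def process_and_purge(raw_body: bytes,
                      store: Callable[[dict], None],
                      delete_session: Callable[[str], bool]) -> dict:
    """Keep the minimal record, then ask the provider to delete the session.

    Purge only after our own store succeeded, so a storage failure cannot
    leave us with neither the record nor the source data. Returns a status
    dict describing what happened.
    """
    payload = json.loads(raw_body)
    session_id = payload.get("session_id")
    if not session_id:
        return {"ok": False, "reason": "missing session_id", "purged": False}
    record = minimize(payload)
    try:
        store(record)
    except Exception as exc:  # storage failed: leave the session at the provider for retry
        return {"ok": False, "reason": f"store failed: {exc}",
                "purged": False, "session_id": session_id}
    purged = delete_session(session_id)
    return {"ok": True, "purged": purged, "session_id": session_id,
            "kept_fields": sorted(record)}


# Constructed sample payload (not a real Didit webhook).
SAMPLE_WEBHOOK = json.dumps({
    "session_id": "sess_example_123",
    "status": "Approved",
    "decision": {"outcome": "pass", "reviewed_by": "auto"},
    "document": {"front_image_b64": "...", "ocr": {"name": "Jane Example"}},
    "selfie_b64": "...",
}).encode()


def demo() -> dict:
    """Run the handler against the constructed payload with in-memory fakes."""
    stored, deleted = [], []

    def fake_store(rec):
        stored.append(rec)

    def fake_delete(sid):
        deleted.append(sid)
        return True

    result = process_and_purge(SAMPLE_WEBHOOK, fake_store, fake_delete)
    result["stored_records"] = stored
    result["deleted_sessions"] = deleted
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering (store, then delete) is the point: the minimized record is the only copy you will have once the purge succeeds, so the handler treats a failed store as a reason to retry later rather than a reason to delete. In a real deployment the store would be your database write and the delete a request to the Delete Session API, and the webhook endpoint should still be retry-safe, since a repeated delivery after the purge will simply find nothing left to delete.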
How do you handle security incidents?
We maintain a documented incident response plan with defined severity levels, escalation procedures, and communication protocols. Any material incidents are reported to affected customers within the timeframes required by GDPR and applicable regulations.
Is Didit compliant with the EU AI Act?
Didit proactively aligns with the EU AI Act requirements for high-risk AI systems, including risk management, data governance, transparency, human oversight, accuracy testing, and non-discrimination. We continuously update our compliance posture as implementing measures are finalized.
Can I get security documentation?
Yes. We provide DPAs, TOMs, sub-processor lists, penetration test summaries (under NDA), and ISO certificate excerpts. Contact your Didit representative or email hello@didit.me.
How are audit logs handled?
Every API call and Console action is recorded with timestamps, user IDs, and IP addresses. Audit logs are retained for 365 days and can be exported at any time. See the Audit Logs page for details.
Related resources
Data Retention
Configure retention policies and implement privacy-first patterns.
Audit Logs
Track every action with complete audit trails.
Webhooks
Receive real-time notifications for verification events.
API Authentication
Secure API key management and authentication.