ISO 27001 Certified · GDPR Compliant · iBeta Level 1 Certified · AI Act Ready
Certifications
Our platform meets the highest international standards for information security, data privacy, and biometric accuracy.
ISO/IEC 27001
Information security management. Didit maintains a certified Information Security Management System (ISMS) covering the design, development, and operation of the identity verification platform. Certificate excerpts available on request.
ISO/IEC 27017
Cloud security controls. Extended cloud-specific security controls that complement our ISO 27001 certification, ensuring robust protection for cloud-based verification services.
ISO/IEC 27018
Cloud privacy protection. Dedicated controls for protecting personally identifiable information (PII) in cloud environments, going beyond general data protection requirements.
GDPR Compliant
Full EU data protection compliance. Didit is fully compliant with the General Data Protection Regulation. We act as a data processor — you remain the data controller. DPA and TOMs available on request.
iBeta Level 1 — ISO 30107-3
Biometric presentation attack detection. Our liveness detection technology is iBeta Level 1 certified under the ISO 30107-3 standard, ensuring reliable detection of spoofing attempts including printed photos, screen replays, and 3D masks.
EU AI Act Ready
Responsible AI compliance. Didit’s AI-powered verification systems are designed in alignment with the EU AI Act requirements for high-risk AI systems, including transparency, human oversight mechanisms, data governance, and bias monitoring.
Security Infrastructure
End-to-end encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Industry-standard cryptographic protocols protect sensitive information at every stage.
Role-based access control
Granular permissions and role-based access ensure only authorized personnel can access verification data and system configurations.
Complete audit logs
Every action is logged with timestamps, user IDs, and IP addresses. Audit logs are retained for 365 days and can be exported for compliance reviews.
24/7 security monitoring
Continuous monitoring and automated threat detection across our entire infrastructure with real-time alerts for suspicious activity.
EU-based infrastructure
Data is processed and stored in the EU on AWS servers by default. Enterprise customers can enable in-country processing with local data residency options.
Configurable data retention
Set retention policies from 1 month to 10 years, or delete data immediately via API. Process-and-purge patterns supported for minimal data footprint.
AI Act Compliance
As an AI-native identity platform, Didit takes the EU AI Act seriously. Our systems are built to meet the requirements for high-risk AI applications.
Identity verification using biometrics is classified as high-risk under the EU AI Act. Didit proactively addresses these requirements:
| Requirement | How Didit complies |
|---|---|
| Risk management | Continuous risk assessment across all AI models with documented mitigation strategies. |
| Data governance | Training data is curated for quality, relevance, and representativeness. Bias testing across demographics. |
| Transparency | Clear documentation of AI capabilities and limitations. Users are informed when AI processes their data. |
| Human oversight | Manual review workflows allow human operators to override AI decisions at any point. |
| Accuracy & robustness | iBeta-certified liveness detection. Regular model evaluation against adversarial attacks (deepfakes, injection, replay). |
| Record-keeping | Comprehensive audit logs and session records maintained for regulatory review. |
| Non-discrimination | Bias monitoring and testing across age, gender, ethnicity, and document types to ensure equitable treatment. |
Didit continuously updates its compliance posture as the EU AI Act implementing measures are finalized. Contact your Didit representative for the latest AI Act readiness documentation.
Data Protection
Didit acts as a data processor — you remain the data controller. The platform is designed to support GDPR and local data-protection regimes out of the box.
| Aspect | Detail |
|---|---|
| Processor role | Didit processes personal data strictly on your behalf and under your instructions. |
| Processing region | EU by default (AWS). Enterprise customers can enable in-country processing. |
| Data minimization | Process-and-purge patterns let you retain only the fields your business requires. |
| Data portability | Export session data via the Console or API at any time. |
| Right to erasure | Delete individual sessions instantly via the Console or the Delete Session API. |
| Retention controls | Configure retention from 1 month to 10 years in Console → App Settings → Data. |
Need a DPA, TOMs, sub-processor list, or other compliance attestations? Contact your Didit representative or email hello@didit.me.
Operational Security
Penetration testing
Periodic third-party penetration tests with tracked remediation. Reports available to enterprise customers under NDA.
No known breaches
No security breaches reported to date. Incident response procedures tested and documented.
Internal security team
Dedicated cybersecurity team with least-privilege access and strict environment separation across all systems.
API key security
Separate Sandbox and Live API keys. Keys can be rotated at any time via the Business Console.
Security FAQ
What certifications does Didit hold?
Didit is ISO 27001 certified for information security management, ISO 27017 and ISO 27018 certified for cloud security and privacy, fully GDPR compliant, and iBeta Level 1 certified (ISO 30107-3) for biometric presentation attack detection. Certificate excerpts are available on request.
Is my data encrypted?
Yes. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. We use industry-standard cryptographic protocols across our entire infrastructure.
Where is data stored and processed?
By default, all data is processed and stored in the EU on AWS infrastructure. Enterprise customers can request in-country processing with local data residency options, subject to availability.
How do I configure data retention?
Navigate to Business Console → App Settings → Data to set your retention window (1 month to 10 years). You can also delete sessions on demand via the Console or Delete Session API. See the Data Retention page for details.
Can I delete verification data?
Yes. Delete individual sessions through the Console or programmatically via the Delete Session API. For maximum data minimization, use the process-and-purge pattern to remove data immediately after receiving webhook results.
How do you handle security incidents?
We maintain a documented incident response plan with defined severity levels, escalation procedures, and communication protocols. Any material incidents are reported to affected customers within the timeframes required by GDPR and applicable regulations.
Is Didit compliant with the EU AI Act?
Didit proactively aligns with the EU AI Act requirements for high-risk AI systems, including risk management, data governance, transparency, human oversight, accuracy testing, and non-discrimination. We continuously update our compliance posture as implementing measures are finalized.
Can I get security documentation?
Yes. We provide DPAs, TOMs, sub-processor lists, penetration test summaries (under NDA), and ISO certificate excerpts. Contact your Didit representative or email hello@didit.me.
How are audit logs handled?
Every API call and Console action is recorded with timestamps, user IDs, and IP addresses. Audit logs are retained for 365 days and can be exported at any time. See the Audit Logs page for details.