> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & compliance

> Didit security and compliance posture: SOC 2 Type I, ISO 27001, GDPR, iBeta Level 1, EU AI Act ready, and validated by Spain's Treasury and SEPBLAC.

export const StatGrid = ({children}) => <div className="didit-stat-grid">
    {children}
  </div>;

export const StatCard = ({value, label}) => <div className="didit-stat-card">
    <span className="didit-stat-value">{value}</span>
    <span className="didit-stat-label">{label}</span>
  </div>;

export const SectionHeader = ({label, title, description, align = "left"}) => <div className="didit-section-header" style={{
  textAlign: align,
  alignItems: align === "center" ? "center" : "flex-start"
}}>
    {label && <p className="didit-section-label">{label}</p>}
    <h2 className="didit-section-title">{title}</h2>
    {description && <p className="didit-section-desc">{description}</p>}
  </div>;

export const FeatureGrid = ({cols = 3, children}) => <div className="didit-feature-grid" style={{
  "--grid-cols": cols
}}>
    {children}
  </div>;

export const FeatureCard = ({icon, title, description, href}) => {
  const inner = <div className="didit-feature-card">
      {icon && <div className="didit-feature-card-icon">
          <Icon icon={icon} size={20} />
        </div>}
      <div className="didit-feature-card-content">
        <h3 className="didit-feature-card-title">{title}</h3>
        {description && <p className="didit-feature-card-desc">{description}</p>}
      </div>
      {href && <div className="didit-feature-card-arrow">
          <Icon icon="arrow-right" size={14} />
        </div>}
    </div>;
  if (href) {
    return <a href={href} style={{
      textDecoration: "none",
      color: "inherit",
      display: "block",
      border: "none",
      boxShadow: "none"
    }}>{inner}</a>;
  }
  return inner;
};

Didit is built from the ground up with security as a first-class principle. Every layer of the platform — from infrastructure to AI models — is designed to meet the highest international standards for information security, data privacy, and biometric accuracy.

<StatGrid>
  <StatCard value="SOC 2" label="Type I Certified" />

  <StatCard value="ISO" label="27001 Certified" />

  <StatCard value="GDPR" label="Compliant" />

  <StatCard value="iBeta" label="Level 1 Certified" />

  <StatCard value="AI Act" label="Ready" />
</StatGrid>

***

<SectionHeader label="Government-validated" title={<>More secure than <span>in-person</span></>} description="Validated by the Spanish Treasury, SEPBLAC, and CNMV — the first and only provider to receive this validation." />

<Info>
  **"Didit's NFC + active liveness verification offers security equivalent to or greater than in-person verification."**
  — Official report, Spanish Treasury ([tesoro.es](https://www.tesoro.es/sites/default/files/publicaciones/Informe%20Conclusiones%20DIDIT.pdf))
</Info>

After a year-long test by Spanish financial regulators — the Spanish Treasury (Tesoro Público), SEPBLAC (the financial intelligence unit), Banco de España, and CNMV (the securities and markets commission) — Didit was recognized as the only provider whose NFC + active liveness flow meets or exceeds the security level of in-person identity verification.

<FeatureGrid cols={2}>
  <FeatureCard icon="award" title="Only provider with this validation" description="First and only vendor to pass the year-long financial-regulator test in Spain. Independent, adversarial, and repeatable." />

  <FeatureCard icon="chart-network" title="200+ signals per verification" description="Biometric, document, behavioral, and database signals cross-checked in real time on every session." />

  <FeatureCard icon="database" title="Connected to government data sources" description="Integrated one-by-one with authoritative government databases worldwide to confirm identity against source-of-truth records." />

  <FeatureCard icon="file-certificate" title="Global licenses & compliance" description="SOC 2 Type I certified (Type II in progress), ISO 27001, ISO 27017, ISO 27018, GDPR, and iBeta Level 1 (ISO 30107-3). Licensed and compliant in every country we operate." />
</FeatureGrid>

***

<SectionHeader label="Certifications" title={<>Certified for <span>enterprise trust</span></>} description="Our platform meets the highest international standards for information security, data privacy, and biometric accuracy." />

<CardGroup cols={2}>
  <Card title="SOC 2 Type I" icon="shield-halved">
    **Service Organization Controls — Type I.** Didit's controls over security, availability, processing integrity, confidentiality, and privacy have been independently audited against the AICPA Trust Services Criteria. **SOC 2 Type II audit is currently in progress.** Report available to enterprise customers under NDA.
  </Card>

  <Card title="ISO/IEC 27001" icon="shield-check">
    **Information security management.** Didit maintains a certified Information Security Management System (ISMS) covering the design, development, and operation of the identity verification platform. Certificate excerpts available on request.
  </Card>

  <Card title="ISO/IEC 27017" icon="cloud">
    **Cloud security controls.** Extended cloud-specific security controls that complement our ISO 27001 certification, ensuring robust protection for cloud-based verification services.
  </Card>

  <Card title="ISO/IEC 27018" icon="user-shield">
    **Cloud privacy protection.** Dedicated controls for protecting personally identifiable information (PII) in cloud environments, going beyond general data protection requirements.
  </Card>

  <Card title="GDPR Compliant" icon="scale-balanced">
    **Full EU data protection compliance.** Didit is fully compliant with the General Data Protection Regulation. We act as a data processor — you remain the data controller. DPA and TOMs available on request.
  </Card>

  <Card title="iBeta Level 1 — ISO 30107-3" icon="face-smile">
    **Biometric presentation attack detection.** Our liveness detection technology is iBeta Level 1 certified under the ISO 30107-3 standard, ensuring reliable detection of spoofing attempts including printed photos, screen replays, and 3D masks.
  </Card>

  <Card title="EU AI Act Ready" icon="robot">
    **Responsible AI compliance.** Didit's AI-powered verification systems are designed in alignment with the EU AI Act requirements for high-risk AI systems, including transparency, human oversight mechanisms, data governance, and bias monitoring.
  </Card>
</CardGroup>

***

<SectionHeader label="Security Infrastructure" title={<>How we protect <span>your data</span></>} />

<FeatureGrid cols={2}>
  <FeatureCard icon="lock" title="End-to-end encryption" description="All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Industry-standard cryptographic protocols protect sensitive information at every stage." />

  <FeatureCard icon="users" title="Role-based access control" description="Granular permissions and role-based access ensure only authorized personnel can access verification data and system configurations." />

  <FeatureCard icon="clipboard-list" title="Complete audit logs" description="Every action is logged with timestamps, user IDs, and IP addresses. Audit logs are retained for 365 days and can be exported for compliance reviews." />

  <FeatureCard icon="eye" title="24/7 security monitoring" description="Continuous monitoring and automated threat detection across our entire infrastructure with real-time alerts for suspicious activity." />

  <FeatureCard icon="server" title="EU-based infrastructure" description="Data is processed and stored in the EU on AWS servers by default. Enterprise customers can enable in-country processing with local data residency options." />

  <FeatureCard icon="clock" title="Configurable data retention" description="Set retention policies from 1 month to 10 years, or delete data immediately via API. Process-and-purge patterns supported for minimal data footprint." />
</FeatureGrid>

***

<SectionHeader label="Fraud signals" title={<>200+ signals, <span>real-time fraud loop</span></>} description="Fully integrated fraud loop — detect, analyze, and fix in real time. Every verification is scored against 200+ signals across biometric, document, behavioral, and database sources." />

| Signal type            | Capability                                                                                                                                   |
| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| **Deepfakes**          | +20 proprietary AI models, built in-house for the generative AI era. [Liveness →](/core-technology/liveness/overview)                        |
| **Injection attacks**  | Camera stream tampering prevention — catches replay and video injection. [Liveness →](/core-technology/liveness/overview)                    |
| **Document forgery**   | Hologram, reprint, screenshot, and digital alteration detection. [ID Verification →](/core-technology/id-verification/overview)              |
| **Synthetic IDs**      | Cross-reference against authoritative government databases worldwide. [Database Validation →](/core-technology/database-validation/overview) |
| **Behavioral signals** | Device & IP Analysis, device fingerprinting, and replay detection. [Device & IP Analysis →](/core-technology/ip-analysis/overview)           |
| **Face Search 1:N**    | Duplicate and multi-account detection across all verified users. [Face Search →](/core-technology/face-search/overview)                      |

<Tip>
  Our expert fraud team responds to new attack vectors within hours, not quarters. Models and rules are updated continuously as the threat landscape shifts.
</Tip>

***

<SectionHeader label="AI Act Compliance" title={<>Responsible AI — <span>by design</span></>} description="As an AI-native identity platform, Didit takes the EU AI Act seriously. Our systems are built to meet the requirements for high-risk AI applications." />

Identity verification using biometrics is classified as **high-risk** under the EU AI Act. Didit proactively addresses these requirements:

| Requirement               | How Didit complies                                                                                                       |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| **Risk management**       | Continuous risk assessment across all AI models with documented mitigation strategies.                                   |
| **Data governance**       | Training data is curated for quality, relevance, and representativeness. Bias testing across demographics.               |
| **Transparency**          | Clear documentation of AI capabilities and limitations. Users are informed when AI processes their data.                 |
| **Human oversight**       | Manual review workflows allow human operators to override AI decisions at any point.                                     |
| **Accuracy & robustness** | iBeta-certified liveness detection. Regular model evaluation against adversarial attacks (deepfakes, injection, replay). |
| **Record-keeping**        | Comprehensive audit logs and session records maintained for regulatory review.                                           |
| **Non-discrimination**    | Bias monitoring and testing across age, gender, ethnicity, and document types to ensure equitable treatment.             |

<Info>
  Didit continuously updates its compliance posture as the EU AI Act implementing measures are finalized. Contact your Didit representative for the latest AI Act readiness documentation.
</Info>

***

<SectionHeader label="Data Protection" title={<>Your data protection <span>partner</span></>} />

Didit acts as a **data processor** — you remain the **data controller**. The platform is designed to support GDPR and local data-protection regimes out of the box.

| Aspect                 | Detail                                                                                                          |
| ---------------------- | --------------------------------------------------------------------------------------------------------------- |
| **Processor role**     | Didit processes personal data strictly on your behalf and under your instructions.                              |
| **Processing region**  | EU by default (AWS). Enterprise customers can enable in-country processing.                                     |
| **Data minimization**  | Process-and-purge patterns let you retain only the fields your business requires.                               |
| **Data portability**   | Export session data via the Console or API at any time.                                                         |
| **Right to erasure**   | Delete individual sessions instantly via the Console or the [Delete Session](/sessions-api/delete-session) API. |
| **Retention controls** | Configure retention from 1 month to 10 years in **Console → App Settings → Data**.                              |

## Customer responsibilities in verification flows

When you use Didit in your own onboarding, authentication, or verification experience, you remain responsible for the **controller-side disclosures and legal basis** for that flow.

| Requirement                                    | What you need to do                                                                                                                                                                                                                               |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Tell the user who is involved**              | Make clear that your company is requesting the verification and that Didit is the verification provider / processor powering the flow.                                                                                                            |
| **Show your privacy notice**                   | Link to your own privacy notice or equivalent disclosure before the user starts verification.                                                                                                                                                     |
| **Link Didit's legal documents**               | Link to Didit's [Verification Privacy Notice](https://didit.me/terms/verification-privacy-notice), [End User Terms for Identity Verification](https://didit.me/terms/identity-verification), and any other Didit policy your legal team requires. |
| **Collect explicit consent where required**    | If your flow captures documents, selfies, liveness video, or biometrics, use an unchecked checkbox or another affirmative control wherever applicable law requires explicit consent.                                                              |
| **Handle white-label and custom UI correctly** | If you use a custom domain, white-label flow, or API-driven UI, you must render these disclosures in your own product because the branding alone does not disclose Didit's role.                                                                  |
| **Keep your own records**                      | If your legal team requires proof of notice or consent, store the text version, timestamp, and related metadata in your own systems.                                                                                                              |

<Warning>
  Didit provides the verification infrastructure, but it does not decide whether your specific user journey satisfies the consent, disclosure, or biometric-law requirements that apply to your business. Review your implementation with legal counsel before going live.
</Warning>

<Note>
  Need a DPA, TOMs, sub-processor list, or other compliance attestations? Contact your Didit representative or email [hello@didit.me](mailto:hello@didit.me).
</Note>

***

<SectionHeader label="Operational Security" title={<>Continuous <span>protection</span></>} />

<FeatureGrid cols={2}>
  <FeatureCard icon="bug" title="Penetration testing" description="Periodic third-party penetration tests with tracked remediation. Reports available to enterprise customers under NDA." />

  <FeatureCard icon="lock" title="No known breaches" description="No security breaches reported to date. Incident response procedures tested and documented." />

  <FeatureCard icon="user-shield" title="Internal security team" description="Dedicated cybersecurity team with least-privilege access and strict environment separation across all systems." />

  <FeatureCard icon="key" title="API key security" description="Separate Sandbox and Live API keys. Keys can be rotated at any time via the Business Console." />
</FeatureGrid>

***

## Security FAQ

<AccordionGroup>
  <Accordion title="What certifications does Didit hold?">
    Didit is **SOC 2 Type I certified** (with SOC 2 Type II audit in progress), ISO 27001 certified for information security management, ISO 27017 and ISO 27018 certified for cloud security and privacy, fully GDPR compliant, and iBeta Level 1 certified (ISO 30107-3) for biometric presentation attack detection. Certificate excerpts and the SOC 2 Type I report (under NDA) are available on request.
  </Accordion>

  <Accordion title="Is my data encrypted?">
    Yes. All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. We use industry-standard cryptographic protocols across our entire infrastructure.
  </Accordion>

  <Accordion title="Where is data stored and processed?">
    By default, all data is processed and stored in the EU on AWS infrastructure. Enterprise customers can request in-country processing with local data residency options, subject to availability.
  </Accordion>

  <Accordion title="How do I configure data retention?">
    Navigate to **Business Console → App Settings → Data** to set your retention window (1 month to 10 years). You can also delete sessions on demand via the Console or [Delete Session API](/sessions-api/delete-session). See the [Data Retention](/console/data-retention) page for details.
  </Accordion>

  <Accordion title="Can I delete verification data?">
    Yes. Delete individual sessions through the Console or programmatically via the [Delete Session API](/sessions-api/delete-session). For maximum data minimization, use the process-and-purge pattern to remove data immediately after receiving webhook results.
  </Accordion>

  <Accordion title="How do you handle security incidents?">
    We maintain a documented incident response plan with defined severity levels, escalation procedures, and communication protocols. Any material incidents are reported to affected customers within the timeframes required by GDPR and applicable regulations.
  </Accordion>

  <Accordion title="Is Didit compliant with the EU AI Act?">
    Didit proactively aligns with the EU AI Act requirements for high-risk AI systems, including risk management, data governance, transparency, human oversight, accuracy testing, and non-discrimination. We continuously update our compliance posture as implementing measures are finalized.
  </Accordion>

  <Accordion title="Can I get security documentation?">
    Yes. We provide DPAs, TOMs, sub-processor lists, penetration test summaries (under NDA), and ISO certificate excerpts. Contact your Didit representative or email [hello@didit.me](mailto:hello@didit.me).
  </Accordion>

  <Accordion title="How are audit logs handled?">
    Every API call and Console action is recorded with timestamps, user IDs, and IP addresses. Audit logs are retained for 365 days and can be exported at any time. See the [Audit Logs](/console/audit-logs) page for details.
  </Accordion>
</AccordionGroup>

***

## Related resources

<CardGroup cols={2}>
  <Card title="Data Retention" icon="clock" href="/console/data-retention">
    Configure retention policies and implement privacy-first patterns.
  </Card>

  <Card title="Audit Logs" icon="clipboard-list" href="/console/audit-logs">
    Track every action with complete audit trails.
  </Card>

  <Card title="Webhooks" icon="webhook" href="/integration/webhooks">
    Receive real-time notifications for verification events.
  </Card>

  <Card title="API Authentication" icon="key" href="/getting-started/api-authentication">
    Secure API key management and authentication.
  </Card>
</CardGroup>
