Security is our foundation
We handle sensitive biometric and identity data. That responsibility shapes every decision we make, from architecture to team access.
Certifications & Compliance
We align with industry standards for data security and privacy.
SOC 2 Type II
Security controls aligned with SOC 2 standards. Formal certification planned.
Status: Planned
GDPR Compliant
Full compliance with EU data protection regulations.
Status: Compliant
ISO 27001
Information security management system certification.
Status: In Progress
CCPA Compliant
California Consumer Privacy Act compliance.
Status: Compliant
Security Architecture
Defense in depth at every layer of our platform.
Data Protection
Encryption at Rest
Sensitive data is encrypted at rest using AES-256-GCM.
Encryption in Transit
TLS 1.3 for all data transmission. No exceptions.
Data Isolation
Customer data is logically isolated with tenant-level database filtering.
Secure Key Management
Keys are managed through cloud provider key management services.
Access Control
Role-Based Access
Granular permissions based on job function and least privilege.
Passkey Authentication
Passkey-based authentication for dashboard and admin panel access.
API Key Security
Constant-time comparison for API keys, with per-tenant key isolation.
Audit Logging
Comprehensive logs of all access and actions, retained for 1 year.
Infrastructure
Cloud-Native Architecture
Built on modern infrastructure with automated failover and monitoring.
DDoS Protection
Enterprise-grade DDoS mitigation at network and application layers.
WAF Protection
Web application firewall blocking common attack vectors.
Security Assessments
Security assessments and code reviews performed regularly.
Data Handling
Transparency about what we collect, process, and retain.
| Data Type | How We Handle It | Retention |
|---|---|---|
| Biometric Data | Face embeddings are stored as 512-dimensional mathematical vectors, not photos. Original images are deleted after processing. | Until account deletion or 24 months inactivity |
| Document Data | ID documents are processed for age extraction. Document images are deleted immediately after processing. | Deleted immediately after processing |
| Verification Results | Session metadata including verification outcome (over/under age), liveness result, IP, and timestamps. | 90 days |
| API Logs | Request logs for debugging and analytics. No biometric data in logs. | 90 days |
Responsible Disclosure
Found a security vulnerability? We appreciate your help keeping Xident secure. Please report issues responsibly.
We respond to all reports within 24 hours. We take all reports seriously and will work with you to understand and resolve valid findings.
Need more details?
Enterprise customers can request our security documentation, questionnaire responses, and detailed architecture documentation.