Security is our foundation
We handle sensitive biometric and identity data. That responsibility shapes every decision we make, from architecture to team access.
Certifications & Compliance
We meet the highest standards for data security and privacy.
SOC 2 Type II
Annual audit verifying our security controls meet rigorous standards.
Certified
GDPR Compliant
Full compliance with EU data protection regulations.
Compliant
ISO 27001
Information security management system certification.
In Progress
CCPA Compliant
California Consumer Privacy Act compliance.
Compliant
Security Architecture
Defense in depth at every layer of our platform.
Data Protection
Encryption at Rest
All data is encrypted using AES-256 encryption at rest.
Encryption in Transit
TLS 1.3 for all data transmission. No exceptions.
Data Isolation
Customer data is logically isolated in separate encrypted containers.
Secure Key Management
Hardware security modules (HSM) for cryptographic key storage.
Access Control
Role-Based Access
Granular permissions based on job function and least privilege.
Multi-Factor Authentication
Required for all employee and customer dashboard access.
SSO Integration
Support for SAML 2.0 and OIDC for enterprise customers.
Audit Logging
Comprehensive logs of all access and actions, retained for 1 year.
Infrastructure
Cloud-Native Architecture
Built on AWS with multi-region redundancy and auto-scaling.
DDoS Protection
Enterprise-grade DDoS mitigation at network and application layers.
WAF Protection
Web application firewall blocking common attack vectors.
Regular Penetration Testing
Third-party security assessments performed quarterly.
Data Handling
Transparency about what we collect, process, and retain.
| Data Type | How We Handle It | Retention |
|---|---|---|
| Biometric Data | Face embeddings are stored as mathematical vectors, not photos. Original images are deleted after processing. | Embeddings retained until user deletion |
| Document Data | ID documents are processed for age extraction only. Document images are not stored. | Processed immediately, then deleted |
| Verification Results | Only the verification outcome (over/under age) is stored, not the original data. | Per customer configuration |
| API Logs | Request logs for debugging and analytics. No biometric data in logs. | 90 days |
Responsible Disclosure
Found a security vulnerability? We appreciate your help keeping Xident secure. Please report issues responsibly.
Report a vulnerability
We respond to all reports within 24 hours and offer rewards for valid findings.
Need more details?
Enterprise customers can request our SOC 2 report, security questionnaire responses, and detailed architecture documentation.