Trust is earned.

We're transparent about where we stand. As we scale, we pursue real audits and accreditation — not shortcuts.

Verified

Third-Party Audits & Certifications

Independent verification of our security controls, processes, and infrastructure by qualified third-party auditors.

01. SOC 2 Type II

  • Independent audit of security, availability, confidentiality, processing integrity, and privacy controls. Covers the deepidv verification platform, APIs, and supporting infrastructure.

02. ISO/IEC 27001:2022

  • Certified Information Security Management System (ISMS) covering all deepidv operations, from product development through service delivery and customer support.

03. GDPR Compliant

  • Full compliance with the General Data Protection Regulation (EU) 2016/679. Data Processing Agreements available for all business clients. Standard Contractual Clauses executed for international transfers.

In Progress

Certifications and standards we are actively pursuing.

iBeta Level 1 & 2

In Progress

Independent biometric testing by iBeta Quality Assurance for ISO 30107-3 Presentation Attack Detection (PAD). Validates liveness detection against printed photos, screen replays, and 3D masks.

HIPAA

In Progress

Health Insurance Portability and Accountability Act compliance for processing protected health information (PHI) in healthcare identity verification workflows.

FIDO Alliance

In Progress

FIDO2/WebAuthn certification for passwordless authentication standards. Enables phishing-resistant biometric authentication across deepidv verification flows.

ISO/IEC 27018

In Progress

Code of practice for protection of personally identifiable information (PII) in public clouds. Extends ISO 27001 with cloud-specific privacy controls.

ISO 31000:2018

In Progress

International standard for risk management framework and principles. Guides deepidv's approach to identifying, assessing, and mitigating operational and security risks.

Core Advantages

Security Practices

Our security program is aligned with ISO 27001, SOC 2, NIST CSF 2.0, and the OWASP ASVS. It is overseen by a dedicated CISO who reports directly to the CEO.

01. Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.3 for all data in transit with perfect forward secrecy
  • FaceX/TripleLock three-party nested AES-256-GCM biometric encryption
  • HSM-managed key rotation on defined schedule

02. Data Isolation

  • Per-client data isolation with separate encryption keys
  • AWS Lambda, DynamoDB, SQS with strict IAM policies
  • Network segmentation with isolated prod/staging/dev environments
  • No commingling of verification data across clients

03. Access Controls

  • Role-based access control (RBAC) with principle of least privilege
  • MFA mandatory for all production, admin, and code access
  • Just-in-time (JIT) provisioning for privileged access
  • Quarterly access reviews by CISO with immediate revocation

04. Monitoring & Detection

  • 24/7 SIEM with ML-based anomaly detection
  • Endpoint detection and response (EDR) on all managed devices
  • Cloud security posture management (CSPM) for AWS
  • Real-time alerting with automated incident playbooks

05. Application Security

  • Secure SDLC with SAST, DAST, SCA integrated in CI/CD
  • Mandatory peer code review for all changes
  • Regular third-party penetration testing
  • Vulnerability management with severity-based SLAs

06. Incident Response

  • Documented IRP with 72-hour GDPR breach notification
  • Forensic analysis and evidence preservation capabilities
  • Real-time status at status.deepidv.com via incident.io
  • Post-incident review with lessons-learned process

Our Privacy Promise

At Deep Identity Inc., privacy is not a compliance checkbox — it is the architecture of everything we build. Our platform is designed so that your data belongs to you.

We enforce this promise through advanced cryptography, strict data minimization, and complete transparency in our policies and practices.

1. No Data Sales

We do not sell, trade, or rent your personal data. Ever. The only exception is voluntary participation in clearly identified opt-in research programs.

2. Data Minimization

We collect only what is necessary for the specific service requested. Biometric data for liveness is deleted within 24 hours of successful verification.

3. Transparency

Our Privacy Center contains 16 policies covering every aspect of data handling. No hidden practices, no fine print surprises.

4. Data Sovereignty

FaceX/TripleLock ensures no single party — including deepidv — can access raw biometric data without the cooperation of all three independent key holders.

Frequently asked questions

Common questions about deepidv's security, privacy, and compliance practices.

deepidv currently holds SOC 2 Type II, ISO/IEC 27001:2022, and GDPR compliance certifications. We are actively pursuing iBeta Level 1 & 2, HIPAA, FIDO Alliance, ISO/IEC 27018, and ISO 31000:2018.

All biometric data is encrypted using our proprietary FaceX/TripleLock system — a three-party nested AES-256-GCM encryption scheme. No single entity, including deepidv, can access raw biometric data without the cooperation of all three independent key holders. Biometric data used solely for liveness detection is deleted within 24 hours.

No. Deep Identity Inc. does not sell, trade, or rent personal data to any third party for any purpose. This is a foundational principle of our business.

Click the 'Submit Request' button on any certification above, or email security@deepidv.com with your company name and the specific documents you need. We typically respond within 2 business days.

deepidv infrastructure runs on Amazon Web Services (AWS) with multi-availability-zone deployments. Data may be stored in the United States and Canada. International transfers are protected by Standard Contractual Clauses (SCCs) and Transfer Impact Assessments.

Please email security@deepidv.com with details of the vulnerability. We acknowledge reports within 48 hours and provide substantive responses within 30 days.
