Question 1

How secure is Didit?

Accepted Answer

**Zero data breaches since Didit launched in 2023.** Security is built into every layer of the platform.

- **Zero breaches**, across millions of verifications and 1,500+ paying customers.
- **Everything is encrypted** — both when data is stored and when it moves between systems. Encryption keys live in Amazon Web Services (AWS), separated so a sandbox cannot read production data.
- **Every request is checked. Every action is logged.** No shared secrets across customers.
- **Independently audited** — SOC 2 Type 1 (Type 2 in progress), ISO/IEC 27001:2022, and iBeta Level 1 Presentation Attack Detection (PAD) with 0% attack-success across 360 attempts.
- **Live public status page** at `status.didit.me` — every incident, every post-mortem, no login required. 100% uptime over the last 6 months.
- **If anything happens, we tell you within hours** — well inside the General Data Protection Regulation (GDPR) Article 33 reporting window. Enterprise gets a named engineer on call 24/7, with a dedicated Slack and WhatsApp channel.

Request the Trust Pack on this page — SOC 2 report, ISO certificate, iBeta report, Tesoro attestation, Data Processing Agreement (DPA), sub-processors list — sent back the same business day under a signed Non-Disclosure Agreement (NDA).

Question 2

I have lots of verifications. Will Didit support my volume?

Accepted Answer

**Yes. The infrastructure scales itself in real time and supports millions of verifications a day.**

- **Scales automatically.** When your traffic doubles overnight, the platform expands itself. No sales call, no capacity-plan rewrite, no warning needed.
- **Every check completes in under 2 seconds**, even at peak load. The infrastructure is optimised for fast inference end to end.
- **100% uptime over the last 6 months.** Track it live at `status.didit.me` — no login required.
- **Battle-tested in production** — 1,500+ paying customers across 220+ countries, in production since 2023.
- **Built for spike events** — sports-betting kick-offs, marketplace launches, age-verification rollouts. The platform handles the spike without anyone at Didit having to lift a finger.
- **Enterprise contracts include written guarantees** — a Service Level Agreement (SLA) on speed, uptime, and capacity, with billing credits if we miss.

Volume tiers on the pricing page kick in automatically as you grow — no contract change, no manual renegotiation.

Question 3

What data does Didit store, and how much control do I have over it?

Accepted Answer

**You choose, per workflow.** Didit does not have a fixed list of what we keep. Your compliance team configures each app in the Business Console, and the workflow only collects and stores what you tell it to.

The **Returned-data** tab gives you a toggle for every category:

- Identity (ID) document images and Machine-Readable Zone (MRZ) fields
- Near-Field Communication (NFC) chip data
- Extracted identity fields (name, date of birth, document number, expiry, address)
- Biometric templates
- **Raw selfie and full liveness video**
- Device fingerprint, browser, operating system, platform
- Internet Protocol (IP) geolocation, Virtual Private Network (VPN) / Tor signals
- Document-location match coordinates
- Anti-Money Laundering (AML) screening hits with sanctions, Politically Exposed Person (PEP), and adverse-media match details
- Webhook payload, audit log, and per-session metadata

The exact list of toggles depends on the modules in your workflow — check them when you set the workflow up in the Business Console under **Returned-data**.

Question 4

Who is the Data Controller and who is the Data Processor?

Accepted Answer

**You are the Data Controller. Didit is the Data Processor.** This is the General Data Protection Regulation (GDPR) Article 28 set-up most regulated buyers expect.

- **You decide** *why* the data is collected, *what* fields are kept, *how long* they are retained, and *who* inside your team can act on them. The Data Processing Agreement (DPA) on this page is the contract that binds Didit to those instructions.
- **Didit processes the data on your behalf** — running the verifications, the screening, the biometric checks, the document classification, the webhooks — under your DPA and under our own SOC 2, ISO/IEC 27001, and General Data Protection Regulation (GDPR) Article 32 controls.

**We recommend you let Didit store and access the data on your behalf.** Most of our customers do. Securing identity data at internet scale is a full-time job: hardened encryption, key rotation, intrusion detection, vulnerability management, certification renewals, regional residency, data-subject-rights tooling, breach notification. Didit's security and platform teams focus on it every day so your compliance and engineering teams do not have to. You retain full control through the Business Console — every retention rule, every Data Subject Access Request (DSAR), every delete is yours to trigger.

If your policy requires the data to live entirely in your own environment (your cloud account, your on-premise database), we support that too — Didit runs as a processor on a fetch-and-forget basis and your team owns retention end to end.

Question 5

Where is data stored, and can I choose the region?

Accepted Answer

**European Union by default. Specific region or in-country available on Enterprise.**

The default deployment runs on Amazon Web Services (AWS) in EU. Data is encrypted at rest and in transit, with encryption keys held by AWS and separated per environment.

- **European Union (default)** — every account. Covers the General Data Protection Regulation (GDPR), Schrems II / European Union – United States Data Privacy Framework, and eIDAS 2.0.
- **Specific region** (United States East, Asia-Pacific, etc.) — Enterprise contracts, when your regulator requires it.
- **In-country residency** (Brazil, India, etc.) — Enterprise, subject to availability, for local laws like Brazil's Lei Geral de Proteção de Dados (LGPD) and India's Digital Personal Data Protection Act (DPDPA).

When data crosses a border, it is protected by the European Commission's 2021 Standard Contractual Clauses (SCCs). The matching Transfer Impact Assessment (TIA) ships with the Trust Pack on this page.

Question 6

How long do you keep data, and how do I configure retention?

Accepted Answer

**You set the retention window. From 1 month to 10 years, per app.** Enforcement is automatic.

In the Business Console you set:

- A **global retention window** — anywhere from 1 month (when you want Didit to keep nothing after your webhook fires) to 10 years (the Anti-Money Laundering Directive 6 (AMLD6) ceiling).
- **Per-data-category retention** — biometric templates can outlive raw images; screening hits can outlive identity data; document-location match can be dropped entirely.
- **Automatic enforcement** — every night, the platform deletes anything past its retention window across every copy. Every delete is recorded in the audit log.

If you want Didit to keep nothing after the verdict, call `POST /v3/sessions/:session_id/delete/` from your webhook handler and the session is gone the moment your system records its own copy of the result — Didit never holds the data past the call. Full reference at `docs.didit.me/sessions-api/delete-session`.

Question 7

How do you handle Data Subject Access Requests (DSARs), deletion, and portability?

Accepted Answer

**One endpoint per right.**

- **Right of access (Article 15) and right to data portability (Article 20)** — pull the full session payload at `GET /v3/sessions/:session_id/decision/`. Reference at `docs.didit.me/sessions-api/retrieve-session`.
- **Right to erasure (Article 17)** — `POST /v3/sessions/:session_id/delete/` removes the session and every linked artifact. Reference at `docs.didit.me/sessions-api/delete-session`.

Question 8

Which certifications and attestations do you hold?

Accepted Answer

**Five external attestations on file. All packaged in the Trust Pack.**

- **SOC 2 Type 1** — Security, Availability, and Confidentiality, issued by ATOM in April 2026 under the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. SOC 2 Type 2 examination is in progress.
- **ISO/IEC 27001:2022** — Information Security Management System, certified by Bureau Veritas (certificate `ES144068`, valid through 2027-06-03).
- **iBeta Level 1 Presentation Attack Detection (PAD)** — independent biometric anti-spoofing test, conducted under ISO/IEC 30107-3 at a National Institute of Standards and Technology (NIST)-accredited lab. 0 successful attacks across 360 attempts.
- **GDPR Article 32** — Data Processing Agreement (DPA), sub-processor list, and Technical and Organisational Measures (TOMs), all public.
- **European Banking Authority (EBA) / Markets in Crypto-Assets (MiCA) memo** — independent legal opinion that Didit satisfies the EBA Guidelines on remote customer onboarding (`EBA/GL/2022/15`) and the MiCA regulation.

Request the Trust Pack on this page and we send every report, certificate, and memo back the same business day under a signed Non-Disclosure Agreement (NDA).

Question 9

What does the Spanish regulator attestation actually mean for me?

Accepted Answer

**Mutual recognition across the European Union (EU) — and a regulator-defensible audit trail.**

Spain's **Tesoro Público**, **Banco de España**, **SEPBLAC**, and **CNMV** ran a year-long financial sandbox (November 2024 – July 2025) on Didit's Near-Field Communication (NFC) chip read plus active liveness onboarding flow. The official conclusions report, published on `tesoro.es`, finds Didit's remote verification **meets or exceeds the security level of in-person identification** under the Anti-Money Laundering Directive (AMLD).

For your compliance team this means:

- **AMLD6 mutual recognition** — the attestation is portable across every other EU member state without re-certification.
- **eIDAS 2.0 alignment** — Didit's NFC + liveness flow is on the public record as suitable for Qualified Electronic Signature (QES) onboarding.
- **Defensible audit trail** — when your local Financial Intelligence Unit (FIU) reviews your onboarding, you point at the same report your EU peer regulators have signed off on.

Didit is the only identity-verification vendor with this attestation on the public record.

Question 10

Can I ask Didit to obtain a specific license or certification?

Accepted Answer

**Yes — and we are probably already working on it.** Didit is actively pursuing 10+ certifications, licenses, and regulator approvals across markets and verticals at any given time: payment authorisations, crypto and Markets in Crypto-Assets (MiCA) registrations, Anti-Money Laundering (AML) supervisor approvals, eIDAS 2.0 Qualified Trust Service Provider (QTSP) status, regional Financial Intelligence Unit (FIU) reporting, and vertical-specific authorisations (iGaming, healthcare, banking).

If there is a license or certification your compliance team needs Didit to hold, **email `security@didit.me`**. Odds are it is already in our queue — and if it is not, your request bumps it up the list. We come back with:

- Where the certification sits in our roadmap.
- The expected timeline.
- The scope (full coverage, a specific region, a specific module).

We carry the compliance. Launch identity checks in one click

Regulators say Didit is safer than in-person verification.

A dedicated fraud team. Models, monitoring, prevention.

Models — built and retrained in-house.

Monitoring — every session, every hour.

Prevention — inline, invisible to the user.

Every claim has a document behind it.

SOC 2 Type 1

ISO/IEC 27001:2022

iBeta Level 1 PAD

Tesoro sandbox attestation

GDPR Article 32

EBA / MiCA compliance

What we store, where we store it, how long we keep it.

Encryption at rest — AES-256.

Encryption in transit — TLS 1.3.

Data residency — EU by default.

Retention — 1 month to 10 years.

Biometric handling — Data minimization.

Data subject rights — Delete data with one endpoint.

Security questions, answered.

Infrastructure for identity and fraud.

We carry the compliance. Launch identity checks in one click.

By the numbers