What we store. What we never share.
A platform that protects identity must hold itself to a higher bar than the threats it defends against. Here is exactly how we do it.
What we store
Encrypted mathematical fingerprints (embeddings) of your reference media. The originals are deleted after fingerprinting unless you explicitly opt into retained reference.
What we never share
Reference media. Biometric vectors. Scan history. Identity-linked data is never sold, never used to train models, never shared with advertisers.
Encryption
AES-256 at rest. TLS 1.3 in transit. Keys in a hardware security module with per-user envelope encryption.
Access control
Strict least-privilege. Every employee access event is logged. SOC 2 Type II in progress.
Right to deletion
Cryptographic erasure on demand. Embeddings cannot be reconstructed once deleted — by design.
Independent audit
Annual third-party security audit. Bug bounty program. Public security disclosures.
NCII handling
Specialized pipeline. Trauma-informed reviewers. Hash-based, no human review of imagery where avoidable.
Jurisdiction
EU + US data residency options. GDPR + CCPA compliant. Government data requests published in transparency report.