avalKYC
Start free

Security

Security & data protection

Identity data is the most sensitive data you handle. AvalKYC is built so you can hold it to that standard — with encryption, isolation, and privacy controls designed in, not bolted on.

Core controls

How we protect identity data

Encryption in transit

All traffic is served over HTTPS with modern TLS, terminated at a hardened reverse proxy. The verification engine is never exposed directly to the public internet.

Biometric isolation

Face embeddings are stored separately from verification records and are stripped from every API response. Submitter IPs are stored only as salted hashes, never in the clear.

Least-privilege access

API keys are random, high-entropy, and stored only as SHA-256 hashes — the raw key is shown once. Dashboard access is role-based (owner / admin / member) and session-scoped.

Tamper-evident audit trail

Every consequential action — reviews, assignments, erasures, key changes — is written to an append-only audit log, exportable as a per-case evidence pack for auditors.

Data minimization & retention

Collect only what a check requires. Set a per-organization retention window and applicant data is auto-erased on schedule, leaving a PII-free tombstone for the record.

Right to erasure

One action redacts an applicant's personal data and deletes their biometrics and review notes — keeping the decision and audit trail intact to prove the check happened.

Operational practices

Defense in depth

  • Single-tenant-friendly: deploy in your own cloud or VPC so data never leaves your boundary.
  • Network isolation between the web tier, verification engine, and database via a private container network.
  • Rate limiting on authentication and submission endpoints to blunt credential-stuffing and abuse.
  • Capture-integrity and injection signals (virtual-camera, automation, and deepfake heuristics) on every live capture.
  • Idempotency keys on write APIs so retries never create duplicate records or charges.
  • Automated, encrypted database backups on a daily schedule.

Compliance posture

Built for the requirements your auditors care about

AvalKYC implements the technical controls that underpin GDPR data minimization, the right to erasure, and auditable record-keeping: configurable retention, per-case evidence packs, and an immutable audit trail.

Formal attestations such as SOC 2 and ISO 27001 are organizational certifications of an operating company, not of software. For production use in a regulated context, pair AvalKYC with certified data sources and run it inside your own audited environment — the architecture is designed to support that.

Report a vulnerability

Found a security issue? We want to hear about it. Email our team and we'll acknowledge your report promptly. Please give us a reasonable window to remediate before any public disclosure.

security@avalkyc.com