Enterprise-Grade Security, Privacy by Design

VerifEye processes billions of verifications for the world's largest platforms. Security, privacy, and regulatory compliance are foundational to everything we build.

GDPR Compliant
European data protection standards, 3+ years
CCPA Ready
California Consumer Privacy Act compliant
SOC 2 Type II
Independently audited security controls
Certifications & Standards

Independently Verified Security

Our security posture is validated through independent audits, continuous monitoring, and alignment with international standards.

SOC 2 Type II

Security and Availability criteria, evaluated against AICPA standards. Report available under NDA.

GDPR & CCPA Compliant

Full GDPR compliance for 3+ years with DPA (Art. 28) and Privacy Policy (Art. 13). CCPA/CPRA compliant with consumer rights to know, delete, and opt out.

EU AI Act Aligned

Fairness validated across all demographics. Full transparency on training data provenance.

Penetration Testing

Regular independent testing by third-party security firms. Findings remediated on priority timelines.

31 Patents

Extensive intellectual property portfolio protecting our biometric verification technology.

Legal Indemnification

Every license covers direct losses, fines, or regulatory penalties from any proven compliance failure.


Data Protection

Privacy by Architecture, Not Afterthought

VerifEye processes facial images and derived biometric data (face embeddings) for verification. Embeddings are mathematical representations that cannot be reverse-engineered to reconstruct a face.

No Images Retained

No images or embeddings are retained beyond the verification session unless the customer explicitly configures gallery storage. Raw imagery is deleted immediately after verification.

Encryption Everywhere

TLS 1.2+ for all data in transit. AES-256 encryption for all data at rest using AWS-managed encryption services. API keys rotated on a defined schedule.

Data Residency Choice

Customers select their preferred data residency region at onboarding: United States, European Union, or Singapore (APAC). International transfers safeguarded by EU Standard Contractual Clauses.

Explicit Consent

Biometric processing begins only after explicit end-user consent (GDPR Article 9). No sale or sharing of biometric data under CCPA/CPRA. Realeyes acts as Data Processor under documented instructions from the business customer.

Access Control

Role-based access control (RBAC) following the principle of least privilege. Unique credentials, segregation of duties, and periodic access reviews by the Security Officer.

Data Deletion

Upon contract termination and at the customer's request, all customer data is securely deleted or anonymised. Configurable retention periods per client agreement.


Hosting & Infrastructure

Global, Resilient, Your Choice of Deployment

Component / Detail
Cloud Platform: Amazon Web Services (AWS) across three regions: US, EU, and Singapore (APAC).
Deployment Models: Cloud API hosted by Realeyes on AWS. On-device SDK runs entirely on the end user's device (C++, Python, .NET). On-premises deployed within the customer's own data centre. On-device and on-premises options mean biometric data never leaves your environment.
Encryption in Transit: TLS 1.2+ enforced on all connections. No support for deprecated protocols.
Encryption at Rest: AES-256 using AWS-managed encryption services. API keys rotated on a defined schedule.
Uptime SLA: >99.9% availability target. 60-minute response SLA for incidents, with a corrective plan. Service credits for unmet SLA. Terms tailored per customer agreement.
Monitoring: AWS CloudWatch and internal monitoring for real-time alerting on API latency, error rates, and availability. Incident communication via email and shared status page.
Anti-Spoofing: State-of-the-art liveness detection prevents spoofing via photos, videos, masks, deepfakes, and synthetic cameras. Proven over 3+ years of global operation.

Battle-Tested at Global Scale

VerifEye isn't promising scale — it's already there. Processing verifications for the world's largest social platform, every second of every day.

100B+
Verifications annually
3,400/s
Peak throughput
93
Countries in training data

Security Practices

Defence in Depth

Security is embedded in our software development lifecycle, operational processes, and incident management.

Vulnerability Management

All code addresses SANS and OWASP vulnerabilities with mandatory peer review. Separated production, dev, and test environments. Continuous scanning via Drata, AWS Inspector, and GitHub security features.

Incident Response

Documented Incident Response Plan covering detection, investigation, containment, resolution, and post-incident review. Breach notifications in accordance with applicable data protection regulations.

Business Continuity

Documented BCP and Disaster Recovery Plan with defined RTO and RPO targets. Simulated and tested at least annually. Both plans audited under SOC 2 Type II with no exceptions noted.


Regulatory Compliance

Built for the Regulatory Stack

VerifEye is designed end-to-end for current and emerging regulatory requirements across data protection, AI governance, and biometric law.

Regulation / How VerifEye Complies
GDPR: Data Processor role with DPA embedded in Terms for Customers (Art. 28). Privacy Policy fulfilling Art. 13 transparency obligations. Company Data Protection Policy governing Art. 6 principles. Data minimisation by design. EU SCCs for international transfers. EU data centres with on-prem option.
CCPA / CPRA: Compliant with the California Consumer Privacy Act and California Privacy Rights Act. Consumers can exercise rights to know, delete, and opt out. No sale or sharing of biometric data. Privacy-by-design architecture stores only irreversible mathematical embeddings deleted within seconds. DPA and CPRA-specific addendum available on request.
EU AI Act: Trained on ~20 million GDPR-compliant, explicitly consented webcam sessions from 6 million identities across 93 countries. 100% ethically sourced through proprietary data collection platform — no web scraping, no social media images, no third-party datasets. Independently validated for fairness across all demographics.
BIPA (Illinois): Three deployment paths: (1) On-prem SDK — zero biometric data reaches Realeyes. (2) On-device storage — embeddings never leave device. (3) Cloud API with geographic exclusion. Illinois residents explicitly excluded from all training data.
US State Privacy: Privacy-by-design architecture deletes images within 1 second and stores only irreversible mathematical embeddings. DPA templates and state-specific compliance guidance available for Illinois, Texas, Washington, California (CPRA), New York, and Arkansas.
Legal Protection: Every VerifEye license includes legal indemnification covering direct losses, fines, or regulatory penalties arising from any proven failure by Realeyes to meet its data-protection obligations.

Responsible AI

Ethical by Design, Fair for Everyone

Biometric AI must work equitably for all people. We built VerifEye's training data and validation processes to ensure it does.

Ethically Sourced Data

~20 million webcam sessions from 6 million individuals across 93 countries. All participants explicitly consented with right to withdraw, and were compensated ($10M+ paid). No scraped data. No social media images. No third-party datasets.

Demographic Fairness

Independently validated for equal accuracy across all skin tones, ethnicities, ages, and genders. Industry-leading fairness scores validated by major technology companies.

Independently Validated

PwC-audited data collection, consent mechanisms, and bias testing procedures. Trusted by Meta, Google, P&G, and Mars — all of whom have scrutinised and approved our responsible AI practices.


Frequently Asked

Security FAQ

How does Realeyes comply with GDPR?
Realeyes acts as a Data Processor under GDPR when providing VerifEye services. Our compliance framework includes: a Data Processing Agreement (DPA) embedded in our Terms for Customers (Annex 1), satisfying Art. 28 requirements; a Privacy Policy (Section 2) fulfilling Art. 13 transparency obligations; and a Company Data Protection Policy governing lawful processing under Art. 6 principles.
How does Realeyes comply with CCPA / CPRA?
Realeyes is fully compliant with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Consumers can exercise their rights to know, delete, and opt out. Realeyes does not sell or share biometric data. Our privacy-by-design architecture stores only irreversible mathematical embeddings that are deleted within seconds of processing. A CPRA-specific addendum is available on request alongside our standard DPA.
Where can I review your data processing terms?
Our public-facing legal documents: Terms for Customers (includes DPA as Annex 1) and Privacy Policy. Our Company Data Protection Policy is available on request under NDA.
What personal data does VerifEye process?
VerifEye processes facial images and derived biometric data (face embeddings) for verification purposes. Embeddings are mathematical representations — they cannot be reverse-engineered to reconstruct a face. No images or embeddings are retained beyond the verification session unless the customer explicitly configures gallery storage.
How is training data sourced?
100% of Realeyes training data (~20 million videos) is ethically sourced through our proprietary, consent-based data collection platform. Key safeguards: no web scraping, no social media images, no third-party datasets. Explicit opt-in consent with right to withdraw at any time. All participants compensated ($10M+ paid). Illinois residents explicitly excluded (BIPA compliance).
Do you have a SOC 2 report?
Yes. Realeyes holds a current SOC 2 Type II report. A copy is available under NDA — contact your account representative or email security@realeyes.ai.
What trust service criteria are covered?
The SOC 2 report covers the Security and Availability trust service criteria, evaluated against AICPA standards.
Where is VerifEye hosted?
VerifEye cloud services run on Amazon Web Services (AWS) across three geographic regions: United States, European Union, and Singapore (APAC). Customers select their preferred data residency region at onboarding.
Is on-premises deployment available?
Yes. VerifEye offers multiple deployment models: a Cloud API hosted by Realeyes on AWS, an on-device SDK running entirely on the end user's device (C++, Python, .NET), and an on-premises deployment within the customer's own data centre. On-device and on-premises options mean biometric data never leaves your environment.
What encryption is in place?
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) using AWS-managed encryption services. API keys are rotated on a defined schedule.
Where is the API documentation?
Full REST API documentation is available at verifeye-docs.realeyes.ai/rest-api. The API supports face retrieval, embedding generation, and similarity scoring with JSON request/response format.
What SDKs are available?
VerifEye provides native SDKs for flexible integration: C++ SDK (primary — two header files + library + model file), Python connector, .NET connector, and PyTorch export on request. The SDK supports face detection, alignment, embedding extraction, and similarity scoring in a six-step pipeline — all built in-house with proprietary neural network architectures.
What authentication does the API use?
API access is secured via API keys issued per customer environment. Keys are scoped to specific services and can be rotated at any time through the customer portal.
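The two properties named above, keys scoped to specific services and keys that can be rotated at any time, are what a customer should check for in any key-management scheme. The following is an added illustration of how such a store can be built, not code from Realeyes or the VerifEye customer portal; the service names, the `keyid.secret` token format, the hashed storage and the 24-hour rotation grace window are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical service names used as scopes; not VerifEye's real identifiers.
SERVICES = frozenset({"embedding", "similarity", "face-retrieval"})


@dataclass
class KeyRecord:
    key_hash: str                  # SHA-256 of the secret; plaintext is never stored
    environment: str               # customer environment the key was issued for
    scopes: frozenset              # services this key may call (least privilege)
    issued_at: datetime
    not_after: Optional[datetime] = None   # set on rotation/revocation; None means active


class ApiKeyStore:
    """In-memory store of scoped, rotatable API keys (illustrative design)."""

    def __init__(self, grace_period: timedelta = timedelta(hours=24)):
        self._records: dict[str, KeyRecord] = {}   # key_id -> record
        self.grace_period = grace_period           # overlap during which old key still works

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, environment: str, scopes, now: datetime):
        """Create a key for one environment limited to the given services."""
        unknown = set(scopes) - SERVICES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)            # public identifier, safe to log
        secret = secrets.token_urlsafe(32)       # shown to the customer exactly once
        self._records[key_id] = KeyRecord(self._hash(secret), environment, frozenset(scopes), now)
        return key_id, f"{key_id}.{secret}"

    def rotate(self, key_id: str, now: datetime):
        """Issue a replacement with identical scope; old key expires after the grace window."""
        old = self._records[key_id]
        old.not_after = now + self.grace_period
        return self.issue(old.environment, old.scopes, now)

    def revoke(self, key_id: str, now: datetime) -> None:
        """Immediate revocation, e.g. after a suspected leak."""
        self._records[key_id].not_after = now

    def validate(self, presented: str, environment: str, service: str, now: datetime) -> bool:
        """Return True only if the key is genuine, active, bound to this environment and scoped to the service."""
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        if record is None:
            return False
        # Constant-time comparison of hashes avoids leaking a timing side channel.
        if not hmac.compare_digest(record.key_hash, self._hash(secret)):
            return False
        if record.environment != environment:
            return False
        if record.not_after is not None and now >= record.not_after:
            return False
        return service in record.scopes


def demo() -> dict:
    """Walk through issue -> use -> rotate -> revoke and report each check's outcome."""
    store = ApiKeyStore(grace_period=timedelta(hours=24))
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    key_id, key = store.issue("acme-prod", {"embedding"}, t0)
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")
    results = {
        "in_scope": store.validate(key, "acme-prod", "embedding", t0),            # True
        "out_of_scope": store.validate(key, "acme-prod", "similarity", t0),       # False
        "wrong_env": store.validate(key, "acme-staging", "embedding", t0),        # False
        "tampered": store.validate(tampered, "acme-prod", "embedding", t0),       # False
        "unknown_id": store.validate("deadbeef.nope", "acme-prod", "embedding", t0),  # False
    }
    new_id, new_key = store.rotate(key_id, t0)
    results["old_in_grace"] = store.validate(key, "acme-prod", "embedding", t0 + timedelta(hours=1))        # True
    results["old_after_grace"] = store.validate(key, "acme-prod", "embedding", t0 + timedelta(hours=25))    # False
    results["new_after_grace"] = store.validate(new_key, "acme-prod", "embedding", t0 + timedelta(hours=25))  # True
    store.revoke(new_id, t0 + timedelta(hours=26))
    results["revoked"] = store.validate(new_key, "acme-prod", "embedding", t0 + timedelta(hours=26))  # False
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:16s} {outcome}")
```

The design point worth noting is that the store never holds a usable secret: a database dump yields only hashes, while scope and environment binding mean a leaked key for one service in one environment cannot be replayed elsewhere. The grace window lets a customer swap keys in their own deployment without a hard cutover.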
What uptime does Realeyes commit to?
Realeyes targets >99.9% availability for the VerifEye cloud API. Specific uptime commitments, monitoring, and remedies are defined in the customer SLA at contract signing.
What happens if SLA targets are missed?
Realeyes has a 60-minute SLA to correct the situation or provide a corrective plan. If this SLA is not met, Realeyes will generate a credit of fees calculated from the downtime period. Where downtime falls outside of Realeyes' control and reasonable proof is provided, the provision does not apply.
How is service performance monitored?
Realeyes uses AWS CloudWatch and internal monitoring for real-time alerting on API latency, error rates, and availability. Incident communication is provided via email and, where agreed, through a shared status page. SLA terms can be tailored per customer agreement.
What is your approach to application security?
All code addresses vulnerabilities covered by SANS and OWASP. Code changes require peer review by individuals trained in secure coding. Production, development, and test environments are fully separated — production data is never used in dev/test. All production changes follow change control with human approval. Engineers complete annual secure coding training covering OWASP principles and Top 10.
How do you manage access control?
Realeyes enforces role-based access control (RBAC) following the principle of least privilege. All users are assigned unique credentials with strong password requirements. Access is granted, modified, or revoked based on job role, with segregation of duties considered. Access reviews are conducted periodically by the Security Officer, and any access that doesn't align with least privilege is promptly remediated.
Do you have an incident response plan?
Yes. Realeyes maintains a documented Incident Response Plan covering detection, investigation, containment, resolution, and post-incident review. In the event of a data breach affecting customer data, relevant parties are notified in accordance with applicable data protection regulations.
What about business continuity?
Realeyes maintains a documented Business Continuity Plan (BCP) and a separate Disaster Recovery Plan (DRP). The BCP defines procedures for continuing operations during disruptions and is simulated and tested at least annually. The DRP covers technical recovery of systems and data, including defined RTO and RPO targets. Both plans were audited under SOC 2 Type II with no exceptions noted.

Questions About Security?

Talk to our team about your specific compliance requirements, data residency needs, or technical implementation.
