Trust & Compliance

Last updated 5 June 2026

Verisoar is built privacy-first: we verify age and identity without building a biometric database. This page summarises how we protect data and how our age assurance is designed to meet the standards regulators and customers expect.

Data protection by design

  • Document images, selfie frames and biometric templates are processed in memory only and are never written to storage.
  • We retain only a minimal, non-biometric record — a yes/no age result, a coded outcome, short-lived dispute scores, and a tamper-evident audit hash.
  • Explicit Art. 9 consent is captured before any biometric processing begins.
  • Automated retention enforcement deletes records on schedule; customers can erase any subject reference on demand.
  • We maintain a Data Protection Impact Assessment (DPIA) for our biometric processing; a summary is available to customers and regulators on request.
  • We act as a processor for our customers and provide a DPA, a Privacy Notice, a Biometric Data Policy, and a Retention Policy.

Security

  • Encryption in transit for all data.
  • Hashed API keys and salted IP hashes; least-privilege access to production.
  • Append-only, hash-chained audit log for accountability and tamper evidence.
  • Region-pinned cloud processing (AWS, EU) under the AWS DPA, with generative-AI inputs excluded from model training.

Highly effective age assurance

Where customers use Verisoar to meet age-assurance duties (for example under the UK Online Safety Act), our method is designed around the principles Ofcom expects of highly effective age assurance — that it be technically accurate, robust, reliable and fair:

  • Accurate & robust. Age is read from a genuine identity document, not estimated, and is bound to a server-verified claim so it cannot be hand-typed to defeat the gate.
  • Live person. Active liveness with randomised head-pose challenges and anti-spoof scoring resists photo, video and mask attacks, combined with a 1:1 face match to the document.
  • Reliable. Deterministic server-side scoring with documented thresholds, plus a retry path and the option of human review.
  • Fair & accessible. We monitor for accuracy and bias and support a clear consent and appeal route; customers should always offer an alternative route where required.

Customers remain responsible for configuring the threshold and method appropriately for their regulatory obligations. Independent assessment / certification status is available on request.

Documentation & requests

For our DPA, sub-processor list, security overview, or to discuss an assessment, contact support@verisoar.com.