Data Security

When handling personal information, absolute discretion is required. Everything possible must be done to ensure that it does not fall into the wrong hands. That’s why we take the utmost care in the selection of our employees and partners.

IDnow Employees.

Our identity experts are in direct contact with your end customers. They verify the personal information and the identity documents, and they process the recordings. That’s why we select our identity experts with great care.

They initially undergo an application process consisting of several stages, and they must submit their police clearance certificate as well as their Schufa credit information report. They are then given intensive training by our trainers. In doing so, we use a training concept that we devised jointly with the State Criminal Police Office of Hessen. We run training courses not only at the start, but also on an ongoing, regular basis and in the event of special circumstances.

Lawmakers also require that identity experts conduct themselves in a specific way. We fully satisfy this requirement.

Specific Security Regulations.

In order to comply with the highest possible security standard, we have adopted the following measures:

  1. All of the identity centres used for the identification have two-factor access control and, moreover, video surveillance.
  2. The IDnow system is a software system that has been fully developed and programmed by us in-house. Within the framework of the IDnow solution we do not use any video chat software such as Skype. The system is run by us on our servers located in Germany. Security is also our maxim in the technical environment. As such, our system has, from the outset, fulfilled the required end-to-end encryption, as well as the requirements of TR-02102.
  3. Pursuant to Art. 32 GDPR, measures are adopted which are suitable for protecting the data processing system against unauthorised access.
  4. Access to the server system is only possible for system administrators and always takes place using encrypted connections (SSH + IPsec). All accesses are personalised and secured by passwords and two-factor authentication (TOTP). Minimum requirements are set for passwords with regard to complexity, repetitions, etc.
  5. Pursuant to Art. 32 GDPR, measures are adopted which are suitable for guaranteeing that personal information cannot be exposed to unauthorised reading, copying, modification or removal during its electronic transmission or storage on data carriers.
  6. Pursuant to Art. 32 GDPR, measures are adopted which are suitable for guaranteeing that personal information is protected against accidental destruction or loss.

Data Storage.

As standard, we store personal information for 90 days. We can adapt this period to your requirements. After this period has expired, the data are completely deleted.

The appropriateness of our data storage was confirmed by, amongst others, the Bavarian State Office for Data Protection Supervision. Moreover, our data protection officer verifies the implementation of the technical and organisational measures at regular intervals. The corresponding certificates are available and we would be happy to provide them. The agreement on the commissioned processing of personal information in compliance with data protection legislation pursuant to Art. 32 GDPR forms an integral part of every customer contract (“Commissioned data processing agreement”).

Server Landscape.

We collaborate with the noris network high-security data centre. They specialise in the storage and processing of highly sensitive information, in particular related to finance, and are therefore our ideal partner. The data centres we use are located exclusively in Germany.