Security Webpage for Customers.

All IDnow employee computers are centrally managed through a mobile device management system and are security-hardened according to best practices, including patch management, device encryption, and automatic screen-lock features.
Every machine runs anti-malware and intrusion detection software, which are centrally monitored to detect and respond to any suspicious events.

Our developer need to adhere to secure coding standards and participate in basic secure coding training
All code changes are subject to 4-eyes-reviews and we have a full audit trail of changes
We have embedded security checks (e.g. static code analysis, dependency check) directly into our pipeline

We ensure data segregation through logical separation techniques, maintaining strict boundaries and privacy for each client’s information. This separation is regularly verified through internal controls and external penetration testing.
Identification data is entirely isolated from office networks and can only be accessed by a select group of trusted individuals via secure VPN.
Our production system is fully segregated from testing and development environments. Production data is strictly confined to its designated environment and is not permitted outside of it.
Identcenter employees handle identification tasks sequentially, focusing on one customer at a time.

Our role-based access control ensures that access rights are assigned according to least privilege and need-to-know principles
Privileged access is managed via trusted roles, which need to undergo background checks and need special approval by our HR and our CISO
Our systems utilize MFA (mutli-factor authentication) to add an extra layer of security for all our critical applications
Our access control mechanisms are continuously monitored and audited to detect and respond to any unauthorized access attempts in real-time

We conduct regular risk assessments to identify potential vulnerabilities and threats, staying one step ahead of potential issue
We combine asset-based and event-based risk assessment methodologies following the ISO27005 norm to ensure that risks of all types are well-managed
Our process ensures that all identified risks are addressed promptly by assigning them directly to responsible teams and default due dates to ensure risks are mitigated within defined timelines

Our systems are monitored round-the-clock to detect and respond to security threats and incidents in real-time
We have established a clear process and a security operations team that promptly detects, assesses and mitigates any security incident
Our procedures ensure that incidents are reported to regulators if needed or to our customers in case their data is affected
Incidents undergo a post-mortem analysis which will identify the root cause of the incident and will define further measures to prevent any future occurrences 

We conduct regular supplier audits to verify adherence to our security requirements and to mitigate risks origination from our third-party providers
To ensure suppliers follow our security standards, we are embedding stringent security controls directly into supplier contracts
Our suppliers are required to maintain relevant security certifications, ensuring they meet industry standards for data protection and privacy

We have implemented a robust business continuity framework aligned with international standards to ensure continuity of critical business operations
We design our infrastructure with disaster scenarios in mind, incorporating redundancy across data centers andsystems 
We develop business continuity plans and conduct regular testing in order to ensure readiness for potential disruptions

We engage internal and external auditors and give our customers the right to conduct independent reviews of our security controls and practices 
We actively maintain our security certifications to ensure we are compliant to industry regulations and standards
Regular penetration tests are conducted by independent third-parties on all customer-facing products to identify and address vulnerabilities and ensuring our security measures work as intended

All IDnow employee computers are centrally managed through a mobile device management system and are security-hardened according to best practices, including patch management, device encryption, and automatic screen-lock features.
Every machine runs anti-malware and intrusion detection software, which are centrally monitored to detect and respond to any suspicious events.

Our developer need to adhere to secure coding standards and participate in basic secure coding training
All code changes are subject to 4-eyes-reviews and we have a full audit trail of changes
We have embedded security checks (e.g. static code analysis, dependency check) directly into our pipeline

We ensure data segregation through logical separation techniques, maintaining strict boundaries and privacy for each client’s information. This separation is regularly verified through internal controls and external penetration testing.
Identification data is entirely isolated from office networks and can only be accessed by a select group of trusted individuals via secure VPN.
Our production system is fully segregated from testing and development environments. Production data is strictly confined to its designated environment and is not permitted outside of it.
Identcenter employees handle identification tasks sequentially, focusing on one customer at a time.

All IDnow employee computers are centrally managed through a mobile device management system and are security-hardened according to best practices, including patch management, device encryption, and automatic screen-lock features.
Every machine runs anti-malware and intrusion detection software, which are centrally monitored to detect and respond to any suspicious events.

Our developer need to adhere to secure coding standards and participate in basic secure coding training
All code changes are subject to 4-eyes-reviews and we have a full audit trail of changes
We have embedded security checks (e.g. static code analysis, dependency check) directly into our pipeline

We ensure data segregation through logical separation techniques, maintaining strict boundaries and privacy for each client’s information. This separation is regularly verified through internal controls and external penetration testing.
Identification data is entirely isolated from office networks and can only be accessed by a select group of trusted individuals via secure VPN.
Our production system is fully segregated from testing and development environments. Production data is strictly confined to its designated environment and is not permitted outside of it.
Identcenter employees handle identification tasks sequentially, focusing on one customer at a time.

All IDnow employee computers are centrally managed through a mobile device management system and are security-hardened according to best practices, including patch management, device encryption, and automatic screen-lock features.
Every machine runs anti-malware and intrusion detection software, which are centrally monitored to detect and respond to any suspicious events.

Our developer need to adhere to secure coding standards and participate in basic secure coding training
All code changes are subject to 4-eyes-reviews and we have a full audit trail of changes
We have embedded security checks (e.g. static code analysis, dependency check) directly into our pipeline

We ensure data segregation through logical separation techniques, maintaining strict boundaries and privacy for each client’s information. This separation is regularly verified through internal controls and external penetration testing.
Identification data is entirely isolated from office networks and can only be accessed by a select group of trusted individuals via secure VPN.
Our production system is fully segregated from testing and development environments. Production data is strictly confined to its designated environment and is not permitted outside of it.
Identcenter employees handle identification tasks sequentially, focusing on one customer at a time.

End-customer data is protected through encryption both in transit and at rest, using secure, best practice algorithms
Access to our API services is restricted to TLS 1.2 or higher with secure ciphers only.
All traffic between the ident centers and the data centers is encrypted via secure VPN

Multiple layers of firewalls are used to control incoming and outgoing network traffic.
Web application filtering, intrusion detection, and prevention systems are implemented to detect and block malicious traffic.
Network segmentation is employed to segregate production and security-critical networks from other networks.

As a data processor, we strictly adhere to GDPR requirements, ensuring through automated processes that personal data is deleted when it is no longer needed for the purposes agreed upon with our customers or when instructed by them.
We employ secure deletion methods to ensure that data is irreversibly erased from all storage media, including secure wiping and physical destruction where necessary.

We conduct yearly penetration tests on all our customer-facing services, performed by trusted, independent third-party providers.
Quarterly external vulnerability scans are conducted by a certified provider on all internet-facing IPs.
Independent tests and scans are complemented by continuous internal scanning and penetration testing carried out by our security team..
We follow standard processes to assess, assign, and follow up on open vulnerabilities with the relevant teams, including escalation procedures when necessary

We perform regular backups of our production data to meet the service level agreements negotiated with our customers
Backup redundancy is ensured by storing backups at a separate site from the production environment.
Frequent restore tests are conducted to verify that the backups and their recovery processes function as expected.

Our systems and infrastructure are monitored around the clock for any service interruptions, with a responsive on-call team ready to react promptly to any issues.
All activities including administrative actions on our applications and servers are logged and consolidated into a central logging system.
Our dedicated SOAR (Security Orchestration, Automation, and Response) infrastructure, isolated from the production network, collects data from critical systems. It can correlate security events to detect, alert, and automatically respond to specific attack patterns.