Security

Security you can rely on

Sumsub is designed with advanced engineering practices and strict security measures in mind. Our certifications and recurring testing back this up.

Certifications and attestations

SOC 3

Sumsub has successfully passed its SOC 3 examination, independently supervised by BARR Advisory, P.A. The report, released on October 21, 2022, provides an unbiased evaluation of Sumsub's security mechanisms and their capacity to prevent unauthorized access, disclosure, or harm to data. If you wish to obtain a copy of our SOC 3 report, please contact us at [email protected].

SOC 2 Type 2

Sumsub successfully completed its SOC 2 Type 2 examination, which was conducted by the independent auditor BARR Advisory, P.A. The report, issued October 21, 2022, includes an independent assessment of Sumsub's security controls and their effectiveness against unauthorized access, disclosure or damage of data. If you are interested in a copy of our SOC 2 Type 2 report, please reach out to [email protected].

SOC 2 Type 1

Sumsub successfully completed its SOC 2 Type 1 examination, which was conducted by the independent auditor BARR Advisory, P.A. This assessment confirms that Sumsub has rigorous security controls against unauthorized access, disclosure or damage of data. If you are interested in a copy of our SOC 2 Type 1 report, please reach out to [email protected].

ISO/IEC 27001

This standard covers the security of development, implementation, functioning, monitoring, analysis, support and improvement of Sumsub's ISMS (Information Security Management System), which is audited on an annual basis. This certification means that our information sources are well protected.

ISO/IEC 27017

This certification demonstrates that Sumsub adheres to technical and organizational measures regarding risk assessments, equipment, software controls, personnel work, the backup procedure and other processes related to cloud service security.

ISO/IEC 27018

This certificate confirms that Sumsub has commonly accepted control objectives and guidelines for implementing measures to protect Personally Identifiable Information (PII) privacy principles in the public cloud computing environment.

ISO 9001:2015

ISO 9001:2015 specifies requirements for an organization's quality management system. Sumsub's quality management system (QMS) demonstrates the ability to consistently provide products and services that meet customer and regulatory requirements.

ISO 31000:2018

Sumsub’s risk management framework and risk management processes demonstrate compliance with the components, policies and procedures stated by ISO 31000:2018 applicable to any activity including analysis, creation, design, development, testing and implementation of software solutions for online identification of individuals and legal entities through the processing of personal data, images and text documents.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from major card schemes. This certification confirms that Sumsub is fully compliant with high standards for secure storage and processing of bank card data.

Web application assessments

Sumsub has independent penetration tests conducted periodically to identify potential weaknesses related to inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, and others.

ASV scanning

Clone Systems is engaged to perform quarterly external vulnerability scans as an Approved Scanning Vendor (ASV). This assessment contributes to building a strong security system against malware attacks and other breaches.

Protection against presentation attacks

Sumsub's in-house Liveness technology has been tested by iBeta according to the ISO 30107-3 Biometric Presentation Attack Detection standard and successfully deters Level 1 attack vectors.

Privacy

Our internal privacy procedures are structured according to the UK GDPR and the EU GDPR. Sumsub has also implemented the CCPA and other applicable legal requirements to ensure the privacy of our clients' customers. We continue to improve our privacy frameworks and address other compliance requirements on an ongoing basis. For more information, please see our Privacy Notice.

EU GDPR compliance

Sumsub’s policies, procedures, and workflows regarding personal data processing of EU residents are fully compliant with the requirements of the EU GDPR. External and internal evaluations of Sumsub's compliance with the EU GDPR are conducted annually.

UK GDPR and DPA 2018 compliance

Sumsub has implemented the UK GDPR and DPA 2018 requirements in its internal data protection framework. In addition, Sumsub is registered with the Information Commissioner's Office in line with the UK Data Protection Act 2018. Our Data Protection Registration Number is ZA 222205. Sumsub's compliance with UK data protection and security requirements is evaluated annually.

ACCS 2:2021 Technical Requirements for Data Protection and Privacy

Sum and Substance was assessed by The Age Check Certification Scheme Ltd and found to meet ACCS 2:2021 Technical Requirements for Data Protection and Privacy according to certification criteria approved by the Information Commissioner’s Office following the Commissioner’s tasks and powers under Articles 57(1)(n) and 58(3)(f) pursuant to Article 42(5) of the UK General Data Protection Regulation.

e-IDVT Technical Requirements for Identity Document Validation Technology

Sum and Substance was assessed by The Age Check Certification Scheme Ltd and found to meet the e-IDVT Technical Requirements for Identity Document Validation Technology according to certification criteria defined under the UK Home Office Guidance Document for Identity Document Validation Technology requirements 2018.

Age Verification System (AVS)

KJM (the Commission for the Protection of Minors in the Media, Germany) found that the concept of Sum and Substance Ltd is suitable as a total solution for an Age Verification System (AVS) within the meaning of Article 4 (2) sentence 2 of the Jugendmedienschutz-Staatsvertrag (JMStV).

Other compliance measures

Sumsub's business activity spans the entire world, which means that we continuously meet additional regulatory requirements in the data protection framework. We protect California residents' personal information based on the required measures. For more information, please refer to the CCPA Privacy Notification. Where the data protection laws of Illinois, Washington, or Texas apply, please refer to the "Special notice to residents of the states of Illinois, Washington, or Texas (USA)" (Provision 19 of this Privacy Notice) for more information.

System access and customization

Sumsub offers a number of measures to keep your account safe.

Secure authentication

Access to the system is as protected as it can get. Passwords are encrypted, and two-factor authentication is enabled by default for additional security. You can also opt for Google Account login and SSO, which can be enabled in the Sumsub dashboard.

Anomaly detection tools

Our product is equipped with automatic anomaly detection tools that track suspicious actions, such as logins from different devices, repeated password guesses, or API keys, and immediately alert your tech team and administrators in case of a possible breach attempt.

User permissions

Permission levels and roles can be set up for your team for additional security. This includes access to settings, billing, user data, and the ability to send or edit messages. Read more about permissions and roles customization in our helpdesk article.

Secure local data processing (LDP)

Sumsub's Local Data Processing (LDP) is available in the UAE and MEA, offering KYC/AML, Transaction Monitoring, Fraud Prevention, and KYB services. LDP ensures complete compliance by securely storing applicant data locally, facilitating global expansion and reducing manual processing costs. To explore implementation in your region, contact us at [email protected].

Electronic Signatures and Infrastructures (ESI)

Sumsub has been assessed and certified as an identity proofing service provider acting in conjunction with a qualified trust service provider as an identity proofing module within the solution for issuing qualified electronic signatures/seals pursuant to eIDAS Regulation* and the following ETSI standards:

  • ETSI EN 319 401: Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers;
  • ETSI EN 319 411-1: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements;
  • ETSI EN 319 411-2: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates; and
  • ETSI TS 119 461: Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects.

*Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC

Have a security-related question?

If you have found a potential security vulnerability, please get in touch with us at [email protected].