SECURITY & COMPLIANCE

The most advanced technologies to keep you compliant with GDPR and KYC/AML requirements

KYC / AML Compliance

Here at Sumsub, data protection and financial compliance are at our core.

Global compliance

Sumsub’s identity verification platform is globally applicable, as our approach and methodology are carefully designed according to the FATF recommendations regarding AML and CTF requirements (specifically, Article 10), which serves as the international basis for local AML laws.

Risk-based approach

Our system is based on a risk-based approach and follows global and local regulatory norms (FATF, FINMA, FCA, CySEC, MAS). Our expertise in compliance and our provision of a range of technologies help businesses and financial authorities to speak in a common language.

Enhanced KYC verification

Our platform is equipped with tools that enable completely automatic verification as well as checks based upon human review in line with the current European legislation on non-face-to-face customer identification in the banking industry.

Ongoing monitoring

We constantly monitor all the existing user profiles to manage the risks associated with your customers. The system will notify you if a user has been put on a Sanctions list or his document has expired. Because of this, you can react immediately in case of any changes.

Compliance With Data Privacy Laws

At Sum&Substance, we have established a comprehensive ongoing GDPR compliance program while providing training to our staff and conducting meetings on how important data protection is for the entire core team. To illustrate just how we have reached transparency, here are a few examples of what we currently have in place:

Customer consent

We receive customer consent before processing personal data. The request for consent is placed in a separate checkbox before verification, so a user clearly understands what they are agreeing with.

Clear privacy policy

In our policy it is clearly stated how the user’s data is going to be used and for how long. It gives users transparency and information about the purposes and methods of processing.

European data centers and data protection officer

We store all the data in Amazon GDPR compliant servers, which are located in the EU. Overall responsibility for all data lies on the DPO (Data Protection Officer).

The right to revoke consent

Our users have the right to withdraw consent within a reasonable timeframe. To revoke an approval, all they have to do is to send a message to [email protected]

Breach alerts

Despite all of the preparations, there is always a chance that something can go wrong. We have tested our processes and technologies and are ready to detect and address breaches within 72 hours.

Bank-level security

We know that data security is paramount, that’s why we’d like to tell you a bit about how we ensure it.

Secure data storage

User data is stored in an encrypted format on our servers, which are kept at Uptime Institute classified Tier III data centers compliant with TIA-942 and PCI DSS standards. The data centers are protected technically and guarded physically around the clock by specially audited security personnel.

Leading encryption technologies

All data is transferred via a protected channel with cryptographic encryption based on the TLS 1.2 protocol. Decryption keys are stored separately from the actual data, so people with criminal intent won’t get access to your sensitive data.

Independent testing

We work with independent experts in information security, in order to find and prevent potential vulnerabilities. Our site, iFrame, and API constantly undergo penetration testing, security checks, threat detection, black box and white box testing.