Customer-Managed Storage (BYOS)
Route verification media (ID images, liveness videos) to your own S3-compatible storage. AgeEvidence handles verification processing, admin review, and compliance workflows.
Prerequisites
- An S3-compatible storage bucket with a private access policy
- IAM credentials (access key + secret key) with PutObject, GetObject, and DeleteObject permissions
- AgeEvidence account on Scale or Business plan (or Launch with the BYOS add-on)
Configuration
Provide your S3 credentials via the client dashboard or API. The following fields are required:
| Field | Example | Description |
|---|---|---|
| endpoint | https://s3.eu-central-1.amazonaws.com | S3 API endpoint URL |
| bucket | my-verification-media | Bucket name |
| region | eu-central-1 | Bucket region |
| accessKeyId | AKIA... | IAM access key |
| secretAccessKey | wJalr... | IAM secret key (encrypted at rest) |
IAM Policy (Minimal Permissions)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-verification-media/*"
    }
  ]
}
```
No ListBucket or bucket-level permissions required. AgeEvidence only operates on individual objects within the paths it creates.
Object Path Structure
Objects are written using a deterministic path:
```
{level}/{external_id}/{timestamp}-{file_type}.{ext}
full-kyc/user_abc123/1705500000000-continuous.webm
full-kyc/user_abc123/1705500000000-id-front.jpg
full-kyc/user_abc123/1705500000000-id-back.jpg
age-verification/user_xyz789/1705500000000-face-frame.jpg
```
| File type | Extension | Levels |
|---|---|---|
| continuous | .webm | All levels |
| id-front | .jpg | full_kyc, full_age |
| id-back | .jpg | full_kyc, full_age (non-passport) |
| face-frame | .jpg | All levels |
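Because every key follows one template, a listing of your own bucket can be audited for objects that fall outside it. The Python below is an added example, not AgeEvidence code; it assumes the timestamp is Unix epoch milliseconds and that the level segment of the path is the level name with hyphens in place of underscores, and the last four sample keys are constructed.

```python
import re
from datetime import datetime, timezone

# File type -> (extension, allowed levels), from the table above; None = all levels.
FILE_TYPES = {
    "continuous": ("webm", None),
    "id-front": ("jpg", {"full_kyc", "full_age"}),
    "id-back": ("jpg", {"full_kyc", "full_age"}),
    "face-frame": ("jpg", None),
}
KEY_RE = re.compile(
    r"(?P<level>[a-z0-9-]+)/(?P<external_id>[^/]+)/"
    r"(?P<ts>\d+)-(?P<file_type>[a-z-]+)\.(?P<ext>[a-z0-9]+)"
)
# Sample listing: the first two keys are from the page, the rest are constructed.
SAMPLE_KEYS = [
    "full-kyc/user_abc123/1705500000000-id-front.jpg",
    "age-verification/user_xyz789/1705500000000-face-frame.jpg",
    "age-verification/user_xyz789/1705500000000-id-front.jpg",
    "full-kyc/user_abc123/1705500000000-continuous.mp4",
    "full-kyc/user_abc123/1705500000000-selfie.jpg",
    "tmp/debug.log",
]

def check_key(key):
    """Return (parsed, problems); parsed is None when the key does not fit the template."""
    m = KEY_RE.fullmatch(key)
    if m is None:
        return None, ["does not match the object path template"]
    parsed = m.groupdict()
    # Assumption: the timestamp is milliseconds since the Unix epoch.
    parsed["time"] = datetime.fromtimestamp(int(parsed.pop("ts")) / 1000, tz=timezone.utc)
    problems = []
    spec = FILE_TYPES.get(parsed["file_type"])
    if spec is None:
        problems.append("unknown file type " + parsed["file_type"])
    else:
        ext, levels = spec
        if parsed["ext"] != ext:
            problems.append(f"extension .{parsed['ext']}, expected .{ext}")
        # Assumption: path segment "full-kyc" corresponds to level "full_kyc".
        if levels is not None and parsed["level"].replace("-", "_") not in levels:
            problems.append(f"{parsed['file_type']} not expected at level {parsed['level']}")
    return parsed, problems

def audit(keys):
    """Map each key that has at least one problem to its list of problems."""
    return {k: probs for k in keys if (probs := check_key(k)[1])}

if __name__ == "__main__":
    for key, probs in audit(SAMPLE_KEYS).items():
        print(key, "->", "; ".join(probs))
```

Run it over a key listing produced with your own credentials, since the policy above grants AgeEvidence no ListBucket permission.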
Encryption
AgeEvidence recommends enabling server-side encryption on your bucket:
- SSE-S3 — automatic encryption with provider-managed keys (simplest setup)
- SSE-KMS — encryption with your own KMS key for additional access control
AgeEvidence does not manage encryption keys. Encryption is handled entirely by your storage provider.
Failure and Retry Behavior
- Upload failures are retried up to 3 times with exponential backoff (1s, 2s, 4s)
- If all retries fail, the verification session fails and the user can restart
- No media is stored on AgeEvidence infrastructure as a fallback
- Failed uploads are logged in the verification audit trail with error details
Data Retained by AgeEvidence
Even with BYOS enabled, AgeEvidence retains the following in its database:
- Verification record (ID, status, timestamps, verification level)
- Admin decisions (approve/reject/resubmit with reasons and reviewer ID)
- Face descriptors (for face matching during review)
- Fraud signals (anti-spoof scores, liveness results)
- Estimated age (for age_only verifications)
- Performer records (for full_kyc — legal name, DOB, 2257 data)
- Access audit trail (who accessed what, when, from where)
Media file references (S3 paths) are stored so AgeEvidence can generate signed URLs from your bucket during admin review.
Testing
Use a separate bucket or path prefix for testing. The sandbox environment supports BYOS configuration independently from production.
For product details and pricing, see the Customer-Managed Storage product page.
Frequently Asked Questions
- Can I store media in a different region than my AgeEvidence account?
  Yes. Your bucket region is independent of AgeEvidence infrastructure. Choose any region that meets your data residency requirements.
- What happens to existing verifications when I enable BYOS?
  BYOS applies to new verifications only. Existing media remains in AgeEvidence storage. Contact support to arrange migration of historical media if needed.
- Can I use separate buckets for different verification levels?
  Not currently. All verification media for a single client is routed to one bucket. If you need level-based routing, contact us.