EU Data Residency
All verification data is stored and processed within the European Union.
Infrastructure Locations
Every component of the AgeEvidence hosted service is located within the EU:
No Data Transfer Outside the EU
The hosted AgeEvidence service does not transfer verification data outside the EU at any point in the verification lifecycle:
- Client-side processing — biometric analysis (face detection, liveness, OCR, anti-spoofing) runs in the user's browser. No biometric data is sent to third-party servers.
- Upload path — verification artifacts (video, document images, face descriptors) are uploaded directly to EU-based object storage.
- Processing — admin review, status updates, and API responses are handled by the EU-based application server.
- Storage — all database records, files, and audit logs reside in EU data centers.
GDPR Alignment
EU data residency supports GDPR compliance through several principles:
- Data minimization — only required verification artifacts are collected and stored. Biometric processing (local AI models) happens client-side and on our servers, reducing the volume of sensitive data uploaded.
- Purpose limitation — verification data is used solely for identity/age verification and compliance recordkeeping. It is not used for marketing, profiling, or secondary purposes.
- Storage limitation — retention periods are configured per verification level. Age-only verifications expire after 1 year. Full KYC data is retained for the legally required 7-year period.
- Integrity and confidentiality — data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access is controlled through API key authentication, WebAuthn sessions, and audit logging.
Subprocessors
The hosted AgeEvidence service uses two EU-based subprocessors:
- database hosting in Germany
- application hosting and object storage in Germany
- servers in Germany
No non-EU subprocessors are involved in verification data processing.
Frequently Asked Questions
- Where exactly is verification data stored?
  - The database is hosted by in Germany. Object storage for verification documents and video is hosted in Germany. The application server runs on a VPS in Europe. All three components are within the EU.
- Does any data leave the EU during verification?
  - No. Biometric processing (face detection, liveness analysis, OCR) runs client-side in the user's browser. Uploaded artifacts (video, document images, face descriptors) go directly to EU-based storage. Admin review and all API processing happen on the EU-based application server.
- What about Customer-Managed Storage (BYOS) in a different region?
  - With BYOS, you choose your own storage location. If your bucket is outside the EU, the media stored there is subject to your chosen region's data protection laws. AgeEvidence session metadata and decisions remain in the EU regardless of BYOS configuration.