Customer-Managed Storage (BYOS)
Route verification media to your own S3-compatible storage while AgeEvidence handles processing, decisions, and compliance workflows. We do not provide our source code.
How It Works
With BYOS enabled, ID images and liveness videos are uploaded directly to your S3-compatible bucket. AgeEvidence processes the verification using temporary signed URLs and retains only session metadata and decisions.
- Your storage — ID front/back images, liveness video, face frame captures
- AgeEvidence retains — verification status, admin decisions, face descriptors, fraud signals, audit trail
- No fallback storage — if your bucket is unreachable, the session fails cleanly
Supported Destinations
Any storage service that exposes the S3-compatible API:
| Requirement | Details |
|---|---|
| Protocol | S3-compatible API (PutObject, GetObject, DeleteObject) |
| Authentication | Access key + secret key (IAM credentials) |
| Bucket access | Private bucket — no public access required |
| Encryption | Server-side encryption (SSE-S3 or SSE-KMS) recommended |
| Region | Your choice — select a region that meets your data residency requirements |
IAM Policy
The credentials you provide need minimal permissions:
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::your-bucket/*"
}No ListBucket, no bucket-level operations. AgeEvidence only reads, writes, and deletes individual objects within the paths it creates.
Failure and Retry Behavior
- Upload failures — retried up to 3 times with exponential backoff (1s, 2s, 4s)
- Persistent failures — verification session fails with a clear error; user can retry
- No fallback — media is never stored on AgeEvidence infrastructure when BYOS is enabled
- Admin review — signed URLs are generated from your bucket for admin review sessions
Availability
Customer-Managed Storage is available as a €199/month add-on on the Launch plan, and included with Scale and Business plans.
Frequently Asked Questions
- What storage destinations are supported?
- Any S3-compatible object storage service. This includes services from major cloud and infrastructure providers that expose the S3 API, as well as self-hosted solutions like MinIO.
- What data does AgeEvidence retain when BYOS is enabled?
- AgeEvidence retains session metadata (verification ID, status, timestamps), admin decisions (approve/reject/resubmit with reasons), face descriptors for matching, fraud signals, and the complete access audit trail. Verification media (ID images, liveness videos) is stored in your bucket.
- What happens if my storage is temporarily unavailable?
- Uploads are retried with exponential backoff. If your storage remains unreachable, the verification session will fail and the user can retry. No media is stored on AgeEvidence infrastructure as a fallback.
- Do you offer a fully self-hosted or on-premises deployment?
- No. AgeEvidence is a hosted verification service. We do not provide our source code. BYOS gives you control over where sensitive media is stored while we handle the verification processing, admin tools, and compliance workflows.
- How does retention work with BYOS and 2257?
- For 2257 / full_kyc verifications, AgeEvidence retains the performer record metadata for 7 years as required by law. The associated media in your bucket follows your own retention policies — you are responsible for maintaining the required document copies for the 2257 retention period.