Our Security Commitment
Security is foundational to everything we build at Sniip Identity. We handle sensitive biometric data and identity documents, and we take that responsibility seriously. This page outlines the security measures we implement to protect your data and your customers.
Encryption
Data at Rest
All biometric data, identity documents, and liveness videos are encrypted using AES-256-GCM before storage. Encryption keys are managed through Google Cloud KMS with automatic rotation.
Data in Transit
All communications use TLS 1.3. API traffic is encrypted end-to-end between your application and our servers. We enforce HTTPS on all endpoints.
Authentication and Access Control
- API Key Authentication: All API keys are hashed with SHA-256 before storage. We never store raw API keys. Key prefixes are retained for identification only.
- Dashboard Authentication: Passwords are hashed with bcrypt. Sessions use JWT tokens with 24-hour expiry and HMAC-SHA256 signing.
- Tenant Isolation: All data is scoped to individual tenants. Cross-tenant data access is prevented at the database query layer.
- Webhook Security: All webhook payloads are signed with HMAC-SHA256 using a per-tenant secret, allowing you to verify authenticity.
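The receiving side of the webhook scheme described above, as an added example rather than code from Sniip Identity: the header name, hex encoding of the digest, and sample secret are assumptions, since the page does not state them.

```python
import hmac
import hashlib
import json

# Assumed header name; the page does not specify which header carries the signature.
SIGNATURE_HEADER = "X-Sniip-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 of the raw request body under the per-tenant secret."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the HMAC of the body.

    The MAC is computed over the raw bytes exactly as received (not over a
    re-serialised JSON object), and compared in constant time so the check
    does not leak how many leading characters of the digest were correct.
    """
    received = headers.get(SIGNATURE_HEADER, "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample values (not real credentials or traffic).
TENANT_SECRET = b"whsec_example_tenant_secret"
SAMPLE_BODY = json.dumps({"event": "verification.completed", "id": "vrf_123"}).encode()


def demo() -> dict:
    """Exercise the accept path and the three rejection paths a receiver must handle."""
    good_headers = {SIGNATURE_HEADER: sign_payload(TENANT_SECRET, SAMPLE_BODY)}
    tampered_body = SAMPLE_BODY.replace(b"completed", b"failed")
    return {
        "valid": verify_webhook(TENANT_SECRET, SAMPLE_BODY, good_headers),
        "tampered": verify_webhook(TENANT_SECRET, tampered_body, good_headers),
        "missing_header": verify_webhook(TENANT_SECRET, SAMPLE_BODY, {}),
        "wrong_secret": verify_webhook(b"another-tenant-secret", SAMPLE_BODY, good_headers),
    }
```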
Infrastructure Security
- Cloud Platform: Hosted on Google Cloud Platform with SOC 2 Type II certification
- Network Security: All services run behind Envoy proxy with TLS termination, request filtering, and rate limiting
- Container Isolation: Services run in isolated containers with minimal privileges
- Automatic Scaling: Infrastructure scales automatically to handle load without degradation
- Geographic Redundancy: Data is replicated across multiple availability zones
Compliance
SOC 2 Type II
Our infrastructure and processes are audited annually for security, availability, and confidentiality controls.
GDPR
We comply with the General Data Protection Regulation. We act as data processor on behalf of our tenants and support data subject rights.
Australian Privacy Act
We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
iBeta Certification
Our liveness detection is iBeta Level 1 and Level 2 certified for presentation attack detection.
Data Retention and Deletion
Biometric data is automatically deleted according to plan-specific retention periods (7 to 90 days). Enterprise customers can configure custom retention. Deleted data is permanently purged — we do not retain soft-deleted biometric records.
Incident Response
We maintain a documented incident response plan. In the event of a security incident affecting customer data, we will:
- Notify affected customers within 72 hours
- Provide details of the incident scope and impact
- Take immediate steps to contain and remediate
- Provide a post-incident report with root cause analysis
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to security@sniip.com. We ask that you:
- Provide sufficient detail to reproduce the issue
- Allow reasonable time for remediation before public disclosure
- Do not access or modify other users' data
Questions
For security-related enquiries, contact our security team at security@sniip.com.