Enterprise-Grade Security, Privacy by Design

VerifEye processes billions of verifications for the world’s largest platforms. Security, privacy, and regulatory compliance are foundational to everything we build.

GDPR Compliant

European data protection standards, 3+ years

CCPA Ready

California Consumer Privacy Act compliant

SOC 2 Type II

Independently audited security controls

Certifications & Standards

Independently Verified Security

Our security posture is validated through independent audits, continuous monitoring, and alignment with international standards.

SOC 2 Type II

Security and Availability criteria, evaluated against AICPA standards. Report available under NDA.

GDPR & CCPA Compliant

Full GDPR compliance for 3+ years with DPA (Art. 28) and Privacy Policy (Art. 13). CCPA/CPRA compliant with consumer rights to know, delete, and opt out.

EU AI Act Aligned

Fairness validated across all demographics. Full transparency on training data provenance.

Penetration Testing

Independent penetration testing of our endpoints as part of the SOC 2 audit cycle, with additional third-party testing available as a scoped engagement. Findings are tracked to remediation under severity-based SLAs.

31 Patents

Extensive intellectual property portfolio protecting our biometric verification technology.

Contractually Committed

Every VerifEye license includes contractual protections covering accuracy, fairness, and data processing obligations backed by your agreement.

Data Protection

Privacy by Architecture, Not Afterthought

VerifEye processes facial images and derived biometric data (face embeddings) for verification. An embedding is a numeric vector, not an image: it is never stored or transmitted as a picture and is designed not to be reversible into one. Because published research on face-template inversion exists, treat that as a design property and rely on the deletion and encryption controls below, rather than the representation alone, to bound exposure.

No Images Retained

No images or embeddings are retained beyond the verification session unless the customer explicitly configures gallery storage. Raw imagery is deleted immediately after verification.

Encryption Everywhere

TLS 1.2+ for all data in transit. AES-256 encryption for all data at rest using AWS-managed encryption services. API keys rotated on a defined schedule.

Data Residency Choice

Customers select their preferred data residency region at onboarding: United States, European Union, or Singapore (APAC). International transfers safeguarded by EU Standard Contractual Clauses.

Explicit Consent

Biometric processing begins only after explicit end-user consent (GDPR Article 9). No sale or sharing of biometric data under CCPA/CPRA. Realeyes acts as Data Processor under documented instructions from the business customer.

Access Control

Role-based access control (RBAC) following the principle of least privilege. Unique credentials, segregation of duties, and periodic access reviews by the Security Officer.

Data Deletion

Upon contract termination, or earlier at the customer's request, all customer data is securely deleted or anonymised. Retention periods are configurable per client agreement.

Hosting & Infrastructure

Global, Resilient, Your Choice of Deployment

Cloud Platform: Amazon Web Services (AWS). Hosting regions are EU / EEA, US, and Singapore (APAC).

Deployment Models: Cloud API hosted by Realeyes on AWS; on-device SDK running entirely on the end user's device (C++, Python, .NET); on-premises deployment within the customer's own data centre. With the on-device and on-premises options, biometric data never leaves your environment.

Encryption in Transit: TLS 1.2+ enforced on all connections; deprecated protocols (SSL, TLS 1.0 and TLS 1.1) are not accepted.

Encryption at Rest: AES-256 using AWS-managed encryption services. API keys rotated on a defined schedule.

Uptime SLA: At least 99.5% availability. Service interruptions are categorised by priority (Critical, Significant, Other) with defined Response, Restore, and Resolve targets per level. Service Credits are calculated pro-rata for unmet availability. Real-time and historical status at realeyes-verifeye.betteruptime.com. Terms are tailored per customer agreement.

Monitoring: Publicly accessible status dashboard at realeyes-verifeye.betteruptime.com providing real-time and historical availability metrics and incident history. Internal AWS CloudWatch monitoring for real-time alerting on API latency, error rates, and availability. Customer support via a dedicated Slack channel and email, with best-effort response outside Support Hours for Critical issues.

Anti-Spoofing: Liveness detection prevents spoofing via photos, videos, masks, deepfakes, and virtual (synthetic) cameras. Proven over 3+ years of global operation.

Battle-Tested at Global Scale

VerifEye isn’t promising scale — it’s already there. Processing verifications for the world’s largest social platform, every second of every day.

Headline metrics (daily verifications in billions, proven throughput in verifications per second, and countries supported) are shown as live counters on the page; the figures are not reproduced here.

Security Practices

Defence in Depth

Security is embedded in our software development lifecycle, operational processes, and incident management.

Vulnerability Management

All code must address the vulnerability classes catalogued by SANS and OWASP, with mandatory peer review. Production, development, and test environments are separated. Continuous scanning via Drata, AWS Inspector, and GitHub security features.

Incident Response

Documented Incident Response Plan covering detection, investigation, containment, resolution, and post-incident review. Breach notifications in accordance with applicable data protection regulations.

Business Continuity

Documented BCP and Disaster Recovery Plan with defined RTO and RPO targets. Simulated and tested at least annually. Both plans audited under SOC 2 Type II with no exceptions noted.

Regulatory Compliance

Built for the Regulatory Stack

VerifEye is designed end-to-end for current and emerging regulatory requirements across data protection, AI governance, and biometric law.

GDPR: Data Processor role with DPA embedded in the Terms for Customers (Art. 28). Privacy Policy fulfilling Art. 13 transparency obligations. Company Data Protection Policy governing Art. 6 principles. Data minimisation by design. EU SCCs for international transfers. EU data centres, with an on-prem option.

CCPA / CPRA: Compliant with the California Consumer Privacy Act and California Privacy Rights Act. Consumers can exercise rights to know, delete, and opt out. No sale or sharing of biometric data. Privacy-by-design architecture: images and derived embeddings (numeric vectors, not pictures) are deleted immediately after verification unless the customer configures gallery storage. DPA and CPRA-specific addendum available on request.

EU AI Act: Limited-risk AI system under Regulation (EU) 2024/1689: consent-based biometric verification falls outside the high-risk categories and prohibited practices. Transparency obligations met by design: clear user-facing notice, explicit consent, and independently validated demographic fairness. VerifEye returns only a verification result; the access decision rests exclusively with the Business Customer. Specific duties per integration are addressed in the customer's Data Processing Addendum.

BIPA (Illinois): Three deployment paths: (1) on-prem SDK, where no biometric data reaches Realeyes; (2) on-device storage, where embeddings never leave the device; (3) Cloud API with geographic exclusion. Illinois residents are explicitly excluded from all training data.

US State Privacy: Privacy-by-design architecture deletes images immediately after verification and retains derived embeddings (numeric vectors, not pictures) only where the customer configures gallery storage. DPA templates and state-specific compliance guidance available for Illinois, Texas, Washington, California (CPRA), New York, and Arkansas.
Responsible AI

Ethical by Design, Fair for Everyone

Biometric AI must work equitably for all people. We built VerifEye’s training data and validation processes to ensure it does.

Ethically Sourced Data

~18 million webcam sessions from 6 million individuals across 94 countries. All participants explicitly consented with right to withdraw, and were compensated ($10M+ paid). No scraped data. No social media images. No third-party datasets.

Demographic Fairness

Independently validated for consistent accuracy across skin tones, ethnicities, ages, and genders, with low spread between groups. Industry-leading fairness scores validated by major technology companies.

Independently Validated

PwC-audited data collection, consent mechanisms, and bias testing procedures. Trusted by Meta, Google, P&G, and Mars — all of whom have scrutinised and approved our responsible AI practices.

Frequently Asked

Security FAQs

What is Realeyes' role under GDPR, and what documentation supports it?

Realeyes acts as a Data Processor under GDPR when providing VerifEye services to customers. Our compliance framework includes: Data Processing Addendum (DPA) embedded in our Terms for Customers (Annex 1), satisfying Art. 28 GDPR requirements; Privacy Policy (Section 2) fulfilling Art. 13 transparency obligations; Company Data Protection Policy governing lawful processing under Art. 6 GDPR principles; and other documentation required by global privacy laws.

What is Realeyes' role under CCPA/CPRA?

Realeyes acts as a service provider under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). End user data is processed solely for the purpose of providing the VerifEye services to the business customer and is never sold or shared for cross-context behavioural advertising or any other commercial purpose. We do not retain, use, or disclose personal information outside the direct business relationship with the customer, do not combine it with personal information from other sources, and do not attempt to re-identify de-identified or aggregated data. CCPA-specific obligations are set out in the CCPA terms of our Data Processing Addendum.

How is VerifEye classified under the EU AI Act?

VerifEye is a limited-risk AI system under Regulation (EU) 2024/1689: it performs consent-based biometric verification, confirming that a live, real person is present and, where required, meets an age threshold, which falls outside the high-risk categories and prohibited practices.

VerifEye meets the applicable transparency obligations by design, combining clear user-facing notice and explicit consent with independently validated demographic fairness and structural human oversight: VerifEye returns only a verification result, while the access decision rests exclusively with the Business Customer. Because the AI Act allocates obligations by deployment context, the specific duties applicable to any given integration are addressed in the customer's Data Processing Addendum and supporting compliance documentation.
Where are your legal documents published?

Our public-facing legal documents:

Terms (incl. DPA): https://realeyes.ai/terms-for-customers/
Privacy Policy: https://realeyes.ai/privacy-policy/

Our Company Data Protection Policy is available on request under NDA.

Which sub-processors do you use, and how are changes notified?

A current list of authorised sub-processors, organised by category and including international transfer safeguards, is maintained in Annex 1 (Data Processing Addendum), Section 3 of our Terms for Customers (https://realeyes.ai/terms-for-customers/). Sub-processor categories include cloud infrastructure providers, analytics and monitoring tools, and content delivery / network services. We notify customers of any new or replacement sub-processor at least 10 days in advance, with the right to object on data-protection grounds.

Where is VerifEye available, and in which languages?

VerifEye is available globally. The platform is hosted on AWS in three regions: EU (Ireland), US, and APAC (Singapore), with additional regions available on customer request. The end-user-facing surface (consent flows, instructions, and error messages) is delivered in English today and can be localised to any language on customer request as part of enterprise onboarding.

Which privacy regimes does your framework cover?

Our privacy framework is built to GDPR and CCPA standards, which together cover the substantive requirements of most major privacy regimes worldwide. Where customers operate in jurisdictions with specific additional requirements (for example BIPA in Illinois, India's DPDP Act, or Brazil's LGPD), we work with our legal counsel and customers to extend our standard DPA and consent flows accordingly.

What biometric data does VerifEye process?

VerifEye processes facial images and derived biometric data (face embeddings) for verification purposes. Embeddings are numeric vectors, not images, and are designed not to be reversible into a face; given published research on template inversion, the deletion controls below are what bound exposure. No images or embeddings are retained beyond the verification session unless the customer explicitly configures gallery storage.

How long is data retained?

Raw biometric inputs (facial imagery and video frames) are deleted immediately after the verification result is generated; no raw biometric data is persisted beyond the verification session. Derived embeddings are not retained unless the customer explicitly configures gallery storage for duplicate-detection or re-verification use cases, in which case retention is governed by the customer's configuration.

Operational data (session identifiers, telemetry, billing metadata) is retained for the duration of the Agreement and for the period necessary to meet applicable legal and tax obligations. Specific retention periods, deletion procedures, and post-termination obligations are set out in Section 8 of our Data Processing Addendum.
How is your training data sourced?

100% of Realeyes training data (18 million+ consented video recordings) is ethically sourced through our proprietary, consent-based data collection platform. Key safeguards: no web scraping, no social media images, no third-party datasets; explicit opt-in consent with right to withdraw at any time; Illinois residents explicitly excluded; and attention to demographic representation across age, gender, and skin tone.

Do you hold a SOC 2 Type II report?

Yes. Realeyes holds a current SOC 2 Type II report. A copy is available under NDA on request to your account contact.

Who issued the SOC 2 Type II report?

Yes. Our SOC 2 Type II report is issued by Sensiba LLP, an independent CPA firm and one of the Top 100 accounting firms in the United States. Sensiba is in good standing under the AICPA Peer Review Program and is regularly cited among the leading SOC 2 audit firms. The report is issued under SSAE 18 / AT-C 205 in conformance with the AICPA Trust Services Criteria.

Which Trust Services Criteria does the report cover?

The SOC 2 Type II report covers the Security and Availability trust service criteria, evaluated against AICPA standards.

Where is VerifEye hosted?

VerifEye cloud services are hosted on Amazon Web Services (AWS) and currently operate in three regions: EU (Ireland), US, and APAC (Singapore), giving customers broad regional coverage to meet their data residency, latency, or sovereignty requirements. Additional AWS regions can be enabled on customer request as part of enterprise onboarding. All hosting regions inherit AWS's underlying compliance certifications, including SOC 2, ISO 27001, ISO 27017, and ISO 27018.

Can VerifEye be deployed outside the Realeyes cloud?

Yes. VerifEye offers multiple deployment models: Cloud APIs hosted by Realeyes on AWS; On-device SDK running entirely on the end user's device (C++, Python, .NET); and On-premises deployed within the customer's own data centre. On-device and on-premises options mean biometric data never leaves the customer's environment.

How is data encrypted?

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) using AWS-managed encryption services. API keys are rotated on a defined schedule.

Is there API documentation?

Full REST API documentation is available at https://verifeye-docs.realeyes.ai/rest-api/. The API supports face retrieval, embedding generation, and similarity scoring with JSON request/response format.

Which SDKs are available?

VerifEye provides native SDKs for flexible integration: C++ SDK (primary), consisting of two header files, a library, and a model file; Python connector; .NET connector; and PyTorch export available on request. The SDK supports face detection, alignment, embedding extraction, and similarity scoring in a six-step pipeline, all built in-house with proprietary neural network architectures.

How is API access secured?

API access is secured via API keys issued per customer environment. Keys are scoped to specific services and can be rotated at any time through the customer portal.
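As an added illustration of what environment-bound, service-scoped keys with scheduled rotation look like on the server side (this is not VerifEye's key format, portal, or server code), the following model stores only a digest of the secret, compares it in constant time, binds each key to one environment and an explicit scope set, and keeps a rotated-out key valid for a short overlap window so clients can cut over without downtime. The token layout, scope names, lifetime, and overlap period are assumptions made for the example.

```python
"""Added example: server-side model of environment-bound, service-scoped API keys
with rotation overlap. Not VerifEye/Realeyes code; token format, scope names,
lifetimes and the overlap window are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def _digest(secret: str) -> bytes:
    # Secrets are ~256-bit random values, so a plain SHA-256 at rest is adequate
    # (no password-style KDF needed); only the digest is ever stored.
    return hashlib.sha256(secret.encode()).digest()


class KeyStore:
    def __init__(self):
        self._keys = {}  # key_id -> record; the raw secret is never stored

    def issue(self, environment, scopes, now, lifetime=timedelta(days=90)):
        """Mint a key bound to one environment and an explicit scope set."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # CSPRNG output
        self._keys[key_id] = {
            "environment": environment,
            "scopes": frozenset(scopes),
            "digest": _digest(secret),
            "not_after": now + lifetime,
        }
        # key_id travels in the clear so the server can look the record up.
        # token_urlsafe never emits '.', and environment names are assumed
        # dot-free, so splitting on '.' is unambiguous.
        return f"{environment}.{key_id}.{secret}"

    def rotate(self, token, now, overlap=timedelta(hours=24)):
        """Issue a successor with the same binding; the old key expires after `overlap`."""
        _, key_id, _ = token.split(".", 2)
        old = self._keys[key_id]
        old["not_after"] = min(old["not_after"], now + overlap)
        return self.issue(old["environment"], old["scopes"], now)

    def revoke(self, token, now):
        """Immediate revocation: the key is expired as of `now`."""
        _, key_id, _ = token.split(".", 2)
        self._keys[key_id]["not_after"] = now

    def authorize(self, token, environment, scope, now):
        """Return (ok, reason); every failure path is an explicit, named check."""
        try:
            env, key_id, secret = token.split(".", 2)
        except ValueError:
            return False, "malformed"
        rec = self._keys.get(key_id)
        if rec is None:
            return False, "unknown-key"
        # Constant-time comparison of the presented secret's digest with the stored one.
        if not hmac.compare_digest(_digest(secret), rec["digest"]):
            return False, "bad-secret"
        if env != rec["environment"] or environment != rec["environment"]:
            return False, "wrong-environment"
        if now >= rec["not_after"]:
            return False, "expired"
        if scope not in rec["scopes"]:
            return False, "out-of-scope"
        return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = KeyStore()
    key = store.issue("prod", {"embeddings", "similarity"}, t0)
    print(store.authorize(key, "prod", "embeddings", t0))        # (True, 'ok')
    print(store.authorize(key, "prod", "face-retrieval", t0))    # (False, 'out-of-scope')
    successor = store.rotate(key, t0 + timedelta(days=30))       # old key valid 24h more
    print(store.authorize(key, "prod", "embeddings", t0 + timedelta(days=31)))        # expired
    print(store.authorize(successor, "prod", "embeddings", t0 + timedelta(days=31)))  # (True, 'ok')
```

The overlap window is the part practitioners most often get wrong: with no overlap, rotating through a portal invalidates every running client at the same instant; with an unbounded overlap, "rotation" never retires the old secret. Checking the secret before the environment and scope also means a key leaked from staging cannot be probed against production to learn which scopes it carries.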
How is matching accuracy validated?

Matching accuracy is validated through two complementary benchmarks and external enterprise evaluation. We test on the industry-standard IJB-C benchmark (designed by the same research team responsible for NIST FRVT) and on our proprietary Realeyes Test Dataset, 880× larger than IJB-C and constructed to reflect challenging real-world conditions. Both benchmarks cover 1:1 verification (FAR/FRR at multiple operating points) and 1:N verification (Rank-1 accuracy), with VerifEye exceeding state-of-the-art on every metric. Results are further validated by a multi-month evaluation by a major social media platform customer, benchmarking VerifEye against top market providers.

Detailed per-benchmark results and methodology are documented in the Realeyes Face Verification Technical Whitepaper, available under NDA as part of our enterprise due diligence package.

How robust is VerifEye to poor image quality?

VerifEye is built for real-world capture conditions rather than controlled laboratory environments. The model has been extensively tested against the image quality degradations most common in production deployments, including JPEG compression, motion blur, partial facial occlusion (eyeglasses, sunglasses, and obstructions of the eyes, nose, or mouth), and head pose variations up to profile angles.

Under single-image degradation, the most realistic verification scenario, where a high-quality gallery image is matched against a variable probe, false positive rates remain low, with only modest reductions in true positive rates. This robustness derives from training on in-the-wild data that naturally captures the variation in camera type, resolution, and capture quality found in real deployments, rather than from synthetic augmentation. Detailed per-degradation analysis is documented in the Realeyes Face Verification Technical Whitepaper, available under NDA as part of our enterprise due diligence package.

How is demographic fairness validated?

Demographic fairness is a first-class concern in VerifEye's development. Our evaluation methodology aligns with NIST FRVT and ISO/IEC 19795-10, and is validated through three layers: a public comparative benchmark (RFW), where VerifEye achieves both the highest average accuracy and the lowest standard deviation across demographic groups of all published models in the comparison set; an internal benchmark with low standard deviation across age, gender, and skin tone groups, indicating consistent performance across all demographics; and external enterprise validation, including a multi-month evaluation by a major social media platform customer benchmarking VerifEye against top market providers, in which VerifEye was selected on the basis of accuracy and fairness performance.

Detailed per-group performance data is documented in the Realeyes Face Verification Technical Whitepaper, available under NDA as part of our enterprise due diligence package.
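To make the metrics named in the accuracy and fairness answers above concrete, here is an added worked example (not VerifEye or Realeyes code, and not their benchmark harness) that computes FAR/FRR at an operating point, fits a threshold to a target FAR, measures 1:N Rank-1 accuracy, and reports the standard deviation of FRR across groups. It assumes cosine similarity over unit-length embeddings and runs on constructed random vectors with made-up group labels; the page only states that the API returns a similarity score and that fairness is assessed by spread across demographic groups.

```python
"""Added example: 1:1 (FAR/FRR) and 1:N (Rank-1) verification metrics plus
per-group FRR spread, over constructed embeddings.

Not VerifEye/Realeyes code. Assumptions: cosine similarity as the score,
synthetic unit-vector embeddings, and made-up demographic group labels.
"""
import math
import random
from statistics import pstdev


def cosine(a, b):
    """Cosine similarity; equals the dot product when both vectors are unit length."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm


def score_pairs(gallery, probes):
    """Score every probe against every gallery entry.

    gallery: {identity: embedding}; probes: [(identity, embedding), ...].
    Returns (genuine_scores, impostor_scores): same-identity vs cross-identity pairs.
    """
    genuine, impostor = [], []
    for pid, pvec in probes:
        for gid, gvec in gallery.items():
            (genuine if gid == pid else impostor).append(cosine(pvec, gvec))
    return genuine, impostor


def far_frr(genuine, impostor, threshold):
    """1:1 operating point: FAR = impostors accepted, FRR = genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(impostor, target_far):
    """Lowest threshold whose measured FAR on this impostor set is <= target_far.

    At most `allowed` impostors may pass, so the threshold sits just above the
    next-highest impostor score (ties only make the result more conservative).
    """
    ranked = sorted(impostor, reverse=True)
    allowed = int(target_far * len(ranked))
    if allowed >= len(ranked):
        return -1.0  # every impostor may pass: accept everything
    return math.nextafter(ranked[allowed], math.inf)


def rank1(gallery, probes):
    """1:N identification: fraction of probes whose top-scoring gallery entry is their own."""
    hits = sum(max(gallery, key=lambda gid: cosine(pvec, gallery[gid])) == pid
               for pid, pvec in probes)
    return hits / len(probes)


def per_group_frr(gallery, probes, groups, threshold):
    """FRR per group and the standard deviation across groups (lower spread = fairer)."""
    by_group = {}
    for pid, pvec in probes:
        by_group.setdefault(groups[pid], []).append(cosine(pvec, gallery[pid]))
    frr = {g: sum(s < threshold for s in sc) / len(sc) for g, sc in by_group.items()}
    return frr, pstdev(list(frr.values()))


def make_dataset(n_ids=40, dim=64, noise=0.1, seed=1):
    """Constructed data: one gallery embedding per identity and one noisy probe of it."""
    rng = random.Random(seed)

    def unit(v):
        n = math.sqrt(sum(x * x for x in v))
        return [x / n for x in v]

    gallery, probes, groups = {}, [], {}
    for i in range(n_ids):
        ident = f"id{i:03d}"
        g = unit([rng.gauss(0, 1) for _ in range(dim)])
        gallery[ident] = g
        probes.append((ident, unit([x + rng.gauss(0, noise) for x in g])))
        groups[ident] = "ABC"[i % 3]  # synthetic group label, not a real attribute
    return gallery, probes, groups


if __name__ == "__main__":
    gallery, probes, groups = make_dataset()
    genuine, impostor = score_pairs(gallery, probes)
    thr = threshold_for_far(impostor, 0.001)  # operating point: FAR <= 0.1%
    far, frr = far_frr(genuine, impostor, thr)
    print(f"threshold={thr:.3f} FAR={far:.4f} FRR={frr:.4f}")
    print(f"rank-1 accuracy={rank1(gallery, probes):.3f}")
    print("per-group FRR and spread:", per_group_frr(gallery, probes, groups, thr))
```

Two cautions when reading vendor numbers with this in hand: threshold_for_far fits the threshold on the same impostor set it is then scored against, so a fair evaluation sets the operating point on one split and reports FRR on another; and a low FRR spread across groups at one threshold says nothing about FAR spread, so ask for both per group.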
Is liveness detection independently certified?

Yes. VerifEye's liveness layer incorporates presentation attack detection (PAD) technology that has been independently tested and certified against ISO/IEC 30107-3 to iBeta PAD Level 1 and Level 2 by iBeta Quality Assurance, a NIST/NVLAP-accredited biometrics testing laboratory. Level 1 covers presentation attack instruments such as printed photographs and video replays; Level 2 extends coverage to higher-fidelity attacks including 3D masks and lifelike replicas.

Component-level certification details, including the specific tested configurations, are available under NDA as part of our enterprise due diligence package.

What availability do you commit to?

Realeyes commits to at least 99.5% availability for the VerifEye cloud APIs. Real-time and historical availability is published on our public status dashboard at https://realeyes-verifeye.betteruptime.com/. Specific availability measurement, exclusions, and remedies are set out in the customer SLA.

How are service interruptions handled?

Service interruptions are categorised by priority (Critical, Significant, and Other) with Response Time, Restore, and Resolve targets defined per priority level in the customer SLA. Critical interruptions (loss of access or significant operational impact) receive the fastest response, including best-effort work outside Support Hours.

If Realeyes fails to meet the Availability commitment in a given month, customers are entitled to a Service Credit calculated pro-rata against the Monthly Fee for the actual hours of Service Interruption. Specific response targets, credit calculations, and termination rights for repeated failures are set out in the customer SLA.

How is the service monitored and supported?

Realeyes operates a publicly accessible status dashboard (https://realeyes-verifeye.betteruptime.com/) providing real-time and historical availability metrics and incident history, with internal AWS CloudWatch monitoring for real-time alerting on API latency, error rates, and availability. Customer support is available via a dedicated Slack channel and email, with best-effort response outside Support Hours for Critical issues.

Do you have a dedicated security team?

Yes. Security at Realeyes is led by a nominated Security Officer, with dedicated responsibilities embedded in our SysOps, Engineering, and Architecture functions. Per-team Security Officers are appointed within engineering teams to handle vulnerability triage and incident escalation, and the program is audited under SOC 2 Type II. Specific team composition and headcount can be shared under NDA as part of our enterprise due diligence package.

Is there a named Security Officer?

Yes. A Security Officer is formally nominated and named in our 2026 SOC 2 documentation, with explicit accountability for the design, enforcement, and oversight of our Information Security Program.

Are security roles and responsibilities documented?

Yes. Security roles and responsibilities are explicitly documented across our Information Security Policy, Incident Response Plan, Risk Assessment Policy, and supporting RACI documents.
What secure development controls are in place?

Our SDLC Security Controls include: all code deployed on corporate or hosted infrastructure must address vulnerabilities covered by SANS and OWASP; code changes require peer review by individuals trained in secure coding and code review techniques; production, development, and test environments are separated with appropriate controls; production data is never used in dev/test; and all production changes follow change control with human approval.

Training: anyone writing or supporting code for internet-facing or customer-data-handling applications must complete annual secure coding training covering OWASP development principles and the OWASP Top 10.

Vulnerability Management: the Security Officer and engineering team leads run comprehensive scans of publicly accessible code and infrastructure using tools including Drata agents, Intune endpoint management, AWS Inspector, Google Cloud Security Scanner, and GitHub security features.

Responsible Disclosure: Realeyes operates a responsible disclosure program. External vulnerability reports submitted to verifeye@realeyes.ai are acknowledged, triaged by our Security Officer, and tracked through the same vulnerability management process as internal findings.

How is access controlled?

Realeyes enforces role-based access control (RBAC) following the principle of least privilege. Multi-factor authentication is mandatory for all administrative access to production, cloud, and SaaS systems. All users are assigned unique credentials with strong password requirements. Access is granted, modified, or revoked based on job role and responsibilities, with segregation of duties considered. Access reviews are conducted periodically by the Security Officer, and any access that doesn't align with least privilege is promptly remediated.

Do you have an Incident Response Plan?

Yes. Realeyes maintains a documented Incident Response Plan (IRP) that covers detection, investigation, containment, resolution, and post-incident review. In the event of a data breach affecting customer data, relevant parties are notified in accordance with applicable data protection regulations.

Do you have Business Continuity and Disaster Recovery Plans?

Realeyes maintains a documented Business Continuity Plan (BCP) and a separate Disaster Recovery Plan (DRP). The BCP defines procedures for continuing operations during disruptions and is simulated and tested at least annually. The DRP covers technical recovery of systems and data, including defined RTO and RPO targets for all critical infrastructure components. Both plans were reviewed under our SOC 2 Type II audit with no exceptions noted.

Do you perform penetration testing?

Yes. Realeyes maintains a multi-layered security testing and monitoring program. Penetration testing is performed against our endpoints as part of our SOC 2 audit, with additional third-party testing available on customer request as part of a scoped engagement.

Between formal assessments, we run continuous monitoring across our code dependencies, endpoints, and cloud infrastructure, with automated alerting to the relevant teams. Findings are tracked to remediation through our Vulnerability Management Policy with defined severity-based SLAs. Further details are available under NDA as part of our enterprise due diligence package.

Security & Privacy Questions?

Talk to our team about your specific compliance requirements, data residency needs, or technical implementation.