Security & Data Retention
Effective date: 15 June 2026
This Security & Data Retention document describes the high-level technical, organizational, storage, and retention practices applied by IDEEVY to its standard identity document verification service. It is intended to provide Business Customers with a practical overview of how verification data is protected and retained.
For the purposes of this document, “IDEEVY”, “we”, “us” and “our” refer to INTEGRITYTECH HK LIMITED. This document should be read together with the IDEEVY Privacy Policy, Terms of Service, Data Processing Addendum, and End-User Verification Notice.
1. Scope of this document
This document applies to IDEEVY’s standard identity document verification service available through ideevy.com, related dashboards, APIs, and verification workflows. The standard service is focused on identity document verification and does not include full KYC decisioning, AML screening, sanctions screening, PEP screening, adverse media screening, facial recognition, selfie checks, liveness checks, or biometric template creation unless a separate written agreement expressly provides otherwise.
The data covered by this document may include identity document images, extracted document data where used for IDV, verification results, verification status, reason codes, timestamps, customer/project/session identifiers, IP address, device or browser metadata, audit records, and technical service logs related to the verification workflow.
2. Standard IDV data model
IDEEVY’s standard service is designed to verify identity documents, not to identify individuals through biometric comparison. The verification workflow may involve checking document image quality, detecting document type and issuing country, reading document fields, validating machine-readable zones or similar document structures where available, and returning a verification result to the Business Customer.
IDEEVY does not collect selfies, does not perform liveness checks, does not perform face matching, does not perform facial recognition, and does not create or store biometric templates as part of the standard service.
3. Data retention
Verification Records are retained for up to one year from the date of verification, unless a shorter retention period is configured or agreed with the Business Customer, or a longer period is required for legal, dispute, security, fraud prevention, abuse prevention, or service protection reasons.
For the purposes of this document, “Verification Records” may include identity document images, extracted document data, verification status, verification result, reason codes, timestamps, customer/project/session identifiers, related audit records, and technical metadata connected to the verification session.
Where deletion is requested or required, IDEEVY will apply deletion according to the applicable agreement, product configuration, and operational deletion processes. Backups, security logs, and archival copies may be removed according to ordinary backup rotation, logging, and retention cycles, unless earlier deletion is technically feasible and required by applicable law or agreement.
4. Storage location and cross-border processing
Where reasonably possible, IDEEVY aims to store and process verification data in the user’s country or region, or in a location consistent with the Business Customer’s configuration and applicable data protection requirements.
However, storage or processing may occur in other jurisdictions where IDEEVY, its infrastructure providers, or service providers operate. Cross-border storage or processing may depend on infrastructure availability, product configuration, support requirements, security controls, service continuity, legal obligations, and operational requirements.
Where required, IDEEVY uses appropriate contractual, technical, and organizational safeguards designed to protect verification data in connection with cross-border processing.
5. Security measures
IDEEVY applies commercially reasonable technical and organizational measures designed to protect Verification Records against unauthorized access, loss, misuse, alteration, and disclosure. These measures are based on commonly accepted security practices for cloud-based software and API services.
Security measures may include encrypted storage, encryption in transit, access controls, least-privilege access, restricted staff access, authentication controls, audit logging, infrastructure monitoring, backup processes, confidentiality obligations, vendor controls, and internal security procedures.
No internet-based or cloud-based service can be guaranteed to be completely secure. IDEEVY does not represent that the service is immune from all security risks, but it maintains controls designed to reduce risk and protect the confidentiality, integrity, and availability of the service.
6. Encryption and transmission
Verification data is transmitted using secure communication protocols where supported and appropriate. IDEEVY uses encrypted storage for identity document images and other Verification Records stored by the standard service.
Business Customers are responsible for using secure integrations, protecting API credentials, configuring webhook destinations securely, and ensuring that their own systems, applications, and personnel handle verification data in a secure manner.
7. Access controls
Access to Verification Records is restricted to authorized personnel and systems with an operational need to access such data. Access may be required for service delivery, customer support, maintenance, troubleshooting, security investigation, dispute handling, abuse prevention, legal compliance, or protection of the service.
IDEEVY applies access controls, role-based restrictions where appropriate, and internal confidentiality obligations. Access to sensitive verification data is limited and may be logged or monitored where appropriate.
8. Audit records and service logs
IDEEVY may maintain audit records and technical service logs to support security, troubleshooting, verification history, dispute handling, service integrity, abuse prevention, and operational continuity.
Audit records and technical logs are part of the Verification Record where they are directly connected to a verification session, and are subject to the retention approach described in this document unless a different retention period is required for legal, security, fraud prevention, abuse prevention, or service protection reasons.
9. Service providers and infrastructure
IDEEVY may use infrastructure, hosting, storage, monitoring, security, communication, support, and document-processing service providers to deliver and protect the service.
IDEEVY does not publish a full public list of infrastructure and security vendors for operational security reasons. Relevant information about service providers and subprocessor categories may be made available to Business Customers upon request, subject to appropriate confidentiality and security considerations. See also Subprocessors & Infrastructure.
Where IDEEVY uses service providers to process Verification Records, IDEEVY applies contractual or organizational controls intended to ensure that such providers process data only as necessary to provide their services to IDEEVY.
10. Incident response
IDEEVY maintains incident response processes designed to identify, assess, contain, investigate, and respond to security incidents affecting the service.
Where a security incident affects Customer Personal Data or Verification Records in a way that requires notification under applicable law or agreement, IDEEVY will notify affected Business Customers without undue delay after becoming aware of the incident and assessing its relevant impact.
Business Customers are responsible for notifying End Users, regulators, or other third parties where such notification is required and where the Business Customer is responsible for the relevant processing activity.
11. Customer responsibilities
Security is a shared responsibility. Business Customers are responsible for maintaining the security of their own systems, accounts, users, integrations, API keys, credentials, webhook endpoints, and internal access controls.
Business Customers must ensure that they have a lawful basis to submit identity documents to IDEEVY, provide appropriate notices to End Users, submit only data that is necessary for the verification workflow, and configure retention or deletion settings where such settings are available.
Business Customers should promptly notify IDEEVY of suspected unauthorized access to their account, API credentials, webhook endpoints, or other integration components that may affect the security of the service.
12. Changes to this document
IDEEVY may update this Security & Data Retention document from time to time to reflect changes in the service, security practices, retention practices, legal requirements, infrastructure, or operational needs. The updated version will be posted on ideevy.com with a revised effective date.
13. Contact
Questions about this document may be sent to legal@ideevy.com or privacy@ideevy.com.
INTEGRITYTECH HK LIMITED
Company Registration Number: 3339122
Business Registration Number: 75921776
Room 905, Block 2, Cyberport, 100 Cyberport Road, Hong Kong