Doc Scan is a business product allowing customer organisations to quickly, easily, and securely verify or authenticate their own customers or users. It involves these individuals taking a photo of their ID document. Customer organisations can also request a face match. Customer organisations can also use the product for age checks, based on the date of birth on a document.
What data does Doc Scan collect?
The ID or other document requested by the customer organisation doing the identity check, and the photo of the individual. A face match is done to make sure the ID document belongs to the individual, and checks make sure they are a real person.
There is more information on biometrics later in this document.
What data does Doc Scan store?
The details from each identity check and the result. The default storage is one week, but customer organisations can customise this. The shortest storage time we can offer is 24 hours and the longest is three years.
Doc Scan SDK / API: The information and check results are sent to the customer organisation.
What is the lawful basis?
The service is a data processor for Doc Scan. Customer organisations will decide the lawful basis (if required under EU/UK privacy law). If a customer organisation chooses to include the face match option or is in a jurisdiction that considers the liveness check to be biometrics, there is a consent step built into the flow.
How does Doc Scan meet transparency requirements?
The user interface is designed so that it is clear what information is being requested. It also contains information on the different steps, and what they are for. Customer organisations can also just use our API and build their own front end. Customer organisations are responsible for providing relevant information to their end users / customers on the ID checks they require that involve Doc Scan.
How does Doc Scan comply with individual privacy rights?
The Doc Scan SDK / API is self-serve, so customer organisations have the information in their own systems and can retrieve it during the agreed storage period. For the identity-as-a-service platform, customer organisations can find and view data.
Customer organisations can delete the entire session (which will remove the results of the checks) and will also be able to remove the media / user data in each section.
The main datacentres are in the UK. There are also two Security Centres which verify individuals and documents. One is in the UK and one is in India. Some customer organisations choose to only have automated checks and not include the Security Centre human review step.