POY Verify is built on zero-data architecture. Your biometrics never leave your device. We cannot see, store, or sell what we never collect.
POY Verify processes all biometric analysis on-device using the hardware Secure Enclave built into modern smartphones and computers. Personal data never touches our servers - not during verification, not after, not ever.
POY Verify achieves compliance through architecture, not through policy workarounds. When you never collect the data, most regulations are satisfied by default.
No biometric data on servers means no personal data to protect, export, or delete. Data minimization is not a policy - it is the architecture itself.
BIPA requires consent before collecting biometric identifiers. POY never collects biometric data at all - processing happens entirely on-device in the Secure Enclave.
Minimal data processing with no personal information collected. There is nothing to sell, share, or disclose because we never have it.
POY's zero-data model aligns with HIPAA requirements for healthcare identity verification. No Protected Health Information (PHI) is ever processed or stored by POY servers.
POY's cryptographic verification aligns with NIST Identity Assurance Level 2 (IAL2) requirements using hardware-bound credentials and liveness detection.
POY's content stamping capabilities support EU AI Act requirements for marking AI-generated content and proving human-created content authenticity.
SOC 2 Type II certification is on our roadmap. While our zero-data architecture inherently satisfies many SOC 2 controls, we are pursuing formal certification for enterprise customers.
Every layer of POY Verify is designed with security as a constraint, not a feature. From cryptographic primitives to hardware isolation, the system is built to be trustworthy even if you trust no one.
All verification signatures use ECDSA on the NIST P-256 curve - the same standard used by Apple, Google, and government systems. Keys are generated and stored in hardware.
Verification results and content stamps are hashed using SHA-256. Hashes are one-way - they confirm authenticity without revealing the original input data.
Biometric processing happens inside the device's hardware security module. Keys never leave the enclave. Even if the OS is compromised, the enclave remains isolated.
A unique key pair is derived for each platform using HD key derivation. Your identity on Platform A cannot be linked to Platform B - not even by POY.
POY supports WebAuthn and FIDO2 passkeys for passwordless authentication. Hardware-bound credentials eliminate phishing and credential stuffing attacks.
Verification API responses complete in under 50 milliseconds. Low latency means real-time verification without degrading user experience in production applications.
Most identity verification platforms collect and store sensitive personal data on their servers. POY Verify takes a fundamentally different approach.
| Data Type | Traditional KYC | Biometric Platforms | POY Verify |
|---|---|---|---|
| Full Name | Collected & stored | Often collected | Never collected |
| Email / Phone | Required | Required | Never collected |
| Facial Images | Stored on servers | Stored on servers | On-device only |
| Biometric Templates | Server-side storage | Server-side storage | Never leaves device |
| Government ID | Scanned & stored | Sometimes required | Never required |
| IP Address | Logged | Logged | Not logged |
| Location / GPS | Tracked | Often tracked | Never tracked |
| Device Fingerprint | Full fingerprint | Full fingerprint | Device class only |
| Cross-Platform Linking | Linked by PII | Linked by biometrics | Unlinkable (HD keys) |
| Breach Exposure Risk | High - PII + documents | High - biometric data | Minimal - hashes only |
Transparency is not optional. We are committed to independent verification of our security claims.
POY Verify is actively engaging independent security firms to conduct penetration testing, architecture review, and cryptographic audit of our verification system. Results will be published here upon completion.
Our zero-data architecture significantly reduces the attack surface compared to traditional identity platforms. Even so, we believe trust must be verified - not assumed.
STATUS: INDEPENDENT REVIEW IN PROGRESS
We take security vulnerabilities seriously and appreciate the work of researchers who help us keep POY Verify secure.
If you have discovered a security vulnerability in POY Verify, please report it responsibly. We ask that you give us reasonable time to investigate and patch before public disclosure.
Please include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept code. We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
security@proofofyou.com
Common questions about how POY Verify handles security, privacy, and compliance.
Questions about our security architecture? Want to discuss enterprise compliance requirements?