REGULATORY COMPLIANCE · GDPR
Every data subject right is operationally supported, not just written into a policy
Biometric data and identity documents are Article 9 special category personal data under GDPR, the most tightly regulated data category in EU law. Shufti processes this data under a documented legal basis, retains it only as long as you configure, and operationally supports every data subject right your users may exercise. Shufti's GDPR Data Processing Agreement (DPA) is included in the standard enterprise contract, not an optional add-on.
What GDPR Covers
GDPR applies to any organisation processing personal data of EU residents. It distinguishes between standard personal data and special category data, each with different obligations. For identity verification providers, this distinction is critical.
Standard Personal Data
Name, email address, phone number, and IP address, regulated under GDPR Articles 5 and 6. Processing requires a lawful basis, reasonable security measures, and support for data subject rights. Most SaaS platforms operate under this category.
Article 9 Special Category Data
Biometric data used to uniquely identify a person, facial images, and identity document data form the most tightly regulated GDPR category. Processing requires explicit consent or a legal obligation as its basis, stricter security controls, mandatory data minimisation, full data subject rights support, and a documented Data Processing Agreement before any processing begins.
Why It Matters
Supervisory authorities, including Italy's Garante, Ireland's DPC, and France's CNIL, have specifically investigated digital onboarding flows where verification providers retained biometric data beyond necessity, lacked a documented processing basis, or could not operationally support data subject rights. Enforcement actions followed against the businesses that contracted with those providers.
When a user exercises their right to erasure
Your team needs to operationally deliver it, not just acknowledge it. Shufti's API and admin console let you trigger deletion of individual verification records and receive a deletion confirmation as your audit evidence.
EUR 1.2B+
GDPR enforcement fines, 2023-2024, with biometric data in onboarding flows a specific focus. The liability sits with the controller, which is you. Shufti's DPA and deletion controls are how you close that exposure.
How Shufti Maintains It
Shufti's GDPR documentation package includes: the Article 28-compliant DPA, the sub-processor register (updated within 30 days of any change), the data retention and deletion policy, and technical documentation of how data subject rights are operationally supported. All of it is available on request before you sign a contract.
EU-resident data is processed on EU infrastructure. UK-resident data is processed under UK GDPR. US and APAC regional deployments are available for non-EU data flows.
Certification Details
Legal basis
GDPR Article 28 (processor); Article 9(2)(a) or 9(2)(b) processing basis configured by controller.
Included as standard
GDPR-compliant DPA in every enterprise contract, no separate negotiation required.
Data residency
EU infrastructure for EU flows; UK, US, APAC regional options available.
Data subject rights
Erasure, access, and portability supported via API and admin console with audit log confirmation.
What you get
DPA, sub-processor register, retention policy, and deletion documentation, available pre-contract.
