Shufti Pro aims to bring the global businesses onboard in a way that covers all the legal intricacies, making the virtual marketplace a secure and safe place, through quick, real-time and accurate identity verification services. All the information we acquire from the clients and the end-users is used to help us with our operation.
Data acquisition and Identity Verification Process
Shufti Pro requires particular information from the end-users or clients (depending on whether it is an on-site or off-site verification) in order to perform Identity and document verification services. Personally Identifiable Information (PII Data) is collected, which includes name, contact information (email ID and phone number), DoB and any other information required to carry out the verification checks chosen by Shufti Pro’s client. For instance, if the client selects the Face Verification service, we will also collect the image (selfie) or video (short clip showing user’s face) proof from the user. If they (the client) opts for document verification, then we would require an image or video of the desired document from bot, the front and the back side of the document. Akin to this, if the client selects AML Screening service, we require the user’s Name and DoB for running them against the AML databases, sanctions, and watchlists. Shufti Pro’s Identity Verification Process describes what information we collect, how we collect it and when we collect it.
Shufti Pro’s Clients
Our Clients are enterprises, companies, institutions, and businesses that have opted for identity verification services from Shufti Pro’s KYC and AML Suite. The information we collect from the clients includes their Full Name, Company Email, Phone Number, Company Name, Company Website, Country, Verification Volume, Industry, and any other information required to set up their accounts, with reference to the services they select, and the users they wish to verify. Depending on the type of verification process selected, i.e. onsite or offsite, the data is collected directly from the end-users or the clients. In case if it is from the clients, they take the information and image and video proofs from the end-users and pass the data to us via the API. Shufti Pro will verify only the information that has been provided by the end-users. In case the clients don’t provide certain information required for the selected services, the missing information is collected from the end-users via OCR technology. They end-users will be asked to show their documents in real-time so relevant information may be extracted from them. Furthermore, if the end-user fails a certain check, the verification process ends. This is to ensure that the client’s verification balance is not wasted if the user is not verified.
The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
The end-users are our client’s customers, whose identities we verify, documents we authenticate and run against AML lists and databases. Depending on the service type, i.e. onsite or offsite, Shufti Pro either collects end-user’s verification data from the clients or the end-users themselves. This data includes but is not limited to the images/videos of the end user’s identity documents (e.g. passport, ID card, driving license or credit/debit card), their biometric facial identifiers (e.g. face images/videos). We also require textual information that is either extracted directly from the end-user’s identity particulars or is provided by the end-user at each step. In the latter case, that data is compared to the information present on the identity particulars, using the template matching and computer vision-based techniques. If the face image of the end-user is compared to the photograph present on their identity documents, using facial recognition mechanism. By screening the end-user against the AML lists and databases, Shufti Pro ensures that we let through no fraudster, criminal, imposter, or any person associated or convicted of the cyber crime, helping us further combat breaches, violations, and infraction of intellectual property laws.
Data Usage for Identity Verification
Shufti Pro believes in secure online marketplace/trading and aims to provide a full proof identity verification solution to businesses, startups, enterprises, legal and financial entities. To do this, we need to collect, store, process and provide the necessary information in order to provide our KYC and AML services. Here’s how it works:
A verification request is Accepted
If the end-user passes all of the checks pre-set by the client, the verification request status becomes ‘Accepted’. Shufti Pro sends these results to the client through the API. These results are also available to the client in the back-office management system, along with complete verification details (e.g. end-user’s personal information, image/video proofs, any .pdf reports, and AML results). The end-user is also shown the verification status after the process completes.
A verification request is Declined
In cases where the end-user is not verified and the verification status is ‘Declined’, we send these results to the client through the API, as well as the back office management system. The results show which checks the end-user passed and at which check they failed. The verification ends at the failed check. The complete verification details (e.g. end-user’s personal information, image/video proofs, any .pdf reports, and AML results). The end-user is also shown the verification status after the process completes.
When it comes to staying ahead of the curve in the IDV industry, we believe doing the maximum to provide our clients with market-best services. Here are the steps Shufti Pro takes for the said purpose:
- Using computer vision and machine learning techniques, we continually train our artificial intelligence systems to recognize and verify a wider range of identity documents from around the globe.
- We train our machine learning algorithms to verify the authenticity of new documents, recognize the text present on them and extract it, match that text using template matching techniques, recognize if the document is original or counterfeit, forged or photoshopped and photocopied or tampered with.
- Whenever we come across any fraudulent user, we make sure that we store the documents and images they presented, in our databases.
- We then use that data stored in (3) to better train our system to detect any similar case which may present itself in the future.
- We train our Human Intelligence officers to effectively be a part of the dentity verification process.
With all these practices in place, Shufti Pro becomes a safe and secure e-KYC and AML solution, helping clients to onboard users safely.
Shufti Pro makes use of the information collected, processed and stored during any and each step of the Identity Verification process on client’s request for our services in order to verify their users for a legitimate purpose. We ensure that the client’s business is completely legal and the information collection and usage is aligned with the end-user’s absolute consent. Our process is completely transparent; the end-user is informed which of their information will be used and for what purpose. Only once the end-user consents to the process, do we start verifying their identity.
Information flow beyond Shufti Pro
Shufti Pro may disclose the information provided by you (end-user or client) to any member of our group of companies (this means our subsidiaries, our ultimate holding company, and all its subsidiaries) insofar as reasonably necessary for the purposes set out in this policy.
- Insofar as we act as a data processor rather than a data controller, this policy shall not apply. Our legal obligations as a data processor are instead set out in the contract between us and the relevant data controller (our client).
- As explained above, Shufti Pro shares information with clients and end-users only. However, verification data may travel outsite the EU for the purposes of Human Intelligence Checks that serve as an essential part of the Identity Verification Process. This data may be seen and processed, but not stored anywhere outside the European Economic Area (EEA). We have our office in the United Kingdom and provide services in 150+ countries. The hosting facility for our website is situated in the United Kingdom. The European Commission has made an “adequacy decision” with respect to the data protection laws in this country.
- Shufti Pro shares end-users’ information with internal parties, organizations and entities, located outside the EU. This is done as part of our commitment to provide accurate Identity and document verification services. Nevertheless, if the client is situated in a country or region, where the laws do not allow for the data to travel outside the EU, keeping that in perspective, we provide the client with an option to forego the Human Intelligence checks, relying solely on the results detected and compiled by the Artificial Intelligence System.
- We may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
- We may disclose your personal information to our clients insofar as reasonably necessary for verification of your identity and documents and any legal purpose.
- Financial transactions relating to our website and services are handled by our payment services provider, Stripe. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments. You can find information about the payment services providers’ privacy policies and practices at Stripe: https://stripe.com/us/privacy.
- In addition to the specific disclosures of personal data set out in this Section, we may also disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Setting these rules in place helps Shufti Pro to effectively bring the legal entities, financial institutions, payment processors and global businesses safely online.
Data Storage and Retention
Shufti Pro acquires and stores the information provided by its clients and end-users during for the purposes of Identity and Document Verification. Being the data processor of millions of users comes with certain responsibility and liability on our part. For this reason, our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data. Below are the terms outlined for this section:
- Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- We will retain and delete your personal data as follows:
- Personal data category will be retained for two (2) years following December 1, 2017, at the end of which period it will be deleted from our systems.
- In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
- The period of retention of your personal information including any data, images, videos and/or private information will be determined based on the need for their presence in our system owing to any legal reasons or for the betterment of our website or services.
- Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Shufti Pro ensures data security through adequate measures to minimize the likelihood of data breaches, whether pre-emptive or post. Data breaches and protection of data itself come under the wider umbrella of the data lifecycle.
Additionally, observing the GDPR regulations, secure auditory practices are carried out to ensure standardized operations and encryption practices. New techniques are continually implemented in order to keep our Data Security ahead of the curve.
For more information about Shufti Pro’s data security, data protection and policy in case of data breaches, read our Ultimate Guide to GDPR Compliance. If you feel like you have encountered a shortfall in our policy or a security breach in Shufti Pro’s system, reach out to us on email@example.com, for adequate error reporting.
If you would like to access any personal information we hold about you; provision of such information will be subject to:
- The payment of a fee (currently fixed at GBP 10), and
- The supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
We may withhold personal information that you request to the extent permitted by law. In addition, you may request us, at any time, to not process your personal information for marketing purposes. In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.
For more information about your rights, please read the “Data Subject Rights – Consent Management” section of our GDPR e-book. In case of any query or concern, voice your thoughts at firstname.lastname@example.org.