GDPR Compliance
Verify AI is built with privacy at its core. Our architecture gives you full control over how and where data is processed, making GDPR compliance straightforward whether you operate in the EU or serve EU customers.
Your Role, Our Role
You (Our Customer)
As the data controller, you determine the purposes and means of processing. You decide what images are submitted, what metadata is included, and how verification results are used.
- Define processing purposes
- Determine data retention needs
- Handle data subject requests
- Maintain records of processing
- Conduct DPIAs where required
Verify AI (Switch Labs)
As the data processor, we process personal data only on your instructions and in accordance with our Data Processing Agreement. We implement appropriate technical and organizational measures.
- Process data per your instructions
- Maintain security measures
- Notify you of data breaches
- Support your compliance obligations
- Delete data upon contract termination
How We Protect Your Data
GDPR compliance is not an afterthought — it is built into every layer of our architecture.
Privacy by Design
Our on-device processing mode ensures images never leave the user's phone. No data transmission means no cross-border transfer concerns and GDPR compliance by architecture, not policy.
Data Minimization
We only process and store the minimum data necessary. Verification images are retained only for the period required by your use case, with configurable retention policies and automatic deletion.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are hashed and never stored in plaintext. Signed URLs for image access expire after one hour.
Automatic Face Blurring
Built-in face detection automatically blurs identifiable faces before any processing or storage occurs. In on-device mode, face detection uses platform-native APIs (Apple Vision, Google ML Kit) and runs entirely on the phone.
Data Subject Rights
We provide APIs and dashboard tools to support right of access, right to erasure, right to rectification, and data portability requests. Your customers' data subjects can exercise their rights seamlessly.
Data Processing Agreements
We provide a comprehensive DPA that covers all GDPR Article 28 requirements, including processing purposes, data categories, sub-processor lists, security measures, breach notification, and deletion obligations.
Processing Modes and Privacy Impact
Choose the processing mode that matches your privacy requirements. On-device mode eliminates data transfer concerns entirely.
On-Device Processing
Images are processed entirely on the user's device using optimized ML models. No data is transmitted to external servers.
- Images never leave the device
- No cross-border data transfers
- No sub-processor involvement
- Face blurring via native platform APIs
- Offline queue syncs metadata only
- GDPR compliant by architecture
Cloud Processing
Images are transmitted securely to our API for analysis by AI vision models. Enables custom policies and maximum flexibility.
- TLS 1.3 encryption in transit
- AES-256 encryption at rest
- Standard Contractual Clauses with sub-processors
- Configurable data retention periods
- Signed URLs expire in 1 hour
- Full audit trail of all processing
Data Processing Register
A complete overview of the personal data we process, the legal basis for processing, and how long we retain it.
Sub-Processors
We maintain a transparent list of all sub-processors that may handle personal data when using cloud processing mode. On-device processing does not involve any sub-processors.
We will notify you of any changes to this list at least 30 days in advance, giving you the opportunity to object per our DPA.
Data Subject Rights
We provide the tools and processes to help you fulfill data subject rights requests from individuals whose data is processed through Verify AI.
Right of Access (Art. 15)
Export all verification data associated with a specific identifier through our API or dashboard. Responses include images, results, and metadata.
Right to Erasure (Art. 17)
Delete all verification data for a specific identifier via API call or dashboard. Deletion is permanent and propagated to all storage systems within 72 hours.
Right to Rectification (Art. 16)
Update or correct metadata associated with verifications. Verification results can be overridden with corrected compliance status through the API.
Right to Data Portability (Art. 20)
Export verification data in structured, machine-readable JSON format. Images can be exported with signed download URLs for bulk retrieval.
Right to Object (Art. 21)
We support your obligation to handle objections. Specific identifiers can be blocklisted to prevent future processing via the API.
Right to Restriction (Art. 18)
Verification data can be marked as restricted, preventing further processing while preserving it for legal obligations or dispute resolution.
International Data Transfers
When using cloud processing, data may be transferred outside the EEA. We ensure all transfers are protected by appropriate safeguards as required under GDPR Chapter V.
Transfer Mechanisms
All sub-processors have executed the EU Commission's 2021 Standard Contractual Clauses. These provide contractual guarantees that personal data transferred outside the EEA receives an equivalent level of protection.
We conduct transfer impact assessments for each sub-processor to evaluate the legal framework in the recipient country and any supplementary measures needed to ensure adequate protection.
For customers requiring data to remain within the EU, we offer EU-region deployment for database and image storage. Combined with on-device processing, this eliminates cross-border transfers entirely.
End-to-end encryption ensures that even during transit, data cannot be accessed by third parties. Images are encrypted before transmission and decrypted only within the processing environment.
Data Breach Notification
In the unlikely event of a data breach, we follow a strict notification process that meets or exceeds GDPR Article 33 requirements.
24 hrs
Maximum time to notify you after becoming aware of a breach involving your data
Full Report
Detailed breach report including nature, scope, affected data categories, and remediation steps
Ongoing
Continued communication and support as you assess impact and fulfill your own notification obligations
Technical and Organizational Measures
We implement comprehensive security measures as required by GDPR Article 32 to ensure the ongoing confidentiality, integrity, and availability of processing systems.
Access Control
- API key authentication with rate limiting
- Row-level security on all database tables
- Customer data isolation by customer ID
- Role-based access for internal staff
- Multi-factor authentication required for team access
Encryption
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- API keys hashed (never stored in plaintext)
- Webhook payloads signed with HMAC-SHA256
- Signed image URLs with 1-hour expiration
Monitoring & Logging
- Full audit trail of all API requests
- Real-time anomaly detection
- Automated alerting for suspicious activity
- Log retention for security analysis
- Regular penetration testing
Business Continuity
- Multi-provider AI fallback system
- Automated database backups
- Disaster recovery procedures
- 99.9% uptime SLA
- Geographic redundancy for storage
Request Our Data Processing Agreement
Our DPA covers all GDPR Article 28 requirements including processing scope, sub-processor management, security obligations, breach notification, audit rights, and data deletion. Available for all customers on paid plans.
Questions About Data Protection?
Our team is available to discuss your specific GDPR compliance requirements and help you choose the right processing configuration for your needs.
Data Protection Contact: privacy@switchlabs.dev
General Inquiries: hello@switchlabs.dev
Switch Labs LC · 434 Pine Street · San Francisco, CA 94158