<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1611884&amp;fmt=gif">

 Identity Proofing Practice Statement  

Effective January 1, 2026

1. Purpose

This Identity Proofing Practice Statement (IPPS) defines the policies, procedures, controls, and governance mechanisms by which Vouched Identity, Inc. DBA Vouched (“Vouched”) performs identity proofing and identity verification services.

The purpose of this document is to:

  • Describe how identities are verified prior to granting access, privileges, or completing regulated transactions.
  • Define assurance levels supported.
  • Document operational, security, and compliance controls.
  • Provide transparency to customers, regulators, auditors, and partners.

2. Scope

This IPPS applies to:

  • All identity proofing services provided by Vouched
  • All employees, contractors, subprocessors, and systems involved in identity verification operations.
  • All customers consuming identity verification services via API, SDK, JSPlugIn or VouchedNow (no code).

This document covers identity proofing of natural persons unless otherwise specified.

3. Definitions

Identity Proofing – The process of verifying that a claimed identity corresponds to a real individual.

Identity Verification (IDV) – Validation of identity evidence and confirmation of identity attributes.

Evidence – Documents, data, or biometric information used to support identity claims.

Authenticator – A mechanism used to verify identity during authentication events.

IAL (Identity Assurance Level) – Assurance level aligned to NIST SP 800-63A definitions (if applicable).

Biometric Data – Facial images, liveness signals, or other biometric identifiers used for verification.

4. Regulatory and Standards Alignment

Where applicable, identity proofing practices align with:

  • NIST SP 800-63A (Digital Identity Guidelines – Identity Proofing)
  • ISO/IEC 27001
  • SOC 2 Trust Services Criteria
  • AML/KYC regulatory requirements (where applicable)
  • GDPR / CCPA and applicable privacy regulations
  • eIDAS (if applicable)
  • Industry-specific requirements (e.g., financial services, fintech, healthcare)

5. Identity Proofing Overview

5.1 Identity Proofing Methods

Vouched performs identity proofing using a combination of:

      1. Document Verification
        • Government-issued ID capture
        • Optical Character Recognition (OCR)
        • Barcode scanning
        • Tamper/fraud detection
      2. Biometric Verification
        • Facial comparison (selfie-to-ID match)
        • Liveness detection (passive and/or active)
        • Anti-spoofing detection
      3. Data Validation
        • Validation of identity attributes against authoritative or commercial data sources
        • Watchlist screening (if applicable)
      4. Risk Signals
        • IP analysis
        • Behavioral indicators
        • Fraud risk scoring

6. Identity Assurance Levels

Vouched supports the following assurance levels:

 Level   Description   Typical Use Case 
 IAL1   Self-asserted identity   Low-risk services 
 IAL2  Verified identity with validated evidence and biometric match   Regulated healthcare, financial services, fintech, marketplaces 

 

7. Identity Proofing Process

7.1 Identity Evidence Collection

      • Users submit required identity evidence via secure web or mobile interface.
      • All data in transit is encrypted using TLS 1.2+.
      • File uploads are scanned for malware.

7.2 Evidence Validation

      • Documents are analyzed for authenticity.
      • Data extracted via OCR or barcode/MRZ scans is validated against document templates.
      • Machine learning models detect forgery indicators.

7.3 Biometric Verification

      • Live capture of face image.
      • Liveness detection confirms human presence.
      • Face comparison performed between ID photo and live capture.

 

7.4 Risk Assessment

Each transaction receives a risk evaluation based on:

      • Document integrity signals
      • Biometric confidence score
      • Historical fraud indicators

7.5 Decisioning

Outcomes may include:

      • Pass
      • Fail
      • Warnings (e.g. manual review encouraged)

Decision thresholds are documented and approved internally.

8. Fraud Prevention Controls

Vouched employs layered fraud prevention techniques including:

    • Deepfake detection
    • Presentation attack detection (PAD)
    • Duplicate identity detection
    • Velocity checks
    • Behavioral analytics
    • Watchlist screening (OFAC, PEP, sanctions where applicable)

Fraud models are regularly retrained and tested. See https://www.vouched.id/identity-verification/fraud-detection for more information.

9. Data Security and Privacy

9.1 Data Encryption

      • Encryption in transit (TLS 1.2+)
      • Encryption at rest (AES-256 or equivalent)
      • Encryption key management with role-based access

9.2 Access Controls

      • Role-based access control (RBAC)
      • Multi-factor authentication for administrative access
      • Least privilege principle
      • Periodic access reviews

9.3 Data Retention

      • Retention periods defined by customer agreement and regulatory requirements.
      • Secure deletion after expiration of retention period.

9.4 Data Minimization

      • Only required identity attributes are collected.

9.5 Subprocessors

      • Subprocessors are vetted via security assessments.
      • Data processing agreements are in place.
      • Subprocessor list provided via website (Annex III of Data Processing Agreement)

10. Human Review Controls

Manual review is performed on a sample of transactions on a monthly basis for model training purposes.

  • Analysts undergo background screening.
  • Mandatory training on fraud detection and privacy.
  • Dual-control or quality assurance review sampling.
  • Activity logging and monitoring.

11. Monitoring and Logging

  • All identity proofing transactions logged.
  • Security logs retained in accordance with retention policy.
  • Real-time monitoring for suspicious activity.
  • Incident response plan maintained and tested annually.

12. Testing and Validation

12.1 Model Validation

      • Periodic bias and fairness testing
      • Performance benchmarking (FAR, FRR, TAR metrics)
      • Ongoing model monitoring

12.2 Security Testing

      • Annual penetration testing
      • Vulnerability scanning
      • Code review and secure SDLC practices

13. Business Continuity

  • Disaster recovery plan documented.
  • Data backups performed regularly.
  • High-availability infrastructure where applicable.
  • Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

14. Incident Management

In the event of a security or fraud incident:

  • Incident triage and classification
  • Root cause analysis
  • Customer notification in accordance with contractual and legal obligations
  • Regulatory reporting if required

15. Customer Responsibilities

Customers are responsible for:

  • Determining required assurance level.
  • Ensuring lawful basis for data processing.
  • Proper integration of SDK/API/JS PlugIn.
  • Secure handling of verification results.

16. Governance and Review

  • This IPPS is reviewed at least annually.
  • Updates approved by leadership.
  • Material changes communicated to customers as required.

17. Contact Information

For inquiries regarding this Identity Proofing Practice Statement:

 Privacy@Vouched.id 

Vouched Identity Inc. DBA Vouched

508 2nd Avenue, Ste 1400

Seattle, WA 98104

www.vouched.id

 

 

Appendix A – Supported Document Types

Supported documents are available at https://docs.vouched.id/docs/recognized-ids