
Security

How we protect identity data

Canadian Data Residency · TLS 1.3 · AES-256

Security and privacy are foundational to what Athenty does. Here's an honest look at our infrastructure, practices, and roadmap.


Philosophy

Security by design, not compliance checkbox

We handle identity documents and biometric data for regulated industries. Security isn't a feature — it's a precondition. Our approach is to build the minimum viable trust boundary first, then harden outward.

We publish our compliance roadmap honestly. If a certification is planned, we say planned — not implied. This page reflects our current state, not an aspirational posture.

Isolated compute

Each verification pipeline runs in an isolated execution context. No shared memory between tenant workloads.

Canadian data residency

All identity data is processed and stored within Canadian data centers. No cross-border transfer of PII.

TLS 1.3 in transit

All API and portal traffic is encrypted using TLS 1.3. Older protocol versions are rejected.

AES-256 at rest

Documents, verification results, and PII are encrypted at rest using AES-256 with key rotation.

Data handling

What we collect, how long we keep it

Document images

Encrypted at rest (AES-256)

Document images are stored in encrypted cloud storage with strict access controls. Storage is access-logged and protected by role-based permissions.

Biometric data

Retained for matching

Face embeddings are stored in encrypted form and used to support biometric match scoring. Selfie images are stored with the same access controls as document images.

Verification results

Retained per account settings

Risk scores, compliance flags, and audit trails are retained. Default retention is 7 years to meet FINTRAC record-keeping obligations. Configurable per account.

PII (name, DOB, address)

Retained for audit trail

Extracted identity fields are retained in encrypted form to support audit trail requirements. Deletion requests are honored per PIPEDA.

API & Webhooks

Signed webhooks and sandbox testing

Every webhook delivery from Athenty is signed with HMAC-SHA256 using a shared secret. Verify the signature on receipt to confirm the payload originated from Athenty and was not tampered with in transit.

HMAC-SHA256 signing

All outbound webhook payloads include an X-Athenty-Signature header. Reject unsigned or mismatched payloads.

Sandbox environment

Full REST API sandbox with test document sets. Trigger all verification outcomes — pass, fail, pending — without real ID documents.

API key scoping

API keys are scoped to specific environments (sandbox/production) and can be restricted to read-only or write access.

Replay protection

Webhook payloads include an event timestamp. Reject payloads older than 5 minutes to prevent replay attacks.
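
A receiver-side check covering both the HMAC-SHA256 signing and the replay protection described above. This is an added example, not Athenty's own code. It assumes the X-Athenty-Signature header carries the hex-encoded HMAC of the raw request body and that the payload has a top-level "timestamp" field in Unix seconds; the page states neither, and the event name and secret in the sample are constructed.

```python
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "X-Athenty-Signature"  # header name given on the page
MAX_AGE_SECONDS = 5 * 60                  # replay window given on the page


def verify_webhook(raw_body, headers, secret, now=None):
    """Return the parsed event, or raise ValueError if it must be rejected.

    Assumed, not stated on the page: the header holds the hex HMAC-SHA256 of
    the raw body, and the payload has a top-level "timestamp" in Unix seconds.
    """
    # HTTP header names are case-insensitive.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received:
        raise ValueError("unsigned payload")

    # MAC the exact bytes received; re-serialised JSON can differ byte-wise.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd header input cannot raise.
    if not hmac.compare_digest(expected.encode(), received.strip().lower().encode()):
        raise ValueError("signature mismatch")

    # Parse only after the signature has been verified.
    event = json.loads(raw_body)
    ts = event.get("timestamp") if isinstance(event, dict) else None
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        raise ValueError("missing timestamp")
    now = time.time() if now is None else now
    if now - ts > MAX_AGE_SECONDS:
        raise ValueError("stale payload (possible replay)")
    return event


if __name__ == "__main__":
    # Constructed sample: secret, event name and timestamp are made up.
    secret = b"constructed-test-secret"
    body = json.dumps({"event": "verification.completed",
                       "timestamp": int(time.time())}).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    print(verify_webhook(body, {SIGNATURE_HEADER: sig}, secret)["event"])
```

Under these assumptions the timestamp sits inside the signed body, so it cannot be refreshed without invalidating the signature.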

Compliance roadmap

Honest status, not aspirational claims

We show the real status of each standard. Planned means we're on the roadmap. In progress means active work is underway. Compliant means it's done.

Standard          Status        Target
PIPEDA (Canada)   Compliant     Ongoing
GDPR (EU)         In Progress   2026
SOC 2 Type II     Planned       2026
ISO 27001         Planned       2027

Responsible disclosure

Found a vulnerability?

If you believe you've discovered a security issue in Athenty's platform, please report it responsibly. We commit to responding within 2 business days, working with you to understand the scope, and crediting researchers who report valid findings.

Please do not publish vulnerability details publicly before we've had a chance to address them. Send reports to: security@athenty.com

Security questions?

Our team is available to answer security and compliance questions for enterprise evaluations.

© 2026 Athenty – Verification Intelligence