Security & Compliance
FaceLock meets the highest standards for biometric security and privacy compliance
Certifications & Standards
FaceLock leverages FaceTec's industry-leading biometric technology with the highest certifications
iBeta Level 1 Certified
Certified for biometric accuracy and anti-spoofing capabilities
iBeta Level 2 Certified
Highest standard for 3D liveness detection and presentation attack detection
NIST IAL2/IAL3 Compliance
Supports Identity Assurance Level 2 and 3 requirements without additional infrastructure
GDPR Compliant
Privacy-by-design architecture ensures compliance with GDPR and other privacy regulations
Security Architecture
Privacy-by-design ensures maximum security with zero data collection
Security Features
Biometric Templates Sealed in Credentials
Biometric data never leaves the credential or travels to external servers, ensuring maximum privacy protection
Local Processing
All verification happens locally on the verifier's device - no data transmission required
PKI Cryptographic Signing
All credentials are cryptographically signed by issuing authorities, ensuring authenticity and integrity
Zero Data Collection
No data is collected, stored, or transmitted during verification - completely anonymous from a data perspective
Reduce PII scope: host FaceLock in your environment
Deploy the FaceLock ecosystem in your tenant — not ours — and keep biometric and identity data under your policies and residency requirements.
SaaS-only identity stacks often expand PII and biometric processing into the vendor's cloud, complicating GDPR reviews, data residency, and security exams. FaceLock supports a deployment model where the ecosystem runs in your Azure, AWS, GCP, or on-premises environment — inside the boundary you control.
Enrollment, liveness checks, IDV workflows, credential issuance, and audit records can remain in your infrastructure. FaceLock SaaS is not required to hold your customers' or employees' PII to operate the platform.
The only connection FaceLock services require is billing telemetry — usage metering for commercial operations. Biometric payloads and credential data do not need to leave your environment for FaceLock to bill and support your deployment.
Stays in your environment
- Enrollment and identity proofing workflows
- 3D liveness and biometric binding
- Credential issuance and temporal audit records
- Integration with your Entra ID, CMS, SIS, or line-of-business systems
Reaches FaceLock (cloud)
- Billing and usage telemetry only — not biometric payloads or credential content
Note: FaceLock Reader verification remains local on the verifier's device with no central data collection during offline credential checks — a separate layer from issuance and MFA deployment.
Envoc · SOC 2 Type II
Why SOC 2 Type II Compliance Matters for PII
When organizations handle regulated or government PII, audited trust services controls matter more than startup promises.
Expected: FaceLock's parent company, Envoc, is on track to achieve SOC 2 Type II compliance by June 30, 2026.
Government agencies and regulated industries strongly prefer SOC 2 Type II providers over startups that lack mature security and data-handling practices — especially when driver's license data, health information, student records, or other sensitive PII is involved.
It is uncommon for a company of Envoc's size and focus to pursue this level of attestation. Envoc is building the policies, procedures, and controls that SOC 2 Type II requires — a deliberate commitment to security, accountability, and trust.
Many startups are not SOC 2 compliant and do not have mature security or data storage practices in place. When handling sensitive PII on behalf of governments or regulated industries, the risk of using non-compliant providers is too high.
Sensitive data FaceLock deployments may protect
- Driver's license and government ID data
- Personal information (PII)
- Health insurance information
- Health and medical information
- Student education records (diplomas, transcripts, and related records)
- Other regulated or legally protected personally identifiable information
| Aspect | SOC 2 Type II Provider (Envoc) | Typical Startup / Non-Compliant Provider |
|---|---|---|
| Security Controls | Rigorously audited trust services criteria | Often minimal or ad-hoc controls |
| Data Handling Maturity | Documented policies, procedures, and audits | Frequently lacks formal processes |
| PII Protection | Strong controls for security, availability, and confidentiality | Higher risk of breaches or poor practices |
| Government & Enterprise Fit | Suitable for regulated and government workloads | Often rejected during security reviews |
| Audit & Accountability | Annual independent SOC 2 Type II attestation (expected June 30, 2026) | Rarely have third-party security attestations |
Compliance & Standards
NIST IAL2/IAL3 Compliance
FaceLock delivers NIST Identity Assurance Level 2 and 3 compliance through biometric binding, eliminating the fundamental vulnerability in current PKI implementations. Organizations can achieve high assurance levels without extensive infrastructure investment.
GDPR & Privacy Compliance
FaceLock's architecture supports privacy compliance through its design principles: minimal data collection, local processing, no tracking during verification, and user control over credential sharing. The system processes biometric data only as necessary for verification and does not create persistent digital trails.
SOC 2 Type II (Envoc)
FaceLock is offered by Envoc, FaceLock's parent company and operating provider. See why SOC 2 Type II matters when sensitive PII is in scope.
Customer-controlled deployment
FaceLock can run in your cloud or on-premises so PII stays in infrastructure you control. See customer-hosted deployment above for how billing telemetry is the only required connection to FaceLock services.
Standards Participation
FaceLock participates in standards bodies including NIST, W3C, and FIDO Alliance, contributing to the advancement of secure, accessible identity verification standards.
Schedule a Security Review
Our security team can provide detailed security architecture review and compliance guidance