1. Can the facial image be returned to us as the client, after the comparison process has been completed?
Answer: Yes. For Document verification, the W2 SDK will return an image of the document (cropped to remove ‘noise’ from the image), an image of the subject from the document (used as the base image for the facial comparison), and an image of the signature if present. These can be retained by you as the client for future use.
2. Is the data captured during the facial comparison and document verification process securely disposed of?
Answer: Yes. We do not retain images of any element of this process at our end. Once the verification result is returned, all images are destroyed.
3. What if people try to verify with a bogus image, do we still pay per verification and what do we do about manual intervention? Can we have access to the SDK ourselves or will W2 need to do this?
Answer: Yes. If a subject tries to send an image other than themselves, the system will interpret this as a potential fraud event and fail the check. In terms of manual intervention, the W2 SDKs are fully isolated and independent, meaning that you can call the functionality at the exact point in the customer journey that you want to. As part of a DVFC customer flow, if the document is not genuine, you DO NOT have to call the facial comparison element, thus allowing for manual intervention. The majority of our services contain the ‘process breaks’ to ensure that if there is an issue with the relevant check, the process does not automatically go forward, saving our clients the cost of an unnecessary call.
4. Can we keep the images after they have been used for the verification? If so, how should we store it? How could we reference it ourselves when a user uploads a new picture?
Answer: You can store data; however, it is vital that you comply with GDPR requirements. If you are planning on storing biometric data, your Data Protection Officer (DPO) should be consulted at all times. The DPO may suggest that you need to complete a Data Protection Impact Assessment (DPIA), outlining the risks, controls and mitigations of such an action, to ensure compliance. Your DPO may also suggest that your Data Retention Policy should be updated to reflect your storage wants and needs. However, this should not be construed as legal or compliance advice; your DPO is responsible for such direction and steer.
5. Can a small sample of the comparison / verification requests be sent to our auditors or would we have to do that?
Answer: W2 will only send response data to the contracted party, i.e. our clients. The client would need to manage the relationship with the respective auditors and therefore the frequency of, and process behind, the safe sending and storage of response data.