sinalet's comments

We're rather selective in terms of which customers we serve given that we see the verification of someone’s identity as a privilege rather than a right.

With respect to Sift, we see them as good stewards given their narrow focus of preventing fraud as opposed to data brokers that sell your data to ad networks, hedge funds, etc.

Sift has taken a privacy-conscious approach to responding to data access requests by ensuring the individual is in fact who they say they are. We’re proud to help them prevent fraudulent access to sensitive personal information.


Thanks! You can check out short videos of our mobile [1] and web [2] flows.

If you want to give it a try yourself, you can sign up and try our "test mode" for free!

[1] https://www.youtube.com/watch?v=cX4lQlCWXq0

[2] https://www.youtube.com/watch?v=O3nV0AXbsL8


Thanks for taking the time to carefully read our terms of service! We share your point of view that these aren't merely a series of boxes to check.

Our “privacy-first” claims are namely three-fold:

1. We limit the data returned to our customers and enforce a maximum data retention period after which data is permanently deleted. We encourage customers to reduce the amount of data they need and the number of days it must be stored.

2. We built our own image watermarking service to protect the sensitive images we process and store. This helps ensure that the images cannot be used to verify an identity on any other service.

3. We completed our SOC 2 Type 1 examination in March 2019. This is an intensive security audit performed by an accredited third party. We perform these annually.

And thanks for the feedback regarding JAMS specifically. We are in the process of revising our terms that were first drafted early this year before our public launch.

We really do appreciate this feedback, which we will take into account as we continue to iterate on both our Terms of Service and Privacy Policy to best reflect our business practices. As part of this effort, we are making a commitment to always publish a record of all changes to our terms.


Commenting as an uninvolved bystander: your entire reply sounds like corporate-speak to me, and it's off-putting. I get that you're trying to state your intent, and perhaps English isn't your native language, but it's deterring me from looking further into Berbix. Also, your second claim really just seems to be a lock-in, not a user-friendly positioning.


If your primary business is trust, you have to commit contractually to back it. Not just make "claims".


FYI: SOC 2 Type 1 has no weight for corporate/data privacy/infosec because anyone can get it with a dozen .docx templates from the internet. A Type II report is substantial because it requires the auditor to observe your actual operations for the previous 3-6 months. If you got a Type 1 report in March, does that mean that a Type 2 report will be available to prospective customers any day now?


How can you force your customers to have a retention period for data you provide them? They could just keep a copy, and you'd never know.


So the purpose of taking a picture of yourself is to make sure that the photo as depicted on the ID matches the person who is completing the flow. This is important as a stolen ID should not be usable for the purposes of online identity verification. We’re not in the business of selling your data, but of providing a secure, privacy-oriented way for businesses that have to perform ID checks to do so. In the situation described above, we’re providing identity verification services for Sift in the context of the data subject access requests they’re receiving.


Thanks and great question! Our patent-pending fake ID detection provides an additional layer of fraud prevention on top of the surface-level checks of visual indicators that are typical in online ID checks. This gets closer to a DMV database check without the high cost (several dollars) of checking against motor vehicle records.


Gotcha, thanks! When you say "provides an additional layer of fraud prevention", you mean you're verifying against some external service like Checkr or something?

If not, very curious how you solve for false negatives in your KYC. That itself is a meaty problem domain. I remember when Coinbase was scaling, tons of folks were complaining about being unable to access funds because they were told that they weren't providing proper identifying information, even when they, in fact, were.


Our customers can specify their own risk profile, and in general, customers using us for more sensitive use cases (e.g. returning all the data they possess about individuals), tend to pick our most thorough checks. In addition, we return a number of signals to our customers to help them determine how confident they should be about a given verification. That said, it is ultimately the responsibility of the business who's the recipient of the data request to determine whether they're confident enough about the identity of a "data requester" before acting on their request.

The unfortunate reality is that very often, businesses do not do enough due diligence before responding to data requests. [1] Berbix makes such diligence easier and more secure, such that more companies should be able to adopt better processes around data access requests.

[1] "GDPArrrrr: Using Privacy Laws to Steal Identities" https://i.blackhat.com/USA-19/Thursday/us-19-Pavur-GDPArrrrr...

