Security and Privacy
Real ID is committed to the security and privacy of end customers and merchants alike using ID verification to facilitate trust and comply with KYC, AML, and age restriction regulations.
This is not an exhaustive list of practices, but an overview of key policies and procedures.
Real ID has completed and been approved for Shopify's Level 1 and Level 2 Customer Data Protection requirements. SOC 2 compliance is in progress.
If you have any security related questions or need to report a security concern you can email [email protected].
If you have any privacy related questions, or would like to have a GDPR or CCPA request fulfilled you can email us at [email protected].
Real ID provides tooling to comply with customer privacy regulations such as GDPR, CCPA as well as override decisions by A.I. and permanently delete customer data on request.
Do not sell data
All of Real ID's revenue comes directly from merchant subscriptions and usage fees for its ID verification service. We respect our merchants and customers privacy and do not sell or profit from customer data in any way.
Real ID's primary function is to securely and instantly collect and verify the ID documents of your customers.
As part of that process, Real ID will collect metadata during the ID verification process for additional fraud screenings.
This includes images of the customer's ID documents and optional biometric information like headshots for comparison against documents for additional security.
Real ID will also collect IP addresses, device metadata, order metadata like phone numbers, emails and firsthand customer provided data like first name, last name, and email address.
The only purpose of collecting this information is for corroborating multiple pieces of real world identifiable information to help make the most accurate automated decision possible. This helps to provide the most complete possible picture of the customer's real world identity.
Minimum data sharing
Real ID shares as little data as possible to other services for processing. This helps to provide the Real ID verification services.
Customer data deletion policies
Limit your risk and comply with privacy regulations by defining a fine tuned customer data retention policy within Real ID.
Specify how long customer data should be retained for, with granularity from 1 day for as long as up to 5 years.
By Q2 2023, Real ID will apply custom data retention policies to automatically delete flagged customer data at 00:00 UTC.
GDPR & CCPA Compliance
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). A "processor" under the GDPR is any entity that processes personal data on behalf of a controller.
The California Consumer Protection Act (CCPA) is a similar regulation that provides rights to Californian's data stored by online services.
Like GDPR, the CCPA grants the right to consumers to know the data collected by services, delete data stored by services, as well as opt out of collection.
Real ID is considered a Data Processor entity under GDPR and has the responsibility of ensuring the security of personal data and take appropriate measures to prevent unauthorized access, disclosure, alteration, or destruction of personal data.
Customers can request for their collected data, as well as have it deleted at any time by sending a request to [email protected].
Compliance Tools for Merchants
As a controller using Real ID, you have the ability to delete customer data at any time using the Real ID dashboard.
You can delete customer data at anytime, which will permanently and irreversiably delete the photos and personally identifiable data.
Shopify GDPR Compliance
Real ID integrates with Shopify's customer and merchant GDPR lifecycle events.
When end customers submit data requests or deletion requests, Real ID will automatically provide this data for you or delete this information on your behalf.
When uninstalling Real ID, your merchant data and customer data will be deleted within 30 business days.
Opt out of A.I. decisions
As a merchant, you can opt out of any automated decision by the built-in ID verification A.I. system by manually approving or rejecting a given ID check in the Real ID dashboard.
This will override the automatic result of an ID check and will either allow the customer to pass ID verification or reject their submission.
In addition, you can allow the customer to retry their ID verification submission by sending them a new ID check.
Operational Security Measures
Real ID implements best practice security measures for operational accounts including but not limited to the following:
- All user passwords must be 20 characters, unique across all accounts, and must be generated randomly with enthropy.
- MFA is required on all accounts.
- Physically based keys for MFA are used when available, followed by app based tokens.
- Regular password resets and API token refreshes are implemented.
All merchant and customer data and images handled by Real ID are hosted within Amazon Web Services (AWS) platform under
You can read more about AWS’s security practices and compliance certifications here.
AWS is a best-in-class infrastructure as service provider, which allows Real ID to implement server side and client side encryption of data.
In addition, it allows Real ID to segregate infrastructure access to specific employee roles to limit access.
Encryption in transit and at rest
Real ID employs state of the art encryption during ID verification as well as in our vaults holding your customers data and ID document photos.
During transit from customer's devices to Real ID, vaults are protected with Secure Socket Layer/Transport Layer Security (SSL/TLS) protocol.
At rest, customer's images are encrypted with the industry standard Advanced Encryption Standard (AES256) to protect files against unauthorized access and protect customer confidentiality.
AES256 is the industry standard because the key used for encryption is 256 bits long, which means there are 2^256 possible combinations of the key. This makes it extremely difficult for someone to figure out the key through brute force methods, such as trying every possible combination until the correct one is found.
Merchants do not have access to these AES keys. Instead, images are shared by short lived links to your Real ID dashboard in Shopify or WooCommerce. To limit your exposure, these links expire after 15 minutes.
Intrusion Protection and Prevention
Real ID uses Cloudflare for its Web Application Firewall (WAF). Cloudflare is built with the modern Zero Trust infrastructure principles for modern web applications.
Cloudflare provides both intrusion prevention through advanced adaptive firewall rules based on real time threat data across its global network. Learn more about Cloudflare's security policies here.
In addition, Real ID uses AWS Cloudwatch for logging and monitoring access to infrastructure.
Data Contingency Policies
To protect against data loss, data is backed up between multiple physical regions within AWS.
This provides a contingency in case of data loss at a single physical data center location.
These backups are performed on a daily basis. Expired snapshots are deleted within a reasonable time period.