
Compliance

The list of data privacy and data protection regulations below, with which OneVisage solutions comply, is not exhaustive. Please contact OneVisage for more information.

Americas

  • USA / CCPA

  • Brazil / LGPD

Africa & Middle East

  • Saudi Arabia / PDPL

  • South Africa / POPIA

Asia

  • India / DPDP

  • Indonesia / PDP


CNIL Model Regulation on Biometric Access Control in the Workplace (Deliberation 2019-001)

Article 4 - Personal data

  • No personal data are collected by OneVisage Premier solutions; personal data remain under the management of the enterprise information systems

  • The user's photo held by the legacy access control system may be used to compute an encrypted mathematical biometric model. Once the model has been sent to the user, it is deleted from the information system.

  • If no photo is available in the information system, an identity document reader can be used to verify the user's identity locally and perform a local 3D facial enrolment.

  • Log files created at onboarding or authentication contain only identifiers, no other personal data

Article 5 - Biometric Data

  • 3D facial biometrics is used to provide the highest level of security for the user, as opposed to fingerprint, iris, voice, 2D facial or palm recognition

Article 6  - Authorized Persons to User's Data

  • The IT administrator or system supervisor manages access rights and authorisations and may delete the user's biometric template.

  • The user controls their own biometric template and can delete it immediately, at any time

Article 7 - Biometric Template Storage 

  • Type 1: the 3D facial biometric token is held and controlled exclusively by the user

Article 8 - Storage Methods and Duration

  • The portrait picture is processed exclusively during the enrolment step

  • The biometric template is sent to the user by email; the copy held by the information system is destroyed once the email has been sent

  • The biometric template is an encrypted, irreversible mathematical model

  • Upon account deactivation, the biometric template is removed immediately in the case of the mobile application

Article 9 - Information of Users

  • Company is in charge of informing Users about the use of a 3D facial verification system

Article 10 - Data Security

  • All measures to secure data, hardware, software and communication channels are supported

Article 11 - Data Protection Impact Assessment (DPIA) - GDPR art. 35

  • A data protection impact assessment (DPIA) is available on request, subject to acceptance by OneVisage


Digital Operational Resilience Act - EU 2022/2554

ICT Risk Management

  • Secure control of physical and logical access to systems

  • Strong authentication for users, administrators, and operators

  • Segregation of access rights based on roles

Identity & Access Management (IAM)

  • Centralized and consistent identity verification across services

  • Strong authentication for critical systems and operations

  • Lifecycle management (onboarding, changes, revocation)

Operational Resilience & Availability

  • Reliable authentication even under stress or high load (scalable by design)

  • Reduced dependency on manual processes and human intervention

  • Support for on-premise and controlled environments

Incident Prevention & Detection

  • Reduction of identity-based attacks (credential theft, impersonation)

  • Protection against social engineering and account takeover

  • Early detection of abnormal authentication behaviour

Logging, Monitoring & Evidence

  • Event (JSON) logs suitable for incident analysis and regulatory reporting

  • Proof of authentication and access decisions

  • Support for audits and supervisory inspections

Third-Party & Supply-Chain Risk Control

  • Controlled physical and logical access for external users, contractors, and partners

  • Strong identity verification before granting system access

  • Reduction of shared credentials and unmanaged access paths


General Data Protection Regulation - EU 2016/679

Lawfulness, Fairness & Transparency

  • Lawful basis for processing (consent / contract / legal obligation)

  • Explicit consent for biometric data 

  • Clear privacy notices comprising purpose, storage duration and rights

  • Transparent information at onboarding through kiosk

  • Records of processing activities (ROPA)

Purpose Limitation

  • Biometric data used only for Identity verification, Access Control and Secure Authentication

  • No secondary use without additional lawful basis

  • Defined processing purposes in internal documentation

Data Minimisation

  • Collection limited to strictly necessary data: biometric mathematical template (not raw image storage)

  • Identity attributes are required by the service, not by the biometric solution

  • No central biometric database: user-controlled template model

  • No storage of raw biometric images

Accuracy

  • Identity verification against HR/registration system or official ID documents

  • Per-session biometric verification (always verify, never trust)

  • >99.999% biometric authentication confidence level

Storage Limitation

  • Defined retention policies directly linked to Access Control, HR or Registration system

  • Automatic deletion after End of employment, Event closure or Expiry of access rights

  • Configurable retention periods

  • Secure deletion mechanisms

Data Integrity & Confidentiality

  • Encryption of data at rest and in transit

  • Secure registration; enrolment QR codes carry an encrypted biometric token

  • No reversible biometric templates

  • Photo/video deep-fake presentation attack detection with IAPAR <0.1%

  • Access control to systems (role-based access control)

  • Authentication logs & audit trails

Biometric Data Enhanced Protection (article 9)

  • Explicit consent or strong legal basis

  • Privacy-by-design architecture

  • No biometric database

  • Biometric template irreversibility: encrypted mathematical model only

  • Technical & organisational safeguards

Data Subject Rights 

  • Right of access, to rectification, to restriction of processing and to object through service

  • Right to erasure through service or by instant deletion (mobile application deletion, QR destruction...) 

  • Audit logging of requests

Privacy by Design

  • Data separation: no direct link between personal data and the biometric template

  • Biometric token stored under user control, but relying upon the company registration workflow

  • Secure system architecture (zero-trust design)

  • Configurable processing rules

  • Default highest privacy settings

Data Protection Impact Assessment (DPIA)

  • Risk assessment of biometric authentication

  • Assessment of fraud risks and mitigations

  • Evaluation of proportionality and necessity

  • Documentation of safeguards

  • Pre-filled DPIA document available for Data Protection Officer (DPO)

Data Breach Management, Governance & Accountability

  • Under the responsibility of the company or service provider


Markets in Crypto-Assets Regulation (MiCA) - EU 2023/1114

Identity, Access & authentication

  • Strong customer authentication (SCA) aligned with PSD2 and the EBA regulatory technical standards on SCA

  • Secure user access control for staff and administrators

  • Segregation of duties

  • Continuous authentication

  • Protection against phishing, MFA fatigue and credential compromise

Asset Protection

  • Protection against loss, theft or misuse of private keys

  • Incident or identity fraud detection and response mechanisms

  • Full auditability of access to custody systems

Cybersecurity & Resilience

  • Secure authentication mechanisms without reliance on weak credentials

  • Protection against identity spoofing and impersonation

  • Continuous monitoring of access sessions

  • Cyber incident reporting procedures

Data Protection & Privacy

  • GDPR compliance (privacy by design and by default)

  • No centralized biometric databases (biometric template protection)

  • User consent and transparency on authentication methods

  • Data minimization and encryption at rest/in transit


Network & Information Security Directive - EU 2022/2555

Secure Access Control Measures

  • Strong two-factor authentication (2FA) for access to networks, systems, and services

  • Prevention of unauthorized physical and logical access

  • Elimination of weak credentials and badge sharing

Identity Verification & Trustworthiness

  • Verified identities for employees, visitors, and third parties

  • Assurance that access is granted to the right individual (not a device)

  • Protection against impersonation and forged identities

Risk Management & Secure Policies

  • Identity and access control integrated into security risk management

  • Reduction of human-factor vulnerabilities

  • Full automation to reduce operational errors

Incident Prevention & Impact Reduction

  • Limitation of attack surface through biometric-based access

  • Prevention of credential compromise and misuse

  • Faster containment through precise user identification

Monitoring, Logging & Accountability

  • Traceability of access to critical systems and locations

  • Logs usable for incident investigation and compliance checks

  • Clear accountability for access events

Data Security & Privacy Protection

  • Protection of personal and biometric template

  • Encryption and secure processing of identity attributes

  • Compliance with GDPR principles required by NIS2


Payment Services Directive 2 - EU 2015/2366

Strong Customer Authentication (SCA)

  • Multi-factor authentication (possession: what you have, plus inherence: who you are)

  • Resistance to spoofing and replay attacks (photo-video deep fakes)

KYC and Identity Verification

  • Reliable customer identification and verification against trusted identity documents (passports, ID cards)

  • Secure onboarding process

  • Anti-spoofing: prevention of synthetic or fake identities through 3D liveness detection

Data Privacy & Protection 

  • Encryption of irreversible biometric mathematical model template

  • Secure storage such as a secure mobile application with data vault, MIFARE DESFire EV3 badge or encrypted QR code

  • CNIL 2019-001 Type 1 storage and strict GDPR compliance

  • No biometric database, no personal data

Auditability & Traceability

  • Secure access to payment services

  • Logging of enrolment and authentication events

  • Tamper-resistant audit trails

Fraud & Risk Management

  • Real-time detection of impersonation, spoofing and deep-fake attempts

  • Transaction monitoring with strong authentication of parties 


Federal Act on Data Protection - Switzerland 09/2023

Governance & Accountability

  • Under the responsibility of the company or service provider

  • Premier solutions maintain record of processing activities (ROPA)

Lawfulness, Fairness and Proportionality

  • Lawful basis for processing: consent, contract or legal obligation

  • Legal justification: strong authentication of users or badge holders in high-security environments

Data Minimisation

  • Collection limited to strictly necessary data: biometric mathematical template (not raw image storage)

  • Identity attributes required for service, not by biometric solution

  • No central biometric database: user-controlled template model

  • No storage of raw biometric images

  • Use of irreversible biometric templates

Data Integrity

  • Encryption of data at rest and in transit

  • Use of irreversible biometric templates

  • Access control to systems (role-based access control)

  • Authentication logs & audit trails

Data Protection Impact Assessment (DPIA)

  • Risk assessment of biometric authentication

  • Assessment of fraud risks and mitigations, including spoofing attacks

  • Evaluation of proportionality and necessity

  • Documentation of safeguards

  • Pre-filled DPIA document available for Data Protection Officer (DPO) before deployment

Security of Processing (article 8)

  • Encrypted communications and biometric templates

  • Total anonymisation: no direct link between personal data (managed by service) and biometric template

  • Secure onboarding server architecture (on-premise)

  • Physical security for kiosks: in-memory processing only, no local storage, blocked USB/Bluetooth ports, encrypted communications, tamper-resistant housing

  • Secure software updates: automated release package integrity check, secure remote connection

  • Encrypted biometric QR codes, NFC badges or digital badges

  • Logging & monitoring 

Data Retention & Deletion Policy

  • Defined retention policies directly linked to Access Control, HR or Registration system

  • Automatic deletion after End of employment, Event closure or Expiry of access rights

  • Self-deletion at any time for QR-codes or mobile application

  • Configurable retention periods

  • Secure deletion mechanisms

Data Subject Rights 

  • Right of access, to rectification, to restriction of processing and to object through service

  • Right to erasure through service or by instant deletion (mobile application deletion, QR destruction...) 

  • Audit logging of requests

Automated Decision Making

  • Human review proposed as a fallback to automated decisions (where applicable)

  • Decision logic agnostic to skin tone, lighting conditions, gender or age, with FRR as low as 0.0005%

  • Audit logging of requests

Data Breach Management, Governance & Accountability

  • Under the responsibility of the company or service provider
