UK→US  ·  IN→US  ·  KE→US  ·  Portable credential protocol  ·  Groth16 + Ed25519 Verifier API
Security & compliance
Pilot access available
Certified account aggregators • onboarding pilot institutions across verification, compliance, and cross-border credential workflows.

Built for regulated financial institutions.

Privacy-first by architecture. Designed to support FCA, GDPR, and ECOA review workflows. Institutions receive verified claims and verification metadata, not raw bank statement packets.

Financial source connectivity via certified account aggregators  ·  Financial signal intake without raw statement sharing  ·  PASSID verification protocol for regulated institutions
🛡️
SOC 2-aligned controls
Security, availability, and confidentiality controls aligned to SOC 2 criteria. Formal audit target: H2 2026. Current controls available for pilot review.
📋
ISO 27001-ready controls
Designed for ISO 27001-ready security practices. Security controls are documented and available during institution review.
🇪🇺
GDPR Aligned
Data minimisation by design. Raw source financial data deleted within 60 seconds. DPA available on request.
⚖️
Fair Lending
Disparate impact can be monitored per corridor. Audit trail exportable for institution review.

Zero raw PII. By design.

🔐 Selective disclosure
Credential presentations are designed to expose scoped claim results and verification metadata instead of raw statements.
🗝️ Ed25519 signing
Every credential is signed by PASSID's issuer key. Institutions verify the signature before trusting any claim. Tamper-evident from issuance to presentation.
📱 On-device key storage
Private keys are designed to remain on the user's device. Credential revocation is user-initiated and reflected through verifier checks.
🏗️ Data minimisation
Source financial data is processed to produce credential claims. Verifier responses are scoped to claims and metadata rather than transaction feeds.
🔍 Full audit trail
Every verification event, consent action, and credential lifecycle change is logged with millisecond timestamps. Exportable for regulatory review.
🌍 Encrypted at rest + transit
AES-256 at rest. TLS 1.3 in transit. Regional deployment options are planned for enterprise customers.

Found a vulnerability?

We operate a coordinated disclosure programme. Report security issues to security@passid.io. We respond within 24 hours.

Scope
API endpoints, credential issuance, verification logic, wallet app, webhook delivery, and authentication.
Response SLA
Acknowledgement within 24h. Severity assessment within 72h. Critical fixes within 7 days.
Recognition
Valid reports acknowledged in our security advisories. Bug bounties available for critical vulnerabilities.

Operational reliability.

PASSID is designed for institution verification workflows, with paid-plan reliability terms documented in customer agreements.

Target uptime: available where included in the institution agreement.
API latency target (pilot target): target latency for verifier API paths, monitored during operations.
Redundant deployment (Multi-AZ): redundancy and failover options for institution deployments.
Data residency (EU · UK · US): deployment options can be aligned with institution data residency requirements.

Built for regulated markets.

PASSID provides credential verification infrastructure. All eligibility decisions and adverse action determinations remain with the institution. The verification output is structured to support institutions' own regulatory obligations.

FCRA § 615 — Adverse action support
PASSID verification responses include structured verified claim context — identity, income, sanctions status, and fraud checks — to help institutions construct FCRA-compliant adverse action notices. The institution issues the notice and applies its own policy. PASSID supplies the verified claim context.
GDPR Art. 22 — Explanation artefacts
Verification outputs include explainability artefacts to help institutions meet their GDPR Art. 22 obligations for automated decision-making. PASSID itself does not make the automated decision — your institution does, using verified claims as input.
FCA CONC — Verified claim inputs
Income verification, cashflow behavior signals, and sanctions screening outputs are documented and explainable — structured so institutions can use them as part of their own FCA Consumer Credit sourcebook eligibility assessments.
ECOA / Fair lending monitoring
Disparate impact can be tracked per corridor as part of model governance. Institutions receive audit artefacts for their own fair lending programmes.