EU compliance
How VEREID handles GDPR scope, the deliberate EU geo-block on /v1/verify, and the counsel sign-off gate before live PII processing.
Last updated 2026-05-20
VEREID is built on a GDPR + SOC 2 trajectory from day one. This page explains the specific operational gates that affect what you can ship from an EU end user's perspective, and how to work with us once those gates lift.
Where data lives
| Data class | Region | Storage |
|---|---|---|
| Social posts, profiles, follows | us-east-1 (V1); eu-central-1 read-replica V2 | Aurora PostgreSQL Serverless v2 |
| OIDC / OAuth tokens, sessions | us-east-1 | DynamoDB + Postgres |
| ID document images | us-east-1 S3 (vereid-id-docs), Object Lock 7 years | KMS CMK pii-vault |
| Biometric templates | us-east-1 S3 (vereid-biometrics), auto-purge 30 days | KMS CMK pii-vault |
| Audit log | us-east-1 S3 (vereid-audit), WORM Object Lock 10 years | KMS CMK audit |
EU residency lands in V2. Until then, EU end users are served from us-east-1 and the transatlantic transfer is governed by the EU–US Data Privacy Framework (DPF) — VEREID is registered. The DPF certification number and the underlying SCCs are linked from trust.vereid.com.
The /v1/verify EU geo-block
Until counsel sign-off (Workstream A item 6 of the master plan), POST /v1/verify/sessions returns HTTP 451 Unavailable for Legal Reasons when the originating IP geolocates to an EU member state or to the UK, Switzerland, Norway, Iceland, or Liechtenstein. The response is:
```json
{
  "type": "https://docs.vereid.com/errors/geo_blocked",
  "title": "Region not yet supported for live verification",
  "status": 451,
  "detail": "Live verification is not yet available for EU/EEA/UK residents. Use sandbox mode or contact sales for early access.",
  "region": "EU"
}
```

The block is enforced at the WAF layer (CloudFront geo-restriction) and at the application layer (the request's cf-ipcountry header). Both must agree before a session is permitted.
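The application-layer half of that guard, as an added illustration rather than VEREID's own code: it reads the WAF-supplied cf-ipcountry header, refuses EU/EEA/UK/CH traffic with the problem document above while the block is in force, and degrades to a notice header once the block lifts. The country list, the `guard_verify_session` signature, the `block_lifted` flag, the `X-VEREID-Region-Notice` header and the fail-closed handling of a missing country header are all assumptions made for this example.

```python
import json

# Constructed for this example: ISO 3166-1 alpha-2 codes for the 27 EU member
# states plus the UK, Switzerland, Norway, Iceland and Liechtenstein, the
# jurisdictions the page names. Not VEREID's own list.
EU_27 = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
GEO_BLOCKED = EU_27 | {"GB", "CH", "NO", "IS", "LI"}

# The RFC 7807 problem document returned for HTTP 451, as shown on the page.
GEO_BLOCKED_PROBLEM = {
    "type": "https://docs.vereid.com/errors/geo_blocked",
    "title": "Region not yet supported for live verification",
    "status": 451,
    "detail": "Live verification is not yet available for EU/EEA/UK residents. "
              "Use sandbox mode or contact sales for early access.",
    "region": "EU",
}
PROBLEM_HEADERS = {"Content-Type": "application/problem+json"}


def guard_verify_session(headers, block_lifted=False):
    """Application-layer guard for POST /v1/verify/sessions (hypothetical).

    Returns (status, response_headers, body). The originating country is read
    from the cf-ipcountry header that the WAF layer attaches to the request.
    """
    # Header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    country = (lower.get("cf-ipcountry") or "").strip().upper()
    if block_lifted:
        # After the three sign-offs the guard only annotates EU traffic
        # (hypothetical notice header standing in for the banner).
        notice = {"X-VEREID-Region-Notice": "EU"} if country in GEO_BLOCKED else {}
        return 200, notice, ""
    # Assumption: fail closed. If the WAF did not tag the request with a
    # country, the two layers cannot "agree", so the session is refused.
    if not country or country in GEO_BLOCKED:
        return 451, PROBLEM_HEADERS, json.dumps(GEO_BLOCKED_PROBLEM)
    return 200, {}, ""
```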
What still works for EU users
- Social endpoints (read and write) are unaffected.
- Auth endpoints (/v1/oidc/*, /v1/oauth2/*) are unaffected — EU users can sign in to your VEREID-Auth app.
- Test mode verifications are unaffected — your developers in the EU can build the full flow against the sandbox.
How the block lifts
Three sign-offs must all be present, recorded in compliance/control-matrix.md:
- External counsel review of the verification flow, biometric retention, and consent screens against the EU AI Act risk classification.
- DPIA (Data Protection Impact Assessment) completed and reviewed.
- Sub-processor list updated and pre-notified to existing customers.
Once those three land, the WAF rule flips and the application-layer guard is downgraded to a banner.
Consent and the AI Act
Live VEREID ID will fall under the EU AI Act's biometric remote identification category (limited risk → high risk depending on use case). Our hosted flow always:
- Presents a per-purpose consent dialog, with a per-purpose timestamp and IP recorded in consent_events.
- Allows the user to withdraw consent at any time via /v1/me/consent — withdrawal purges biometric templates immediately and stops further processing.
- Refuses to enroll users under 16 without a parental consent attestation (separate flow).
Data subject rights
The DSR endpoints are implemented and gated by a one-time email-OTP challenge:
| Right | Endpoint |
|---|---|
| Access | POST /v1/me/data-export — async, returns a signed S3 URL within 30 days. |
| Rectification | PATCH /v1/me/profile — instant for self-managed fields. |
| Erasure | POST /v1/me/delete — async, completes within 30 days. |
| Restriction | POST /v1/me/restrict — flag set, processing halted. |
| Objection | POST /v1/me/object — opts out of profiling-style features (currently: ranked-feed scoring). |
| Portability | Included in data-export; JSON + machine-readable. |
Full operational detail and B2B-customer DSR delegation in the DSR handling guide.
Right to access vs. trade-secret guardrails
We honour every access request to the user's data. We do not disclose tenant configuration, internal scoring weights, or other tenants' data via a user-initiated DSR. EU regulators have repeatedly clarified this carve-out; the boundary is documented in compliance/dpia.md.
Sub-processors
Live list at https://vereid.com/legal/sub-processors. Material additions are pre-notified 30 days in advance via email + this page's RSS feed.
Working with us on EU readiness
If you are an EU-headquartered customer waiting for the verify block to lift, talk to sales — you can join the early-access list. Until then, you can build and certify your integration end-to-end against sandbox.