
EU compliance

How VEREID handles GDPR scope, the deliberate EU geo-block on /v1/verify, and the counsel sign-off gate before live PII processing.

Last updated 2026-05-20

VEREID is built on a GDPR + SOC 2 trajectory from day one. This page explains the specific operational gates that affect what you can ship from an EU end user's perspective, and how to work with us once those gates lift.

Where data lives

Data class                       | Region                                                | Storage
---------------------------------+-------------------------------------------------------+--------------------------------
Social posts, profiles, follows  | us-east-1 (V1); eu-central-1 read-replica (V2)        | Aurora PostgreSQL Serverless v2
OIDC / OAuth tokens, sessions    | us-east-1                                             | DynamoDB + Postgres
ID document images               | us-east-1 S3 (vereid-id-docs), Object Lock 7 years    | KMS CMK pii-vault
Biometric templates              | us-east-1 S3 (vereid-biometrics), auto-purge 30 days  | KMS CMK pii-vault
Audit log                        | us-east-1 S3 (vereid-audit), WORM Object Lock 10 years | KMS CMK audit

EU residency lands in V2. Until then, EU end users are served from us-east-1 and the transatlantic transfer is governed by the EU–US Data Privacy Framework (DPF) — VEREID is registered. The DPF certification number and the underlying SCCs are linked from trust.vereid.com.

The /v1/verify EU geo-block

Until counsel sign-off (Workstream A item 6 of the master plan), POST /v1/verify/sessions returns HTTP 451 Unavailable for Legal Reasons when the originating IP geolocates to an EU member state or to the UK, Switzerland, Norway, Iceland, or Liechtenstein. The response is:

{
  "type": "https://docs.vereid.com/errors/geo_blocked",
  "title": "Region not yet supported for live verification",
  "status": 451,
  "detail": "Live verification is not yet available for EU/EEA/UK residents. Use sandbox mode or contact sales for early access.",
  "region": "EU"
}

The block is enforced at the WAF layer (CloudFront geo-restriction) and at the application layer (the cf-ipcountry request header). Both layers must agree that the region is permitted before a session is created.
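The following is an added example, not VEREID's own code, showing what the application-layer half of that guard and an integrator's handling of the resulting HTTP 451 look like in practice. It assumes the edge forwards the viewer's ISO 3166-1 alpha-2 country code in the cf-ipcountry header named above; the exact country set, the fail-closed treatment of a missing or malformed header, and the function names are assumptions made for the example.

```python
"""Added example (not VEREID's code): application-layer geo-guard for
POST /v1/verify/sessions, plus client-side handling of the 451 response."""
import json
from typing import Optional, Tuple

# Assumption: the 27 EU member states as of this writing.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# UK, Switzerland, Norway, Iceland, Liechtenstein, as listed on the page.
ALSO_BLOCKED = {"GB", "CH", "NO", "IS", "LI"}
BLOCKED_COUNTRIES = EU_MEMBER_STATES | ALSO_BLOCKED

# RFC 7807-style problem document, as shown on the page.
GEO_BLOCKED_PROBLEM = {
    "type": "https://docs.vereid.com/errors/geo_blocked",
    "title": "Region not yet supported for live verification",
    "status": 451,
    "detail": "Live verification is not yet available for EU/EEA/UK residents. "
              "Use sandbox mode or contact sales for early access.",
    "region": "EU",
}


def viewer_country(headers: dict) -> Optional[str]:
    """Return the upper-cased alpha-2 code from cf-ipcountry, or None.

    Header names are matched case-insensitively; anything that is not two
    letters is treated as absent rather than trusted.
    """
    for name, value in headers.items():
        if name.lower() == "cf-ipcountry":
            code = value.strip().upper()
            return code if len(code) == 2 and code.isalpha() else None
    return None


def verify_session_guard(headers: dict, live: bool = True) -> Tuple[int, Optional[dict]]:
    """Application-layer check for POST /v1/verify/sessions.

    Returns (status, body). Sandbox/test-mode requests are never blocked,
    matching the page. Live requests from a blocked country get the 451
    problem document. Assumption: a missing or unparseable country code is
    also blocked (fail closed), since both layers must agree to permit.
    """
    if not live:
        return 200, None
    code = viewer_country(headers)
    if code is None or code in BLOCKED_COUNTRIES:
        return 451, GEO_BLOCKED_PROBLEM
    return 200, None


def client_next_step(status: int, body_text: str) -> str:
    """Integrator-side handling: route geo-blocked users to the sandbox flow
    instead of surfacing a generic error. Returns 'proceed', 'sandbox' or
    'error'."""
    if status != 451:
        return "proceed"
    try:
        problem = json.loads(body_text)
    except json.JSONDecodeError:
        return "error"
    if problem.get("type") == GEO_BLOCKED_PROBLEM["type"]:
        return "sandbox"
    return "error"


if __name__ == "__main__":
    # Constructed sample requests: EU viewer, US viewer, header missing.
    for hdrs in ({"CF-IPCountry": "de"}, {"cf-ipcountry": "US"}, {}):
        status, body = verify_session_guard(hdrs)
        body_text = json.dumps(body) if body else ""
        print(hdrs, "->", status, client_next_step(status, body_text))
```

The guard keys on the problem document's type URI rather than on the status code alone, so an integrator can distinguish the geo-block from any other 451 and fall back to the sandbox flow the page says remains available.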

What still works for EU users

  • Social endpoints (read and write) are unaffected.
  • Auth endpoints (/v1/oidc/*, /v1/oauth2/*) are unaffected — EU users can sign in to your VEREID-Auth app.
  • Test mode verifications are unaffected — your developers in the EU can build the full flow against the sandbox.

How the block lifts

Three sign-offs must all be present, recorded in compliance/control-matrix.md:

  1. External counsel review of the verification flow, biometric retention, and consent screens against the EU AI Act risk classification.
  2. DPIA (Data Protection Impact Assessment) completed and reviewed.
  3. Sub-processor list updated and pre-notified to existing customers.

Once those three land, the WAF rule flips and the application-layer guard is downgraded to a banner.

Live VEREID ID will fall under the EU AI Act's biometric remote identification category (limited risk → high risk depending on use case). Our hosted flow always:

  • Presents a per-purpose consent dialog with a per-purpose timestamp and IP recorded in consent_events.
  • Allows the user to withdraw consent at any time via /v1/me/consent — withdrawal purges biometric templates immediately and stops further processing.
  • Refuses to enroll users under 16 without a parental consent attestation (separate flow).

Data subject rights

The DSR endpoints are implemented and gated by a one-time email-OTP challenge:

Right          | Endpoint
---------------+----------------------------------------------------------------------------------
Access         | POST /v1/me/data-export: async, returns a signed S3 URL within 30 days.
Rectification  | PATCH /v1/me/profile: instant for self-managed fields.
Erasure        | POST /v1/me/delete: async, completes within 30 days.
Restriction    | POST /v1/me/restrict: flag set, processing halted.
Objection      | POST /v1/me/object: opts out of profiling-style features (currently: ranked-feed scoring).
Portability    | Included in data-export; JSON + machine-readable.

Full operational detail, including B2B-customer DSR delegation, is in the DSR handling guide.

Right to access vs. trade-secret guardrails

We honour every access request to the user's data. We do not disclose tenant configuration, internal scoring weights, or other tenants' data via a user-initiated DSR. EU regulators have repeatedly clarified this carve-out; the boundary is documented in compliance/dpia.md.

Sub-processors

Live list at https://vereid.com/legal/sub-processors. Material additions are pre-notified 30 days in advance via email + this page's RSS feed.

Working with us on EU readiness

If you are an EU-headquartered customer waiting for the verify block to lift, talk to sales — you can join the early-access list. Until then, you can build and certify your integration end-to-end against sandbox.