Compliant by Design: The Full Didit Attestation Stack
Five independent attestations — SOC 2 Type 1, ISO/IEC 27001:2022, iBeta Level 1 PAD, the Tesoro/SEPBLAC/CNMV sandbox conclusion, and the finReg360 EBA opinion — make Didit's compliance posture provable, not promised.

Anyone can say their identity platform is secure and compliant. Far fewer can hand you the independent reports that prove it. Didit's compliance posture is a provable asset: five external attestations — covering information security, biometric anti-spoofing, and the legal adequacy of remote onboarding — including the only EU member-state government attestation that a remote identity verification tool meets and exceeds in-person identification standards.
This post is the single place to understand the full stack: what each attestation is, who issued it, exactly what it covers, and how you can use it in due diligence, RFPs, and procurement. No overstatement — the levels and dates are stated precisely, because in compliance, precision is the value.
Key takeaways
- SOC 2 Type 1 — service-organization control attestation (Security, Availability, Confidentiality) by ATOM, as of 2026-04-09. Type 2 examination planned. Restricted-use (NDA).
- ISO/IEC 27001:2022 — information-security management system, certified by Bureau Veritas, cert nº ES144068, valid until 2027-06-03. Distributable.
- iBeta Level 1 PAD — biometric Presentation Attack Detection under ISO/IEC 30107-3, 0% attack success / 0% IAPAR across 360 attempts. Distributable.
- Tesoro / SEPBLAC / CNMV — Spanish financial-sandbox conclusion that Didit's remote verification meets and exceeds in-person identification. Publicly published, permanent. The flagship EU differentiator.
- finReg360 — EBA/GL/2022/15 memo — independent legal opinion (2026-04-28) that Didit's remote onboarding is adequate under the EBA remote-onboarding guidelines and the EU AML Single Rulebook. Distributable.
- Together they cover the three questions every buyer asks: is your security sound, is your biometric check spoof-resistant, and is your onboarding legally adequate?
What "compliant by design" requires
A buyer evaluating an identity-verification vendor is really running three audits at once:
- Information security — is the platform itself secure? Is customer data protected? Are controls designed and managed to a recognized standard?
- Biometric integrity — can the liveness and face-matching be fooled by photos, replays, masks, or deepfakes?
- Regulatory adequacy — does using this tool actually satisfy the law the buyer is subject to, especially for remote onboarding?
A vendor that answers all three with independent third-party evidence — rather than self-assessment — collapses a multi-week due-diligence cycle into a folder of documents. That's what "compliant by design" means in practice: the proof exists before the buyer asks.
Why it matters
Compliance evidence is no longer a nice-to-have late in the sales cycle — it's a gate. Bank and EMI procurement teams, crypto VASP MLROs, and enterprise security reviewers will not sign without it. The questionnaire arrives early, and the deal stalls until the artifacts land.
The vendor that can immediately produce a SOC 2 report, an ISO 27001 certificate, an iBeta result, a government sandbox conclusion, and an independent legal opinion doesn't just pass the gate — it shortens the cycle and de-risks the decision for the buyer's compliance team. Each attestation removes a reason to say no.
How Didit helps: the five attestations
1. SOC 2 Type 1 (ATOM)
A service-organization control attestation against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality, issued by ATOM. It reports on the design of Didit's controls as of 2026-04-09. A Type 2 examination — operating effectiveness over a period — is the planned next step. The full report is restricted-use under AICPA rules and shared with prospects and customers who have a legitimate need and an NDA in place. Use it for US enterprise security questionnaires and fintech procurement.
2. ISO/IEC 27001:2022 (Bureau Veritas, cert nº ES144068)
Certification of Didit's information-security, cybersecurity, and privacy management system, issued by Bureau Veritas Certification (ENAC-accredited). Certificate number ES144068, originally certified 2026-04-07, valid until 2027-06-03. It evidences a managed, audited information-security system — the baseline EU procurement and regulated financial customers expect. Distributable on request.
3. iBeta Level 1 PAD (ISO/IEC 30107-3)
An independent biometric Presentation Attack Detection evaluation by iBeta Quality Assurance (a NIST NVLAP-accredited lab) against ISO/IEC 30107-3 at Level 1. The test ran 6 species of presentation attacks across enrolled subjects for 360 attack attempts and recorded a 0% attack success rate / 0% IAPAR. This is the audited evidence behind Didit's anti-spoofing claims. Distributable on request. It is Level 1, not Level 2, stated precisely: Level 1 covers low-cost, easily produced artifacts (printed photos, screen replays and similar); higher-effort artifacts such as silicone or resin 3D masks belong to Level 2 and are outside the scope of this evaluation.
4. Tesoro / SEPBLAC / CNMV sandbox conclusion
The flagship differentiator. Within the Spanish financial sandbox, Spain's CNMV — reviewing in coordination with SEPBLAC (the Spanish Financial Intelligence Unit) — concluded that Didit's remote identity verification (cryptographic NFC chip reading plus facial biometrics with active liveness) meets and exceeds in-person identification standards. Tests ran from 2024-11 to 2025-07, with conclusions published in February 2026 on the Spanish Treasury site. It is the only EU member-state government attestation of its kind; it is publicly published and permanent. Distributable.
5. finReg360 — EBA/GL/2022/15 adequacy memo
An independent legal opinion from finReg360 (Madrid), dated 2026-04-28, concluding that Didit's remote customer-onboarding tool meets the EBA Guidelines on remote customer onboarding (EBA/GL/2022/15) and is compatible with the incoming EU AML Single Rulebook, and that the video-identification process does not require manual human review when Didit's automated controls are in place. This is the document an MLRO can put in front of a board or supervisor. Distributable on request.
Deep dive: which attestation answers which question
Different buyers lead with different concerns. Here's how to reach for the right document:
- "Is your platform secure / how do you protect our data?" → SOC 2 Type 1 (under NDA) and ISO/IEC 27001:2022 (cert ES144068).
- "Can your liveness be spoofed?" → iBeta Level 1 PAD: 0% attack success across 360 attempts (Level 1 attack species only).
- "Does using you actually satisfy our remote-onboarding obligations?" → the finReg360 EBA/GL/2022/15 memo, backed by the Tesoro/SEPBLAC/CNMV government conclusion.
- "Why should we trust remote over in-person?" → the Tesoro/SEPBLAC/CNMV conclusion that Didit meets and exceeds in-person identification.
A note on sharing: ISO 27001, iBeta, the Tesoro/SEPBLAC/CNMV report, and the finReg360 memo are distributable on request; the SOC 2 report is restricted-use and shared only under NDA. Didit's public materials reference the attestations, but the restricted SOC 2 report itself is not published.
Use cases
- Enterprise and bank procurement that requires SOC 2 and ISO 27001 before signing.
- Crypto VASP MLROs needing legal adequacy evidence for remote onboarding under EU rules.
- Security teams assessing biometric anti-spoofing with an independent lab result.
- EU sales where the government sandbox conclusion is the decisive differentiator over competitors.
Frequently asked questions
Is Didit's SOC 2 a Type 1 or Type 2?
It is a Type 1 attestation, reporting on the design of controls as of 2026-04-09. A Type 2 examination is planned. The report is restricted-use and shared under NDA.
What level is the iBeta PAD result?
Level 1 under ISO/IEC 30107-3, with a 0% attack success rate / 0% IAPAR across 360 attack attempts.
What makes the Tesoro/SEPBLAC/CNMV conclusion unique?
It is the only EU member-state government attestation that a remote identity verification tool meets and exceeds in-person identification — and it is publicly published and permanent.
Which documents can I receive without an NDA?
ISO/IEC 27001:2022, the iBeta Level 1 PAD letter, the Tesoro/SEPBLAC/CNMV conclusion, and the finReg360 memo are distributable on request. The SOC 2 Type 1 report requires an NDA.
Is Didit an eIDAS-certified Qualified Trust Service Provider?
No. Didit is aligned with and supports relevant EU frameworks but is not a certified QTSP; the five attestations above are what it holds today.
Ready to get started?
See all of Didit's attestations on the trust hub, explore the ID Verification product, and review transparent pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, with a core verification flow from $0.33.