一度認証。どこでも再利用。

Didit is infrastructure for identity and fraud, the platform we wished existed when we were building products ourselves: open, flexible, and developer-friendly, so it works as a real part of your stack instead of a black box you integrate around.

One API covers verifying people (KYC, know your customer), verifying businesses (KYB, know your business), screening crypto wallets (KYT, know your transaction), and monitoring transactions in real time, on a stack built to be:

• Fast, sub-2-second p99 on every session
• Reliable, in production with 1,500+ companies across 220+ countries
• Secure, SOC 2 Type 1, ISO 27001, GDPR-native, and formally attested by Spain's financial regulator as safer than verifying someone in person

The footprint underneath: 14,000+ document types in 48+ languages, 1,000+ data sources, and 200+ fraud signals on every session. The Didit infrastructure dynamically learns from every session and gets better every day.

eIDAS 2.0, short for electronic IDentification, Authentication and trust Services, is the EU's 2024 update to its identity rulebook. The headline change is the European Digital Identity Wallet (often shortened to EUDI Wallet): a smartphone app every EU citizen and resident will be entitled to by the end of 2026.

The wallet holds verifiable credentials, a digital driving licence, a verified-identity attestation, an academic diploma, issued by trusted parties and presented to relying parties with cryptographic proof, optionally with selective disclosure (prove you are over 18 without revealing your full date of birth).

For businesses, eIDAS 2.0 is about both accepting wallet-presented credentials and issuing the credentials your users carry.

Mandatory acceptance is rolling in by sector:

• Public services, every EU member state must offer wallet-based identification for tax filing, social security, voting registration by 2026
• Very Large Online Platforms (VLOPs) under the Digital Services Act, must accept wallet credentials when an identity check is required
• Banks and payment service providers, wallet acceptance built into the upcoming PSD3 / Payment Services Regulation
• Telecoms operators, SIM registration, age-restricted services
• Healthcare and academic credential issuers, voluntary at first, increasing pressure over the decade

Outside the mandatory list, every EU business has the option to issue and accept wallet credentials voluntarily, and most regulated businesses will, because the user experience is dramatically better than re-running a full KYC.

The full flow normally takes under 30 seconds end-to-end, pick up the ID, snap the document, snap the selfie, done. That is the fastest in the market. Legacy KYC providers usually take more than 90 seconds for the same flow.

On the back end, Didit returns the result in under two seconds at p99, measured from the moment the user finishes the selfie to the moment your webhook fires. Mobile capture is tuned for slow phones and slow networks: progressive image compression, lazy software development kit load, and a one-tap hand-off from desktop to phone via QR code if the user starts on web.

Federated login proves an account exists with the identity provider, the receiving business gets an email address and maybe a name. That is not regulatory-grade identity.

Reusable identity carries:

• A government-document-grade verification (passport, national identity card scanned and OCR'd)
• A biometric link to the human presenting the credential (selfie matched to the document portrait)
• A liveness check that catches deepfakes, masks, replay attacks
• An AML status screened against sanctions, PEP, and adverse-media lists
• A signed attestation from a regulated provider, time-stamped, with a verifiable trail

The verifier gets the same regulatory comfort it would get from running its own KYC, without the cost, the friction, and the conversion drop.

Every session lands on one of seven clear statuses, so your code always knows what to do:

• Approved, every check passed. Move the user forward.
• Declined, one or more checks failed. You can allow the user to resubmit the specific failed step (for example, re-take the selfie) without re-running the whole flow.
• In Review, flagged for compliance review. Open the case in the console, see every signal, decide approve or decline.
• In Progress, user is mid-flow.
• Not Started, link sent, user has not opened it yet. Send a reminder if it sits too long.
• Abandoned, user opened the link but did not finish in time. Re-engage or expire.
• Expired, the session link aged out. Create a new session.

A signed webhook fires on every status change, so your database always stays in sync. Abandoned and declined sessions are free.

Production data is processed and stored in the European Union by default, on Amazon Web Services. Enterprise contracts can request alternative regions for jurisdictions whose regulators require it.

Encryption everywhere. AES-256 at rest across every database, object store, and backup. Transport Layer Security 1.3 in transit on every API call, webhook, and Business Console session. Biometric data is encrypted under a separate Customer Master Key.

Retention is yours to control. Default retention is indefinite (unlimited) unless you configure shorter, between 30 days and 10 years per application, and you can delete any individual session at any time from the dashboard or the API.

Certifications: SOC 2 Type 1 (Type 2 audit in progress), ISO/IEC 27001:2022, iBeta Level 1 PAD, and a public attestation from Spain''s Tesoro / SEPBLAC / CNMV that Didit''s remote identity verification is safer than verifying someone in person. Full report at /security-compliance.

Didit ships compliant by default for the regulators that matter to identity infrastructure:

• GDPR + UK GDPR, controller / processor split, full Data Processing Agreement published, lead supervisory authority named (Spain''s AEPD).
• AMLD6 + EU AML Single Rulebook, 1,300+ sanctions, politically exposed person, and adverse-media lists screened in real time.
• eIDAS 2.0, EU Digital Identity Wallet aligned; reusable-identity ready.
• MiCA (Markets in Crypto-Assets), ready for crypto on-ramps, exchanges, and custodians.
• DORA, Digital Operational Resilience Act, EU financial-services operational resilience.
• BIPA, CUBI, Washington HB 1493, CCPA / CPRA, US biometric privacy (Illinois, Texas, Washington) and California consumer privacy.
• UK Online Safety Act, age-gating and child-safety obligations.
• FATF Travel Rule, originator and beneficiary data on crypto transfers, IVMS-101 interoperable.

Detailed memo, every certificate, every regulator letter: /security-compliance.

• 60 seconds to a sandbox account at business.didit.me, no credit card.
• 5 minutes to a working verification through Claude Code, Cursor, or any coding agent via our Model Context Protocol (MCP) server.
• A weekend to a production-ready integration with signed-webhook verification, retries, and a remediation flow when a user is declined.

Three integration paths, pick whichever fits your stack:

• Embed natively with our Web, iOS, Android, React Native, or Flutter SDK.
• Redirect the user to the hosted verification page, zero SDK.
• Send a link by email, SMS, WhatsApp, or any channel, zero front-end work.

Same dashboard, same billing, same pay-per-success price for all three. Step-by-step guide at docs.didit.me/integration/integration-prompt.

Reusable identity is a privacy upgrade on the legacy KYC stack:

• Selective disclosure is built in, the verifier sees only the fields needed, not the underlying document
• No central registry, the credential lives in the user's wallet, not on a Didit-owned ledger of who-presented-what-to-whom
• Per-presentation consent, the user approves each disclosure explicitly
• EU-resident storage, the issuer-side evidence pack stays in EU data centres; the wallet itself is on the user's device
• Right to be forgotten, when a user revokes a credential, the receiving platform must drop it from its records under GDPR; Didit's per-platform revocation API makes this one call

The legal basis for processing on the receiving side is legitimate interest under GDPR, the user has explicitly presented a credential to access the service. Didit's standard Data Processing Agreement (DPA) covers the joint-controller relationship.

Three trigger types:

• Document renewal (passport expires, new national identity card issued) → the user re-runs a lightweight refresh in the Didit app; the credential is reissued with the new document fingerprint
• Material identity change (new legal name, gender marker change, country of residence change) → full re-verification at $0.33; the old credential is revoked and a new one issued
• AML status change (a previously-clean user becomes a PEP or hits a sanctions list) → Didit's continuous monitoring flags the change automatically, the credential's AML field is updated, and every receiving platform sees the refreshed status on next presentation

The receiving platform never has to chase the user for updates, the credential carries its own freshness signal, and stale credentials are rejected at presentation time.

The verifier (the receiving platform) gets the same per-presentation evidence pack the original verifier got, plus the chain of issuance:

• The original KYC evidence, document scan, biometric similarity, AML hits, device + IP risk signals, signed timestamps
• The issuance chain, which Didit-powered platform issued the credential, when, on which workflow
• The presentation log, when this user presented to your platform, which fields they disclosed, your verifier's verdict
• The current AML status, refreshed daily by Didit's continuous monitoring
• The HMAC SHA-256 signature on every field, so chain-of-custody is provable

Didit is the only KYC provider with a formal EU member-state government attestation, Spain's Treasury, Banco de España, and SEPBLAC jointly attested the service as safer than in-person verification. That attestation extends to every reused presentation.