Security posture

DomeID stores some of the most sensitive personal data Australians ever upload — government IDs, biometric vectors, address proofs. Our posture reflects that.

Subprocessors

• Sumsub — KYC/AML provider. SOC 2 Type II + ISO 27001 + GDPR + APP-aligned. Australian region storage available.
• Supabase — Postgres + Auth + Storage. SOC 2 hosting; AU region.
• Vercel — Application hosting. SOC 2 Type II.
• Resend — Transactional email. SOC 2 Type II.
• Sentry — Error tracing. PII scrubbed by default.

Data handling

• TLS 1.3 in transit, AES-256 at rest.
• Document scans never leave Sumsub or Supabase Storage.
• Document numbers stored as SHA-256 hash + last 4 only for display.
• Selfies and liveness videos auto-deleted at 12 months unless flagged.
• Hard-deletion 30 days after consumer request.
• Append-only audit log enforced by Postgres triggers (UPDATE/DELETE rejected).
• Row-level security on every consumer-data table.

Operational controls

• Service-role keys restricted to webhook handlers and background jobs.
• No production database access for engineers in normal operation.
• Quarterly access reviews.
• Notifiable Data Breaches scheme: detection via Sentry, Supabase audit logs, and Logflare alerts on bulk export.
• Cyber insurance from V1.

Reporting a vulnerability

We take responsible disclosure seriously. Email security@domeid.com.au with steps to reproduce. We acknowledge within 24 hours and aim to triage within 72.