Compliance & Security

Built for compliance-first platforms. Zero PII retention. Token-based access control.

UK OSA Ready
Age-Verification Compliant
GDPR-Safe

Why Tokenization is Safer

1. Zero PII Storage

Traditional age verification systems store personally identifiable information (PII), biometric data, and ID document images. Verqan uses JWT tokens instead; you never store sensitive data, reducing your liability and compliance burden.

2. Time-Limited Access

Tokens expire after 24 hours (configurable). This means even if a token is compromised, it has a limited window of validity. Compare this to storing permanent user data that could be breached years later.

3. Reduced Attack Surface

By not storing PII, your database becomes a less attractive target for attackers. Even if it is breached, there is no sensitive user data to steal. Tokens are cryptographically signed and validated server-side.

4. Audit Trail Without PII

You can maintain compliance audit trails using token IDs and verification metadata without storing actual user data. This satisfies regulatory requirements while minimizing privacy risks.

Regulatory Compliance

UK GDPR & Data Protection

Verqan operates with a zero-retention policy for PII. We only store verification metadata (IDs, status, timestamps) and technical data (IP, user agent) for rate limiting and billing. Raw evidence, ID images, and biometric templates are not stored.

Because we store no end-user PII, your exposure from a Verqan data breach is limited to verification metadata. You remain the data controller for your users; Verqan acts as a data processor under your instructions.

UK Online Safety Act Ready

Verqan is built to support the age assurance requirements of the UK Online Safety Act. Our iDenfy-powered verification generates signed audit tokens that platform operators can use to demonstrate compliance with age assurance obligations.

You remain the regulated entity; Verqan is your infrastructure layer. Always verify your specific obligations with legal counsel.

Age Verification Compliance

Meets age verification requirements for adult content, gambling, and age-restricted commerce across multiple jurisdictions including the UK and EU. US state requirements vary — contact us to discuss your specific jurisdiction.

Powered by iDenfy for robust government-ID document verification.

Data Minimization

We follow the principle of data minimization: only collecting and storing the minimum data necessary for verification and billing. No biometric templates, no ID images, no PII.

See our Data Processing Agreement for details.

US State Age Verification Laws

Louisiana (HB 142)

Requires commercial websites that publish explicit sexual material to use digital age verification before granting access. Applies to sites where over 33.3% of content is explicit. Operators must retain no PII beyond what is necessary for verification.

Verqan's zero-storage token architecture is designed to satisfy this requirement.

Utah (SB 287)

Requires age verification for commercial pornographic websites accessible to Utah residents. Age verification data must be deleted after use and not sold or shared.

Verqan retains no ID images or biometric data — only signed token metadata.

Texas (HB 1181)

Requires age verification and health warnings on sites where over 33.3% of content is sexually explicit material. Prohibits platforms from retaining identifying information after verification.

JWT tokens encode verification status without storing the underlying PII.

Virginia (HB 2485) + Others

Virginia, Arkansas, Mississippi, Montana, and Indiana have enacted similar age verification requirements. More states are enacting legislation, with federal proposals under discussion.

Contact hello@verqan.com for jurisdiction-specific compliance guidance.

This overview is for informational purposes only and not legal advice. Regulations change — verify current requirements with legal counsel.

Security Features

  • HMAC-SHA256 Signed Tokens
    All tokens are cryptographically signed and validated server-side
  • Timing-Safe API Key Comparison
    Prevents timing attacks on authentication
  • Rate Limiting & Quotas
    Per-tenant rate limits and monthly quotas prevent abuse
  • Webhook Signature Verification
    HMAC-SHA256 signed webhooks ensure data integrity