Global Compliance

Built for compliance from day one.

Okto runs identity verification for hospitality partners across the EU, Morocco, and beyond. Every byte of personal data we handle is processed under documented retention controls, encryption at rest and in transit, and full audit traceability.

What we comply with

GDPR-ready
EU General Data Protection Regulation
  • Right of access (Art. 15) + portability (Art. 20) via API export
  • Right to erasure (Art. 17) via DELETE endpoint with webhook fan-out
  • Default 30-day photo retention, hourly purge cron
  • Cross-border safeguards (Standard Contractual Clauses in DPA)
AML / Sanctions screening
EU AMLD 5/6 + OFAC + UN + BIS lists
  • Self-hosted moov-io/watchman screens every successful verification
  • OFAC SDN + EU Consolidated + UN + BIS aggregated daily
  • Hits scored 0–1 with configurable match threshold (default 0.85)
  • Webhook payload exposes per-list match detail for audit
Anti-fraud defences
Document + biometric integrity
  • MRZ ↔ visual-zone cross-check (mismatches flag forged documents)
  • Per-country passport-number format validation
  • Photo-of-screen detection (Rekognition device labels)
  • Specimen / sample / training marker scan
  • Passive 6-frame liveness (blink + pose + sharpness)
Operational safety
Cost control + abuse prevention
  • Per-step attempt caps (3 failed attempts per session → manual review)
  • Per-host hourly create caps (tiered, ops-managed)
  • Webhook retry with exponential backoff (7 attempts, ~33h)
  • Audit log captures every state transition + actor

Data subject rights

Guests verified through Okto can exercise their GDPR rights at any time. Requests should go to the data controller (the hospitality partner who created the verification) first; if escalation is needed, contact our Data Protection Officer directly.

Right of access / portability
Receive every data point Okto holds about you, in machine-readable JSON.
Right to erasure
Have your personal data removed from our systems within 30 days.
Right to restriction
Pause processing while disputes are resolved.
Right to lodge a complaint
With your national supervisory authority (CNIL, CNDP, BfDI, etc.).
Data Protection Officer: data-protection@okto.io
Postal: [TODO: registered address + DPO postal address]

Documents

Privacy Policy
How we collect, process, and protect personal data.
Cookie Policy
What cookies we use and how to manage them.
Data Processing Agreement (template)
Contractual basis for hospitality partners using Okto as a processor.

On the horizon

We're working toward iBeta Level 1 (ISO 30107-3 presentation-attack detection) and SOC 2 Type 1 certifications. We'll publish dates here once audits are scheduled.