The principle: if your face is in our system, it must be encrypted, audited, and revocable. Always.
How we protect biometric data
Biometric data — verified face scans, voice samples, behavioural liveness signatures — is the most sensitive category we handle. Our approach:
Encryption at rest
All biometric assets are stored under AES-256 encryption, with keys rotated and managed through a cloud KMS.
Encryption in transit
TLS 1.3 enforced across all client connections, internal services, and partner integrations.
Access control
Role-based access control: biometric data is accessible only to authorised personnel, and every access is recorded in audit logs.
Tokenisation
Biometric vectors are stored as cryptographic embeddings rather than raw images, wherever the verification logic permits.
Provenance & audit trail
Every use of a verified twin generates an immutable, cryptographically signed audit record. Talent can see who licensed their twin, for what purpose, in which territory, and for how long — at any time, in real time.
Where supported, we sign outputs with watermarking standards including SynthID-compatible techniques, so AI-generated assets can be traced back to their source twin.
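To make the "immutable, cryptographically signed audit record" concrete, here is an added illustration of one common way to build such a trail: each record carries the hash of the record before it, and each hash is signed. This is example code written for this page, not Twinnin's own implementation; the record fields, the twin and licensee names, and the in-memory signing key are all constructed for the demonstration (a real deployment would keep the key in the KMS mentioned above).

```python
"""Hash-chained, HMAC-signed audit log (added example, not Twinnin's code)."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed signing key for the example; in production this lives in a KMS/HSM.
SIGNING_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64  # prev_hash value used by the very first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so every verifier hashes identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, *, twin_id: str, licensee: str, purpose: str,
                  territory: str, valid_until: str, key: bytes = SIGNING_KEY) -> dict:
    """Append one licence event, chained to the previous record and signed."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "twin_id": twin_id,
        "licensee": licensee,
        "purpose": purpose,
        "territory": territory,
        "valid_until": valid_until,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,
    }
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    record = dict(body, hash=digest, sig=sig)
    log.append(record)
    return record


def verify_log(log: list, key: bytes = SIGNING_KEY) -> tuple:
    """Return (ok, index of first bad record); index -1 means the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        if rec.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i  # reordered, inserted or re-chained record
        expected_hash = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected_hash, rec.get("hash", "")):
            return False, i  # record body was altered after signing
        expected_sig = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, rec.get("sig", "")):
            return False, i  # hash was recomputed without the signing key
        prev_hash = rec["hash"]
    return True, -1


def licences_for(log: list, twin_id: str) -> list:
    """The talent-facing view: who licensed the twin, for what, where, and until when."""
    return [{k: r[k] for k in ("licensee", "purpose", "territory", "valid_until")}
            for r in log if r["twin_id"] == twin_id]


def demo() -> tuple:
    log = []
    append_record(log, twin_id="twin-demo-001", licensee="Acme Studios (constructed)",
                  purpose="advert", territory="UK", valid_until="2026-12-31")
    append_record(log, twin_id="twin-demo-001", licensee="Example Games (constructed)",
                  purpose="in-game voice", territory="EU", valid_until="2027-06-30")
    # Quietly extending a licence in storage breaks the chain at that record.
    tampered = [dict(r) for r in log]
    tampered[0]["valid_until"] = "2099-12-31"
    return verify_log(log), verify_log(tampered), licences_for(log, "twin-demo-001")


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. A hash chain detects modification, insertion and reordering, but not silent deletion of the most recent records; for that the latest hash has to be anchored somewhere the storage owner cannot rewrite (a separate log, a transparency service, or a timestamped publication). And HMAC is symmetric, so anyone able to verify can also forge; where talent or partners should be able to check records independently, an asymmetric signature (for example Ed25519 with the private key held in the KMS) is the usual choice.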
Identity verification
Identity is verified at registration using government-issued ID, biometric liveness checks, and (in higher-risk cases) human review. We use established identity verification partners with documented certifications.
Operational security
- Penetration testing on a regular schedule by independent firms
- SOC 2 Type 2 alignment in progress for enterprise customer requirements
- Incident response runbook with talent notification within 72 hours under UK GDPR
- Vendor risk assessment for all third-party processors
- Background checks on all personnel with access to biometric systems
Compliance & certifications
Twinnin operates under:
- UK GDPR and the Data Protection Act 2018
- EU AI Act (deepfake transparency provisions, effective 2 August 2026)
- US NO FAKES Act framework for any US-deployed assets
- California AB 2602 / Labor Code §927
- SAG-AFTRA Digital Replica Rider (where applicable for talent-side enforcement)
We're registered with the Information Commissioner's Office (ICO) in the UK, and are pursuing ISO 27001 certification.
Report a security issue
Security researchers can report vulnerabilities to security@twinnin.ai. We respond within 48 hours. We support coordinated disclosure.
For enterprise customers
Enterprise customers requesting detailed security questionnaires, DPIA support, or custom DPA agreements should contact katrien@twinnin.ai. We complete enterprise security reviews within 5 business days.
Concerned about a specific risk? Email security@twinnin.ai or katrien@twinnin.ai directly.