Security and Privacy Overview
IdScanly is designed for privacy-first identity document OCR workflows where document images and extracted fields must be handled carefully.
Last updated: June 19, 2026
Transport security
The website and public demo are intended to be used over HTTPS only. API integrations should always use HTTPS outside local development.
Sensitive identity data should never be placed in URLs, query strings or client-side logs.
Credential handling
API keys should remain on your backend. Client applications should call your own server, and your server should call IdScanly.
Rotate credentials if a key may have been exposed.
Privacy-first processing
Identity document images are processed and discarded by default. API responses should be treated as sensitive personal data.
Responses should not be cached by clients or proxies, or written to logs, unless your organization has a lawful and intentional retention policy.
Operational controls
Enterprise customers can discuss network allowlisting, retention controls, monitoring, logging boundaries and deployment architecture for their deployments.
Audit-friendly request IDs and metadata are safer than logging document images or full OCR response bodies.
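One way to apply the logging and caching guidance above on your own backend, shown as an added example that is not IdScanly code. The response shape (request_id, document_type, fields), the sample values and the function names are assumptions constructed for illustration.

```python
import json

# Assumed response shape (constructed sample; not IdScanly's documented schema).
SAMPLE_RESPONSE = {
    "request_id": "req-EXAMPLE-0001",
    "document_type": "passport",
    "fields": {
        "surname": "DOE",
        "given_names": "JANE",
        "document_number": "X0000000",
        "date_of_birth": "1990-01-01",
    },
}

# Header your backend can set when relaying results to its own clients,
# so browsers and intermediary proxies do not keep a copy of the response.
NO_STORE_HEADERS = {"Cache-Control": "no-store"}


def audit_record(response, status_code, elapsed_ms, image_size_bytes):
    """Build a log-safe record: identifiers and metadata, no field values."""
    fields = response.get("fields") or {}
    return {
        "request_id": response.get("request_id"),
        "status_code": status_code,
        "elapsed_ms": elapsed_ms,
        "image_size_bytes": image_size_bytes,
        "document_type": response.get("document_type"),
        # Names only: shows which fields were extracted, not their contents.
        "field_names": sorted(fields),
        "field_count": len(fields),
    }


def leaked_values(record, response):
    """Return any extracted field value that appears in the serialized record."""
    line = json.dumps(record, sort_keys=True)
    return [v for v in (response.get("fields") or {}).values() if str(v) in line]


def log_ocr_call(logger, response, status_code, elapsed_ms, image_size_bytes):
    record = audit_record(response, status_code, elapsed_ms, image_size_bytes)
    # Fail closed: refuse to write the line if a field value slipped in.
    if leaked_values(record, response):
        raise ValueError("audit record contains extracted field values")
    logger.info("ocr_call %s", json.dumps(record, sort_keys=True))
    return record
```

The leak check is a substring match, so very short field values can trigger it spuriously; it errs toward not writing the log line.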
Recommended customer controls
Encrypt data at rest, restrict access to OCR results, delete temporary files promptly and avoid storing documents longer than necessary.
Need enterprise security details?
Contact us for deployment, retention, network and security review discussions.