Security and privacy

Security and Privacy Overview

IdScanly is designed for privacy-first identity document OCR workflows where document images and extracted fields must be handled carefully.

Last updated: June 19, 2026

Transport security

The website and public demo are intended to be used over HTTPS only. API integrations should always use HTTPS outside local development.

Sensitive identity data should never be placed in URLs, query strings or client-side logs.

Credential handling

API keys should remain on your backend. Client applications should call your own server, and your server should call IdScanly.

Rotate credentials if a key may have been exposed.

Privacy-first processing

Identity document images are processed and discarded by default. API responses should be treated as sensitive personal data.

Responses should not be cached by clients, proxies or logs unless your organization has a lawful and intentional retention policy.

Operational controls

For enterprise deployments, network allowlisting, retention controls, monitoring, logging boundaries and deployment architecture can be discussed.

Audit-friendly request IDs and metadata are safer than logging document images or full OCR response bodies.
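
One way to enforce that logging boundary on your backend is an allowlist that builds the log record from scratch. This is an added example, not IdScanly code. The response shape and every field name in it (request_id, document_type, processing_ms, fields, image_base64) are assumptions, since this page does not document the API schema.

```python
import json
import logging

logger = logging.getLogger("ocr_audit")

# Constructed sample with a hypothetical response shape (not real data,
# not IdScanly's documented schema).
SAMPLE_RESPONSE = {
    "request_id": "req_example_0001",
    "document_type": "passport",
    "processing_ms": 412,
    "fields": {"surname": "DOE", "given_names": "JANE",
               "document_number": "X0000000"},
    "image_base64": "AAAA",
}

# Allowlist: only these top-level keys may ever reach a log line.
# Anything not named here (fields, images, future additions) is dropped.
AUDIT_KEYS = ("request_id", "document_type", "processing_ms")


def audit_record(response: dict, http_status: int) -> dict:
    """Build a log-safe record from an OCR response."""
    record = {}
    for key in AUDIT_KEYS:
        value = response.get(key)
        # Keep scalars only, so a nested object cannot smuggle
        # extracted data through an allowlisted key.
        if isinstance(value, (str, int)):
            record[key] = value
    record["http_status"] = http_status
    # Log which fields were extracted and how many, never their values.
    fields = response.get("fields") or {}
    record["field_names"] = sorted(fields)
    record["field_count"] = len(fields)
    return record


def log_ocr_call(response: dict, http_status: int) -> str:
    """Emit one structured audit line and return it for inspection."""
    line = json.dumps(audit_record(response, http_status), sort_keys=True)
    logger.info("ocr_call %s", line)
    return line
```

An allowlist fails closed: a field added to the response later stays out of the logs until someone deliberately adds it to AUDIT_KEYS.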

Recommended customer controls

Encrypt data at rest, restrict access to OCR results, delete temporary files promptly and avoid storing documents longer than necessary.

Need enterprise security details?

Contact us for deployment, retention, network and security review discussions.
