Data Protection and Information Security within Mirror
All policies and technical decisions around our data storage and protection have been designed under the advisory of David Green to ensure the highest level of security from both a technical and a process standpoint. The Mirror product is designed to align with the training and advice provided by David Green, Director of The Strategic Partner, independently reviewed by QC Gregory Treverton-Jones, 39 Essex Chambers.
Data is encrypted and stored in the AWS United Kingdom region (including Ireland). This data is stored in a GDPR-compliant manner and in accordance with your policies (i.e. if you ask us to remove all of your client data, including your audit trail, this is possible; we will confirm this with you, likely over the phone and in writing, so that we are absolutely sure, because this deletion is irreversible).
We do not store customers' end-user personal data in a searchable database; all information in our Mirror databases is hashed.
Should you require us to remove all your client information from our database, we will still ensure the client’s own verification information remains available only to them. This is because the client remains in control and has full ownership of their own data, so it will continue to be available to them until they ask to be forgotten. Clients can delete their own data at any time, but this will not make their verification history and past documents submitted unavailable to the firm, unless they reach out specifically to your firm to do so.
Should a client ask your firm to be forgotten, Mirror will assist with the deletion of their records from our systems.
Mirror also has the Right to be Forgotten built in, for both firms and their clients.
Clients’ biometric data is also stored across databases hosted in AWS. AWS is industry-standard. Client data is never shared with third parties for marketing purposes. We only share client data with third parties where this is required to perform a check; e.g. when running AML checks, we would use the name of a client as it appears in their ID document.
We cannot stop end-users from sending us their personal information. If this happens, we only share it with the people who require it in order to resolve the issue. Once the issue is resolved, we delete this personal information or redact it in such a way that the end user is protected.
If we receive data that contains personal information, we will alert the sender that they have provided information of a personal nature and delete it. Once the email has been responded to and the correspondence deleted, DPO@mirroridentity.com will be notified to confirm that the sensitive information was received and has been deleted.
Mirror provides firms with information about their client’s identity and address, verified at source, in combination with industry-standard anti-money laundering checks.
Mirror is in some ways an aggregator of verified information about your client. Mirror enhances the information we collect with additional verification-at-source (i.e. scanning your client’s identity document and ensuring authenticity, genuineness and possession for proof-of-address documents). We then cryptographically secure real-world facts about your client’s identity within a digital identity. Mirror enables on-demand presentation of verified facts as self-validating information, as many times as necessary.
Mirror is in the process of self-certifying for the certifications below. We are, however, conscious that these standards represent a ‘bare minimum’, i.e. in some cases we not only meet but exceed their requirements. Where Mirror is not the direct provider of information, i.e. a third party is involved, we have taken steps to ensure these third-party providers are certified to a high standard, including and ideally beyond the certification standards.
Planned certifications (explained in detail later in this piece):
- HM Land Registry’s ‘Safe Harbour for Conveyancing’ standard (HM Land Registry 2020, gov.uk, accessed 26 November 2021, <https://hmlandregistry.blog.gov.uk/2020/11/17/encouraging-digital-identity-checking-in-conveyancing/>)
- ISO/IEC 27001 information security standard (ISO 2021, International Organisation for Standardisation, accessed 26 November 2021, <https://www.iso.org/isoiec-27001-information-security.html>)
As of 2021, Mirror is GDPR compliant and takes significant steps to ensure the security of your information and your client’s verification information. We take a defense-in-depth approach to securing data collected by and stored in Mirror, so that if any one line of defense is compromised we are alerted and able to address the issue before any damage is done. All data is stored securely within a VPC (Virtual Private Cloud) which, in turn, is placed behind a firewall and a NAT (Network Address Translation) gateway. This means no data is stored in a way that is accessible directly via the internet. In addition, we have a monitoring solution in place to alert us in the case of an attempted intrusion.
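The claim that no data store is reachable directly from the internet is one a reviewer can verify rather than take on trust: a data-store subnet should have no default route to an internet gateway (only to a NAT gateway, or no default route at all), should not auto-assign public IPs, and no database instance should be flagged publicly accessible. The following audit helper is an added example, not Mirror's code; the dict shapes follow the boto3 `describe_subnets`, `describe_route_tables` and `describe_db_instances` responses, but every value in the sample data is constructed, and the resource ids are placeholders.

```python
"""Audit check: is every data store kept behind NAT, with no direct internet path?

Added example, not Mirror's code. Input shapes mimic the boto3
ec2.describe_subnets / describe_route_tables / rds.describe_db_instances
responses; all sample values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    resource: str
    problem: str


def default_route_target(route_table: dict) -> Optional[str]:
    """Target of the 0.0.0.0/0 route (igw-..., nat-..., ...) or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def route_table_for_subnet(subnet_id: str, route_tables: list) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def audit_data_plane(subnets: list, route_tables: list, db_instances: list) -> list:
    """Return one Finding per way a database could be reached from the internet."""
    findings = []
    subnet_by_id = {s["SubnetId"]: s for s in subnets}
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if db.get("PubliclyAccessible"):
            findings.append(Finding(name, "PubliclyAccessible is true"))
        # Check every subnet the instance's subnet group can place it in.
        for member in db.get("DBSubnetGroup", {}).get("Subnets", []):
            sid = member["SubnetIdentifier"]
            subnet = subnet_by_id.get(sid, {})
            if subnet.get("MapPublicIpOnLaunch"):
                findings.append(Finding(sid, "subnet auto-assigns public IPs"))
            table = route_table_for_subnet(sid, route_tables)
            target = default_route_target(table) if table else None
            if target is None:
                continue  # isolated subnet with no egress at all: stricter than NAT, fine
            if target.startswith("igw-"):
                findings.append(Finding(sid, f"default route goes to internet gateway {target}"))
            elif not target.startswith("nat-"):
                findings.append(Finding(sid, f"default route goes to unexpected target {target}"))
    return findings


# Constructed sample data: one correctly private subnet/database and one misconfigured pair.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-priv1", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-pub1", "MapPublicIpOnLaunch": True},
]
SAMPLE_ROUTE_TABLES = [
    {   # main table: default route straight to an internet gateway
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
    },
    {   # table explicitly attached to the private subnet: egress only via NAT
        "Associations": [{"SubnetId": "subnet-priv1"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
    },
]
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "verification-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv1"}]}},
    {"DBInstanceIdentifier": "misconfigured-db", "PubliclyAccessible": True,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub1"}]}},
]

if __name__ == "__main__":
    for finding in audit_data_plane(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, SAMPLE_DBS):
        print(f"{finding.resource}: {finding.problem}")
```

On the sample data the private database produces no findings, while the misconfigured one is reported three times: the instance itself is publicly accessible, its subnet auto-assigns public IPs, and that subnet falls through to the main route table whose default route points at an internet gateway. Against a live account the same function would be fed the real API responses; a subnet with no default route at all is treated as acceptable because it is stricter than routing through NAT.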
Mirror verifies your client’s identity by combining liveness detection, document verification and facial recognition, with NFC-enabled chip scans (for documents with a machine readable chip). When documents do not contain a chip, we still enable biometric identity verification for your clients. We then secure this information cryptographically, enabling it to be reused and presented on demand as many times as necessary.
Some components of Mirror’s identity verification engine are provided by third parties, such as Passbase (who handle parts of biometric identity verification). Passbase is GDPR and CCPA compliant (privacy and data protection) and is in the process of obtaining a full SOC 2 report (an auditing framework for handling customer data, developed by the American Institute of Certified Public Accountants) and full certification to the ISO27001 standard (a security standard created by the International Organisation for Standardisation and the International Electrotechnical Commission), both due to complete at the end of 2021.
Mirror also aims to independently reach ISO27001 standards, aiming to complete in 2022.
Please note that ISO27001 only speaks to the handling of information used within verifications, and does not speak to the quality of the underlying verification.
Proof of Address
Mirror’s infrastructure enables SSL/TLS-based digital document validation, which is currently used only as part of Proof of Address. There are several applications for digital document validation beyond enabling digital Proof of Address, but this is the only use case we currently offer. We guarantee the authenticity and genuineness of a digital document and that it pertains to your client, and we ensure it is passed directly from the client to the party requesting verification without being tampered with. The ‘verified facts’ of your client’s document are then secured cryptographically within Mirror.
This process is GDPR compliant. Mirror, with the addition of a second Proof of Address request, meets the HM Land Registry’s Safe Harbour for Conveyancing standard. This is a self-certification, so it is on us not only to meet but to exceed these requirements.
Anti-Money Laundering Checks
Additionally, Mirror provides industry-standard AML checks. Our clients have two options when running these checks: we offer AML PEP and Sanctions checks via Passbase (who offer this service integrated with both Mirror’s and Passbase’s IDV, relying on databases provided by ComplyAdvantage).
Passbase’s certifications have been covered above. ComplyAdvantage is additionally GDPR compliant and has been certified to the ISO27001:2013 standard since 2018. ComplyAdvantage also has enhanced cloud security, including a shared security model with AWS as well as several firewalls and steps to ensure the security of client data, including deep visibility of API calls via AWS CloudTrail.
AML PEP and Sanctions Checks included in Mirror
Mirror integrates AML PEP and Sanctions checks via Passbase (who offer this service integrated with both Mirror’s and Passbase’s IDV, relying on databases provided by ComplyAdvantage). The below is provided directly by Passbase:
Definitions of Terms
Sanctions: Countries, corporate entities or individuals identified and reported by sovereign governments as not being appropriate for any entity regulated within said sovereign government’s jurisdiction to conduct business with.
Politically Exposed Person: Pertains to an individual entrusted with a prominent public function, whether as a head of state, a member of Parliament, a senior member of the military or judiciary, or a director, deputy director or board member of a state-owned enterprise.
Watchlist: Refers to the perpetual monitoring, identification and review of both individuals’ and entities’ identifiable information for the purposes of countering the financing of terrorism (CTF) and preventing money laundering globally.
Examples of International Sanctions Lists:
● European Union Sanction Lists
● United Nations Security Council Sanctions Lists
Examples of Watchlists:
● International Criminal Court
● World Bank
In addition to international Sanctions and Watchlists, Passbase checks 500+ country-specific Sanctions and Watchlists from Europe, Asia, the Middle East, Africa, Oceania and North America. Moreover, the search also includes scans for PEP and Adverse Media. For any country-specific information, please let us know which geographies are of special interest and we will provide greater detail.