Compliance & Security

Built for compliance-first platforms. Zero PII retention. Token-based access control.

PSD2 Ready
Age-Verification Compliant
GDPR-Safe

Why Tokenization is Safer

1. Zero PII Storage

Traditional age verification systems store personally identifiable information (PII), biometric data, and ID document images. LoomAPI uses JWT tokens instead — you never store sensitive data, reducing your liability and compliance burden.

2. Time-Limited Access

Tokens expire after 24 hours (configurable). This means even if a token is compromised, it has a limited window of validity. Compare this to storing permanent user data that could be breached years later.

3. Reduced Attack Surface

By not storing PII, your database becomes a less attractive target for attackers. Even if breached, there's no sensitive user data to steal. Tokens are cryptographically signed and validated server-side.

4. Audit Trail Without PII

You can maintain compliance audit trails using token IDs and verification metadata without storing actual user data. This satisfies regulatory requirements while minimizing privacy risks.

Regulatory Compliance

GDPR Compliance

LoomAPI operates with a zero-retention policy for PII. We only store verification metadata (IDs, status, timestamps) and technical data (IP, user agent) for rate limiting and billing. Raw evidence, ID images, and biometric templates are not stored.

This means you're not a data controller for verification data — reducing your GDPR compliance burden.

PSD2 Ready

Payment Services Directive 2 (PSD2) requires strong customer authentication for payment processing. LoomAPI's token-based verification can be integrated into your payment flow to meet SCA requirements.

Tokens can be stored in payment metadata for audit trails without storing PII.

Age Verification Compliance

Meets age verification requirements for adult content, gambling, and age-restricted commerce across multiple jurisdictions, including the UK, the EU, and US states.

Integrates with leading KYC providers (Veriff) for robust identity verification.

Data Minimization

We follow the principle of data minimization — only collecting and storing the minimum data necessary for verification and billing. No biometric templates, no ID images, no PII.

See our Data Processing Agreement for details.

Security Features

  • HMAC-SHA256 Signed Tokens
    All tokens are cryptographically signed and validated server-side
  • Timing-Safe API Key Comparison
    Prevents timing attacks on authentication
  • Rate Limiting & Quotas
    Per-tenant rate limits and monthly quotas prevent abuse
  • Webhook Signature Verification
    HMAC-SHA256 signed webhooks ensure data integrity
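The receiving side of the last three features above (HMAC-SHA256 signed webhooks, timing-safe comparison, time-limited validity) in working code. This is an added example, not LoomAPI's own code; the header names, the `<timestamp>.<body>` signing scheme, and the sample secret and payload are assumptions made here, since the page does not document the real webhook format.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Header names and the "<timestamp>.<body>" signing scheme are assumptions for
# this example; the page does not document LoomAPI's actual webhook format.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject deliveries outside a five-minute window (replay limit)


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp and raw body, as the sender would compute it."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and the timestamp is fresh."""
    signature = headers.get(SIGNATURE_HEADER)
    raw_ts = headers.get(TIMESTAMP_HEADER)
    if signature is None or raw_ts is None:
        return False
    try:
        timestamp = int(raw_ts)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated delivery: treat it as a replay
    expected = sign_payload(secret, timestamp, body)
    # compare_digest runs in constant time, so a wrong signature does not leak how many leading bytes matched
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


def check_api_key(presented: str, stored: str) -> bool:
    """Timing-safe API key comparison: the same primitive applied to authentication."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


# Constructed sample delivery (not real LoomAPI data).
SECRET = b"whsec_constructed_example_secret"
BODY = json.dumps({"verification_id": "ver_constructed_123", "status": "approved"}).encode()
SENT_AT = 1_700_000_000
HEADERS = {TIMESTAMP_HEADER: str(SENT_AT), SIGNATURE_HEADER: sign_payload(SECRET, SENT_AT, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, HEADERS, BODY, now=SENT_AT + 10))        # True
    print(verify_webhook(SECRET, HEADERS, BODY + b" ", now=SENT_AT + 10))  # False: body tampered
```

Always verify against the raw request bytes before JSON parsing; re-serialising the parsed body can change whitespace or key order and break the signature.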