Security Overview
MY-K Platform – MyBioPass FZ-LLC
Last updated: 03-03-2026
1. OVERVIEW
MY-K is a digital identity verification platform designed to provide secure, real-time identity verification through automated technical checks.
The platform performs identity verification using a combination of document validation, biometric comparison and authentication mechanisms, delivered through secure APIs and SDK integrations.
MY-K is part of the MyBioPass identity infrastructure, a broader biometric identity ecosystem supporting digital identity, secure access and identity-based services within partner ecosystems.
The platform is commercially distributed in certain jurisdictions through authorized partners, including MyMoney, while the technical platform and infrastructure are operated by MyBioPass FZ-LLC (MBP).
2. DATA PROCESSING MODEL
The MY-K service is designed in accordance with strict privacy-by-design and data minimization principles.
Depending on the commercial structure of the service deployment:
- the Customer acts as Data Controller
- MyMoney or another authorized commercial partner may act as Data Processor
- MyBioPass FZ-LLC acts as core Sub-Processor for the platform infrastructure
This structure ensures that customers retain full control over the purposes and legal basis of personal data processing.
MY-K performs technical identity verification only and does not perform AML screening, risk scoring, or onboarding decisions.
3. DATA MINIMIZATION AND RETENTION
MY-K is designed to process only the data strictly necessary to generate a verification output.
Key principles include:
- biometric data processed only for real-time comparison
- no persistent storage of biometric templates
- no reuse of identity data for analytics or model training
- no profiling or behavioral analysis
Personal data processed during verification are automatically deleted from the MY-K platform within twenty-four (24) hours after completion of the verification process, except for limited technical logs required for operational security.
Where reusable identity credentials are generated within the mobile application, such credentials remain stored locally on the user’s device and are protected by device-level security mechanisms.
Customers remain responsible for the storage and regulatory retention of verification results within their own systems.
4. IDENTITY WALLET ARCHITECTURE
MY-K may enable the creation of a reusable digital identity credential associated with the verified user.
Once the verification process is completed, a secure identity credential can be generated and stored locally within the user’s mobile application environment.
This credential allows the user to reuse the verified identity in subsequent authentication or access flows without repeating the full identity verification process.
Key characteristics of the MY-K identity architecture include:
- identity credentials stored locally on the user’s device
- no centralized storage of reusable biometric identity profiles within the MY-K platform
- user-controlled access to the mobile application
Access to the mobile application is protected through device-level security mechanisms, including:
- user-defined PIN authentication, or
- native biometric authentication supported by the device operating system (such as Face Recognition or fingerprint authentication).
Biometric authentication used to unlock the application relies exclusively on the device’s operating system security framework and is not transmitted to or stored by the MY-K platform.
Users maintain control over the locally stored identity credential and may delete it at any time by removing the application from their device.
5. DEVICE-BASED IDENTITY STORAGE
For mobile integrations, MY-K may enable the creation of a reusable identity credential stored locally on the user’s device.
In this configuration:
- identity credentials are stored locally within the mobile application environment
- access to the application is protected by a user-defined PIN or the device’s native biometric authentication mechanisms (such as Face Recognition or fingerprint authentication)
- biometric authentication used to unlock the application relies exclusively on the device’s operating system security framework
No biometric templates used for device authentication are transmitted to or stored by the MY-K platform.
This device-based architecture allows users to securely reuse their verified identity while maintaining control of their credentials on their personal device.
6. INFRASTRUCTURE SECURITY
MY-K operates in secure cloud infrastructure environments primarily located within the European Union.
Security measures include:
- encrypted communications using TLS
- encryption of sensitive data at rest where applicable
- server-to-server encrypted communication channels
- hybrid encryption mechanisms for secure mobile communication
- isolated processing environments for each customer integration
Infrastructure environments are hardened and continuously monitored to detect operational or security anomalies.
7. ACCESS CONTROL AND SYSTEM INTEGRITY
Access to platform infrastructure is strictly controlled.
Security controls include:
- role-based access control
- multi-factor authentication for administrative access
- least-privilege access policies
- secure credential management
- monitoring of administrative actions
System access is limited to authorized personnel responsible for maintaining platform infrastructure and service availability.
8. SUB-PROCESSORS AND THIRD-PARTY SERVICES
MY-K relies on a limited number of specialized technical providers to deliver certain components of the verification process.
These include services supporting:
- biometric verification processing
- email delivery
- SMS verification
All sub-processors are contractually bound to data protection obligations consistent with Article 28 GDPR and are required to implement appropriate technical and organizational security measures.
9. INTERNATIONAL DATA TRANSFER
The MY-K platform is primarily hosted within the European Union.
Where specific technical services require processing outside the EU (such as email delivery infrastructure), transfers are carried out in compliance with Chapter V GDPR, including the use of Standard Contractual Clauses (SCCs) and additional technical safeguards where applicable.
10. INCIDENT RESPONSE AND SECURITY MONITORING
MY-K implements continuous monitoring of system availability and security indicators.
Security measures include:
- system monitoring and uptime tracking
- anomaly detection
- incident management procedures
- controlled logging of technical events
In the event of a confirmed personal data breach, customers are notified without undue delay in accordance with GDPR requirements.
11. COMPLIANCE FRAMEWORK
The MY-K platform is designed to align with applicable European regulatory frameworks, including:
- Regulation (EU) 2016/679 (GDPR)
- security obligations under Article 32 GDPR
- data minimization and privacy-by-design principles
- contractual governance of sub-processors under Article 28 GDPR
The service provides technical identity verification tools that customers may integrate within their own regulatory compliance frameworks.
12. SECURITY DOCUMENTATION
Customers may request additional documentation supporting their internal compliance assessments, including:
- Data Processing Agreement (DPA)
- Technical and Organizational Measures (TOM)
- Sub-Processor list
- Security overview documentation
These documents provide detailed information regarding the security architecture and operational safeguards of the MY-K platform.