FAQs

Clients send custom-tailored trust verification assessments to their selected participants using the administrator portal. Participants answer a series of questions on the mobile application, while physiological reactions are recorded in real-time. Trust scores are then analyzed by our AI scoring system and rapidly returned to clients on their portal.
Validit.ai’s trust verification assessments provide 85% accuracy, similar to traditional polygraph testing.
Contact our team here to book a demo and price estimation.
No, the platform is user-friendly and straightforward. Our support team is available to provide assistance through our support line on the administrator portal or through our contact form.
We do NOT collect any data in our application. We don’t store or share personally identifiable information, nor does the app ask for or collect any personal financial information. Your name and email are only used for authentication when signing into the app, nothing more. Facial areas/points are used to extract heart rate and other bio signals.
The test includes built-in breaks for maximum convenience.
Yes, the assessments are contactless and intuitive, allowing participants to self-administer tests whenever and wherever they choose.
No. The automatic and user-friendly application is very intuitive, easy to use and accompanied by explanations throughout all the stages of the process.
Most tests are completed in less than 10 minutes. In some cases, assessments require a few minutes more.
No, you need to be in a quiet place where you can concentrate, a stable location with a secure internet connection – and you will need your smartphone of course.
Validit.ai is a mobile-enabled deception detection solution that leverages behavioral science, AI, and bio signal processing to minimize fraud and verify trust across a variety of industries and use cases.
The app can be downloaded from all the major app stores; however, in order to take an assessment, you need to receive an invitation by SMS or email from the administrator in charge of administering the assessment.
  • Exit the app
  • Close the “window” of the app
  • Re-enter the assessment
  • Check if there are active version updates for the device
  • For Android phones, the Android version should be 8.1 and above
The administrator should perform the following actions:
  1. Delete cookie files
  2. Disconnect from the admin
  3. Refresh the page
  4. Check whether the participant has completed the assessment and handle it accordingly
The administrator can suggest themed questions that he/she would like to be included in the assessment, but the assessment is specifically designed based on years of scientific research and follows the APA standards.

Ensuring Trust, Transparency, and Compliance Across Global Privacy Regulations

At Valid.it, we understand that trust, transparency, and compliance are essential expectations from our customers. That’s why we have made it our core principle to safeguard data and process it with a high level of care, security, and respect.

We recognize that leveraging advanced remote integrity assessments and AI-driven behavioral analysis has great potential for our clients, providing valuable insights and enhancing decision-making. However, we firmly believe that such innovation must be accompanied by responsible, ethical, and privacy-conscious data handling. Our commitment is to ensure that data is used safely, lawfully, and in compliance with global privacy regulations.

The following sections outline how we achieve this and maintain high standards in data privacy and security.

Valid.it aligns with the General Data Protection Regulation (GDPR) by ensuring that all personal data is processed lawfully, fairly, and transparently. As a Data Processor, we operate strictly under our customers’ instructions, implementing strong security measures and privacy-focused safeguards to help them meet compliance requirements.

To support GDPR compliance, our platform is designed around key GDPR principles such as Fairness, Lawfulness, Transparency, Data Minimization and Storage Limitation.

  • Fairness: Our platform supports non-discriminatory and ethical data processing by allowing customers to customize the measurements, assessments, and questions they choose to include in the evaluations.
    • Customers can exclude irrelevant or unnecessary data points to prevent unintended bias.
    • This customization is meant to ensure that only necessary, purpose-driven data is collected, enhancing privacy.
  • Transparency: We help customers fulfill their privacy notice obligations by allowing them to display a clear privacy policy within our platform, explaining their data practices. In addition, our own Privacy Policy further clarifies who acts as a Data Controller and Data Processor, so that customers and end-users clearly understand their data rights and how their data is used.
  • Lawfulness: We encourage our customers to define a valid legal basis for processing data and commit to not using data for any purpose beyond what was originally intended. As a Data Processor, we operate strictly under customer instructions and support them in meeting their legal obligations. To assist with compliance, we provide built-in mechanisms such as:
    • Data Processing Agreement (DPA) – Our DPA clearly defines roles, responsibilities, and lawful processing terms and limitations.
    • Configurable Data Collection – Allowing customers to limit the type of data processed based on their lawful basis.
    • Audit Logs & Documentation – Enabling transparency by logging when, how, and why data is processed, supporting compliance with accountability requirements.
  • Purpose Limitation & Data Minimization: Customers can customize assessments to collect only the data they truly need, ensuring compliance with GDPR’s data minimization principle. In addition, we do not gather or share personally identifiable information, nor does our app collect any private financial information.

Storage Limitation & Security Measures

At Valid.it, data security and privacy are our top priorities. We are committed to ensuring that data is stored securely, retained only for as long as necessary, and protected using industry-leading security measures.

Privacy laws such as the GDPR, PIPEDA and the Israeli Privacy Protection Law require that personal data be retained for no longer than necessary for its intended purpose. We recognize that minimizing data storage not only ensures legal compliance but also reduces security risks.

Our approach to data retention and minimization includes:

    • Customer-Controlled Retention – Data is stored only as long as required by the customer and is deleted upon service termination or customer request, aligning with GDPR’s “Right to Erasure” (Right to be Forgotten).
    • Customizable Retention Policies – Customers can define data retention settings based on regulatory requirements and internal policies.
    • Proactive Audits & Reviews – We regularly review stored data to ensure no unnecessary retention, further reducing exposure to security risks.

Valid.it was founded by security professionals with backgrounds in national security and intelligence agencies, bringing top-tier expertise in cybersecurity and risk management. We apply strict security frameworks to safeguard customer data and ensure compliance with global regulations. Our security measures include:

    • Data encryption at rest and in transit – We use AES-256 encryption for stored data and TLS 1.2/1.3 for data in transit, ensuring end-to-end protection.
    • Strict access controls & multi-factor authentication (MFA) – Access to sensitive data is restricted to authorized personnel only, with enforced role-based permissions and MFA authentication.
    • Regular penetration testing & security audits – We conduct frequent penetration tests and SOC 2-certified security audits to proactively identify and mitigate vulnerabilities.
    • Continuous monitoring & anomaly detection – Our real-time security monitoring detects suspicious activity and potential threats, ensuring rapid response and mitigation.
    • Minimizing third-party risk – We limit the use of subprocessors and work only with globally trusted vendors that meet the highest security and compliance standards.
    • Trusted Cloud Infrastructure – Our primary infrastructure provider, Amazon Web Services (AWS), operates in a GDPR-compliant, ISO 27001, and SOC 2-certified environment with industry-leading security practices.
    • Strict Vendor Risk Management – Before onboarding any vendor, we conduct risk assessments and contractual due diligence to ensure compliance with GDPR, PIPEDA, POPIA, and other global regulations.

Accountability & Cross-Border Data Transfers

  • We provide a built-in Data Processing Agreement (DPA) in our terms, ensuring GDPR compliance and limitations on the processing.
  • We support cross-border data transfers via Standard Contractual Clauses (SCCs) and offer AWS Ireland as a hosting option for customers requiring EU-based data compliance.

At Valid.it, we work with clients across the globe, spanning diverse industries and regulatory environments. We understand that compliance is not one-size-fits-all, which is why our goal is to align with privacy and security standards worldwide. Our platform is designed to help businesses meet their legal and ethical requirements, ensuring that they can operate with confidence across multiple jurisdictions.

NY SHIELD Act (New York, USA) – Data Security & Breach Notification

  • We apply encryption (AES-256, TLS 1.2/1.3), MFA, and access controls to prevent unauthorized access.
  • Our real-time monitoring & anomaly detection helps us identify potential breaches.
  • We follow incident response best practices to support customers in meeting breach notification requirements.

PIPEDA (Canada) – Accountability & Data Minimization

  • We provide clear data governance policies and ensure customers define data retention periods to avoid excessive data storage.
  • Regular security audits & risk assessments demonstrate compliance and accountability.

POPIA (South Africa) – Purpose Limitation & Security Measures

  • Customers define the scope of data processing, ensuring no unnecessary or excessive collection.
  • Our platform provides role-based access and secure processing controls to protect personal data.
  • Our Privacy Policy aligns with Section 18 of POPIA, ensuring data subjects understand who acts as a Data Controller or Data Processor, what personal data is collected, and for what purpose.
  • Customers can use our platform to provide privacy notices, ensuring compliance with South African transparency requirements.

Japan’s APPI (Act on Protection of Personal Information) – Consent Management

  • Customers can define consent mechanisms within our platform to comply with APPI’s guidelines on explicit user consent.

GDPR (EU & UK) – Comprehensive Privacy Compliance

  • Our full breakdown of GDPR alignment, including lawfulness, transparency, data subject rights, security, and storage limitation, is covered in the first section above.

At Valid.it, we are fully aware of our role and responsibilities in handling personal data and are committed to data processing limitations.

  • Primarily, we act as a data processor when processing personal data on behalf of customers (e.g., candidates, employees, insurance applicants or policyholders). We only process personal data as instructed by our customers and in accordance with our Data Processing Agreement (DPA).
  • We include a built-in DPA in our terms, ensuring compliance with GDPR, PIPEDA, NY SHIELD, Israeli law and other global privacy frameworks.
  • In some cases, we act as a data controller, such as when processing platform administrator details or website visitor interactions.
  • Our Privacy Policy clearly defines these roles and provides transparency into how we handle and protect personal data in each scenario.

By maintaining strict processing limitations and adhering to customer instructions, we ensure that personal data is handled securely, responsibly, and in compliance. Through this dual-layered approach, we ensure that both our customers and their end-users benefit from a high level of privacy protection. This also guarantees transparency regarding who processes their data and for what purposes.

At Valid.it, we implement industry-leading security measures to safeguard personal data and prevent unauthorized access, aligned with global regulations such as GDPR, NY SHIELD, PIPEDA, and POPIA. Our SOC 2 Type II certification demonstrates our ongoing commitment to security, availability, and confidentiality through rigorous, independent audits. Our approach includes:

  • End-to-end encryption – Data is encrypted both at rest and in transit using AES-256 and TLS 1.2+, ensuring data protection against unauthorized access.
  • Strict access controls – We enforce role-based access restrictions and multi-factor authentication (MFA) to limit access to authorized personnel only.
  • SOC 2 Type II security framework – We undergo regular third-party SOC 2 audits, verifying that our security controls meet high industry standards for protecting customer data.
  • Continuous security assessments – We conduct frequent penetration testing, vulnerability assessments, and risk evaluations to proactively identify and mitigate threats.
  • Robust incident response – Our 24/7 security monitoring, automated anomaly detection, and rapid response protocols help detect and mitigate potential threats before they escalate.

No, Valid.it does not keep or store Personally Identifiable Information (PII). Our platform is designed with a privacy-by-design approach, ensuring that all assessments are conducted without gathering direct identifiers such as names, emails, phone numbers, or government-issued IDs from our end. Instead, the assessment process relies on randomly assigned identifiers that are used solely for processing. These random identifiers are automatically deleted after the evaluation is completed.

Additionally, Valid.it does not record, view, or store any video or audio from the assessment process. All video processing occurs locally on the end user’s device, and no raw footage or related data is ever transmitted to Valid.it’s servers.

This privacy-preserving methodology supports compliance with GDPR and other global privacy regulations, reinforcing our commitment to data minimization and security.

Valid.it operates primarily as a Data Processor, meaning we process personal data on behalf of our customers, who act as the Data Controllers. As such, we do not handle direct requests from end users but provide the necessary tools and support for our customers to fulfill their compliance obligations under global privacy laws.

How We Help Customers Comply with Data Subject Requests

We offer functionalities that enable our customers to respond efficiently to requests from their end users, including:

  • Access Requests – Customers can retrieve and export personal data related to an end user upon request, ensuring compliance with legal access rights.
  • Correction Requests – Our platform allows customers to update or correct personal data to ensure accuracy when required.
  • Deletion Requests – If an end user requests deletion, customers can initiate a data erasure request through our platform, and we ensure data is deleted in accordance with contractual obligations and retention policies.
  • Restriction of Processing – Customers can configure settings to limit data processing based on user objections or specific compliance needs.
  • Data Portability – We provide structured data export options, enabling customers to fulfill requests for transferring personal data to another service.

Data Retention & Deletion Policies

  • Customer-Controlled Retention – We do not retain personal data beyond the period defined by the customer. Data is stored only as long as required and is deleted upon service termination or at the customer’s request.
  • Automated Deletion Tools – Customers can set retention policies to ensure data is automatically deleted after a predefined period, reducing compliance risks.
  • Audit Logs & Documentation – We maintain logs of processing activities, enabling customers to demonstrate compliance when responding to regulatory inquiries.
  • Data is hosted in AWS Ireland (EU) for GDPR compliance, per customer request.
  • Data transfers to the US follow SCCs for lawful international data movement.
  • Comprehensive Vendor Risk Assessments – We carefully evaluate all subprocessors to ensure they meet strict security, privacy, and compliance standards before granting access to data. This includes verifying compliance with laws and standards such as GDPR, PIPEDA, SOC 2, ISO 27001, and other relevant regulations.
  • Strict Data Processing Agreements (DPAs) – All third-party partnerships are governed by legally binding DPAs, ensuring that subprocessors adhere to the same level of security and privacy commitments as Valid.it.
  • Ongoing Monitoring & Compliance Audits – We conduct regular reviews and audits of third-party providers to verify continued compliance, minimizing risk for our customers.
  • Minimizing Third-Party Dependencies – We limit the use of subprocessors whenever possible, ensuring that data exposure is reduced and only the most trusted and necessary vendors are utilized.

At Valid.it, we are committed to ensuring that our assessments are fair, transparent, and free from discrimination. Our platform is designed with strong governance measures to support ethical AI and compliance with privacy and data protection laws.

  • Algorithmic Transparency – We provide customers with insights into how assessments function, allowing them to audit assessment methodologies and validate the fairness of decision-making processes.
  • Bias Mitigation Strategies – Our AI models undergo regular audits and testing to identify and mitigate potential biases, ensuring that assessment outcomes remain objective and fair across different demographics.
  • Customizable Assessment Criteria – Customers can define which measurements, assessments, and questions are relevant to their specific use case, reducing the risk of irrelevant or biased data influencing decisions.
  • Compliance with AI Regulations & Privacy Laws – We align with GDPR, emerging AI governance frameworks, and ethical AI best practices, ensuring our technology operates within established fairness and non-discrimination guidelines.
  • Continuous Model Improvement – We refine our methodologies based on customer feedback, industry best practices, and evolving regulatory requirements, reinforcing ethical and responsible AI use.

First off, we take proactive and serious measures to minimize security risks and protect personal data from breaches. Our security framework is built on robust encryption, strict access controls, real-time monitoring, and compliance with global data protection standards. However, in the unlikely event of a security incident, we have a comprehensive incident response plan in place to contain, mitigate, and prevent recurrence.

  • Immediate Security Response – Our 24/7 monitoring system detects and responds to potential threats in real time, allowing for rapid containment of any security incidents.
  • Breach Notification & Compliance – If a data breach occurs, we follow all legal and contractual obligations, including breach notification rules, ensuring transparency with affected customers.
  • Mitigation & Continuous Improvement – If a breach occurs, after containment, we conduct a thorough forensic investigation to identify the root cause, strengthen security defenses, and implement safeguards to prevent future breaches.
  • Encryption & Access Controls – All data remains encrypted at rest (AES-256) and in transit (TLS 1.2/1.3), minimizing the impact of unauthorized access. Role-based access controls (RBAC) ensure that only authorized personnel can handle sensitive information.
  • Regular Security Audits & Testing – We continuously assess our security posture through SOC 2-certified audits, penetration testing, and vulnerability scanning to identify and fix potential risks before they become threats.
*This Q&A is for informational purposes only and does not constitute legal advice. Customers are responsible for assessing their own compliance requirements based on their specific use of the Valid.it platform and the laws applicable to them.