§7 · BIOMETRIC PRIVACY · POLICY

Photos never stored. Embeddings, encrypted.

Lorica processes biometric data only at the moment of verification. Camera frames are processed in memory and discarded within 60 seconds. Stored embeddings are 512-dimensional vectors encrypted with per-tenant keys. Embeddings are not reversible to imagery.

§01 · WHAT WE COLLECT

Camera frames at the moment of verification.

When a user runs /enroll or /verify, the client SDK captures camera frames. Frames are sent to the Lorica server over TLS 1.3, processed into a 512-dimensional embedding via a face-recognition model (InsightFace Buffalo-L), and discarded. Raw frames are never persisted to disk. Embeddings are persisted, encrypted.

§02 · WHAT WE STORE

Encrypted embeddings. Nothing else.

  • The 512-dim embedding vector, encrypted with Fernet AES-128-CBC using a per-tenant key
  • The user_id you provided at enrollment
  • Enrollment timestamp and embedding ID
  • Verification audit log (one row per /verify call: user_id, action, verdict, JWT identifier, timestamp)

§03 · WHAT WE DO NOT STORE

No raw imagery. No demographic data.

  • No photos, no video, no frame buffers
  • No demographic inferences (age, gender, ethnicity)
  • No location data beyond IP geolocation at verify time
  • No cross-tenant correlation — embeddings are per-tenant, isolated

§04 · USER RIGHTS

Erasure on demand. Verifiable.

Users can request deletion via DELETE /v1/delete. The endpoint zeros the stored embedding and revokes any active JWTs. The response includes a deletion proof — a signed timestamp the user (or their representative) can verify. GDPR Article 17 and CCPA compliant. SLA: deletion within 24 hours of request.

§05 · CONSENT

Explicit. Per-action.

At enrollment the user is presented with the camera permission prompt from their browser, plus an in-app consent screen specifying that a biometric reference will be stored encrypted. At each subsequent /verify call, the camera prompt fires again. Consent is not implicit. Consent is per-session.

§06 · ENCRYPTION

Per-tenant keys. Rotated quarterly.

Each tenant has its own embedding-encryption key. Keys are rotated quarterly. Old keys are retained for the duration of legal retention, then destroyed. Embeddings are re-encrypted under the new key during rotation; no plaintext embeddings exist on disk at any point.
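
An added sketch, not Lorica's code, of the per-tenant encryption in §02 and the rotation in §06, using Fernet and MultiFernet from the Python `cryptography` package. The TenantKeyring class, the function names, the in-memory key store and the float32 serialization are assumptions made for illustration.

```python
# Added illustration; not Lorica's implementation. Requires the `cryptography` package.
import struct
from cryptography.fernet import Fernet, MultiFernet, InvalidToken

DIM = 512  # embedding dimensionality stated in the policy


class TenantKeyring:
    """Hypothetical per-tenant keyring: newest key first, older keys kept for decryption."""

    def __init__(self):
        self._keys = {}  # tenant_id -> [Fernet, ...], newest first

    def add_key(self, tenant_id):
        """Generate a fresh key for the tenant and make it the active one."""
        self._keys.setdefault(tenant_id, []).insert(0, Fernet(Fernet.generate_key()))

    def retire_oldest(self, tenant_id):
        """Drop the oldest key once no stored token depends on it."""
        self._keys[tenant_id].pop()

    def cipher(self, tenant_id):
        # MultiFernet encrypts with the first key and tries every key on decrypt.
        return MultiFernet(self._keys[tenant_id])


def seal(ring, tenant_id, embedding):
    """Serialize a 512-float embedding and encrypt it under the tenant's active key."""
    if len(embedding) != DIM:
        raise ValueError("expected a 512-dimensional embedding")
    return ring.cipher(tenant_id).encrypt(struct.pack(f"<{DIM}f", *embedding))


def unseal(ring, tenant_id, token):
    """Decrypt and deserialize; raises InvalidToken for another tenant or a retired key."""
    return list(struct.unpack(f"<{DIM}f", ring.cipher(tenant_id).decrypt(token)))


def rotate(ring, tenant_id, tokens):
    """Add a new key and re-encrypt every stored token under it.
    MultiFernet.rotate maps token to token, so plaintext exists only in process memory."""
    ring.add_key(tenant_id)
    cipher = ring.cipher(tenant_id)
    return [cipher.rotate(t) for t in tokens]
```

A token sealed for one tenant fails authentication under any other tenant's key, and a token left under a retired key can no longer be decrypted, so rotation has to re-encrypt every stored row before the old key is destroyed.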