PRIVACY COMITTMENT

Security & Privacy

Wicket is committed to the responsible use and application of facial authentication technology, and to that end, takes security and privacy very seriously. Learn more about how we design our technology for that commitment below.

SOC2_D_HQ
ISO27001_D@1.5x
GDPR_D@1.5x
NISTCSF_D@1.5x
Our Approach to Privacy

Wicket restores trust in biometric identification by keeping data privacy at the forefront of our products and by following industry best practices for system security.

PRIVACY-FIRST TECHNOLOGY

Privacy FAQs

We understand that, as with any new technology, there are questions and misunderstandings about how biometric technology is used. While many users are accustomed to the personal use of FR, there is a broader conversation that may leave some organizations and users uncertain as to whether facial recognition technology is right for them.

At Wicket, building a privacy-first experience and communicating that experience as transparently as possible is vital to our team. We take your trust in us very seriously and design our software to protect and securely store your personal data.

What does Wicket do to protect user privacy?

Wicket does several things to ensure user privacy. To name a few, Wicket:

  1. Designed use of the program to be opt-in only
  2. Creates embeddings (a series of numbers) to protect the user identities and ensures face photos aren’t stored on edge devices
  3. Does not own customer data; customers own their user data
  4. Makes biometric decisions at the edge, minimizing the risk of data interception
  5. Does not sell Personally Identifiable Information (PII) to third parties
  6. Does not record live video, nor is our technology intended to function as a “live viewer”
  7. Has a strong infosec program with regular 3rd-party evaluation

What is Facial Authentication, and how is it different from Facial Recognition?

A facial recognition system is a technology capable of matching a human face to a digital image of that face. While Wicket’s computer vision algorithms could technically be classified as a facial recognition system, we prefer to use the term Facial Authentication. Facial recognition systems like those used by law enforcement or security agencies (to identify an unknown individual by running an image through an extensive database) are based on a surveillance model.

Wicket differs from this approach in two ways: 

Firstly, Wicket has an opt-in-only model. We do not use our technology to keep people out, but rather to let known faces (registered users) in—only people who have explicitly opted into Wicket-powered services can use them. Not only that, but users must willingly provide images of their own face to use our services.

Secondly, Wicket’s Facial Authentication system is designed to protect the privacy of those who do not want to be captured at all. To ensure unwilling participants aren’t scanned by Wicket, users must physically present to a Wicket sensor to gain access to confirm that the user is:

  1. Enrolled in a Wicket-powered service (by opting in)
  2. Eligible for access to that service
  3. Granted or denied the service based on their eligibility

In short, Facial Authentication verifies the identity of an individual who has already provided consent to be in the system via an opt-in procedure.

What does opt-in only mean?

Opt-in only means just that.

To use Wicket facial authentication, all users must explicitly opt in prior to uploading an image into our system. Wicket does not take pictures of users for enrollment without user knowledge; users take and submit their own selfie and provide Wicket with permission to use it to give them access to facial authentication-enabled features, such as facial ticketing, facial payments, and facial access.

What happens when someone who hasn’t opted in presents to a Wicket sensor?

Wicket has implemented controls to ensure that images are not captured or stored without consent. Wicket ensures that all authentication solutions (access control, ticketing, payments, etc.) are equipped with identification zone technology that allows front, rear, and side boundaries to be configured so that only the person making an access attempt is targeted within the frame.

In all cases where Wicket makes a decision on a non-enrolled user, that data is non-identifiable and is not used by Wicket except to attempt a match against enrolled users. If no match is found, the images are purged from the system per the client’s or Wicket’s terms and conditions, whichever retention policy is shorter.

Who owns the biometric data?

Wicket operates as a Data Processor, while each customer serves as the Data Controller. Customers retain full ownership of their data, which is stored in a secure cloud environment maintained by Wicket. 

What happens to user pictures and PII?

All personally identifiable information (PII) is directly provided by the Customer or User. PII is then translated from an image to a mathematical representation of the face for identification. Wicket only captures and stores PII for the stated use of our products and minimizes exposure of this Customer and User data at all times.

The Wicket platform is designed to minimize the storage of PII, and robust access controls—aligned with recognized security frameworks—are in place to protect all data. 

When we receive user PII, we use encryption (at rest and in transit) to ensure the information is safe, and any images and data captured at the actual event are automatically deleted from all systems within a timeframe determined by the organizer.

Is user data at risk if a Wicket device is stolen?

In all product cases, all decisions and analyses are made locally (i.e., Edge-Decision) on the device instead of sending data back and forth to a cloud server (i.e., Cloud-Decision). Local decisions help minimize the possibility of information being intercepted.

Because Wicket turns user photos into templates (mathematical representations), no PII is stored on the device, keeping your identity safe, even in the case of a compromised device.

Additionally, all devices are password-protected and remotely managed, and can be wiped and disabled as soon as they are reported missing.

How long does Wicket retain captured data?

Wicket products require that different data and images be captured and held for varying time frames, depending on the customer’s use case. Data is only stored for the purpose of the product and is automatically purged according to the data policies of Wicket customers for the intended use of that data.

Images of the faces of individuals that present themselves to an Access touch-point are captured and retained for logging purposes. This data is purged from the system according to the specified data configuration of the customer. 

All images retained as part of access decisions are purged from the system per the client’s or Wicket’s terms and conditions, whichever retention policy is shorter.

What steps has Wicket taken to minimize bias in their algorithm?

The Wicket algorithm enhancements were developed entirely in-house by our team of scientists with a concrete goal to address the issue of bias. With our Wicket technology, match or verification is done based on a set of data points converted to a unique identifier and is not based on matching a picture. For this reason, performance is limited only by the quality of the source stills or images, which are based on a) pose or which way the person is looking, b) occlusion or facial hair, hats, glasses, or masks, and c) illumination or lighting. Therefore, efficacy and accuracy are not dependent upon age, skin tone, gender, etc.

We also submitted to NIST testing, viewed as the industry gold standard. The results show Wicket has a 99.7% accuracy rate across all demographic categories and is top 3 for accuracy of matched decisions in the U.S. at the time of submission.

What does Wicket’s Information Security program look like?

Wicket has maintained a formal Information Security (InfoSec) Program since 2019 that consists of a managed cloud services provider, automated security compliance software, managed detection and response (MDR) services for vulnerability remediation, static code analysis tools, security benchmarking tools, and various other procedures and documentation that support a robust defense in depth.

Wicket also performs ongoing third-party penetration tests from trusted security vendors.

Has Wicket been independently audited?

Yes. Two separate audit firms have independently audited Wicket’s platform, and we continue annual audits against multiple security frameworks. Our SOC2 Type 2 attestation report demonstrates our compliance with the security, availability, and confidentiality standards set by the American Institute of Certified Public Accountants (AICPA) as well as the core subcategories of the NIST Cybersecurity Framework. Wicket’s Information Security Management System (ISMS) received initial ISO 27001 certification in April 2023 and undergoes surveillance audits each year until re-certification. In addition, we achieved GDPR compliance in June 2023. Refer to the Resources section in the Trust Center for artifacts related to these third party audits.

Our current SOC2 Type II, NIST Cybersecurity Framework, and GDPR reports, as well as our ISO 27001 certificate, are available in our Trust Report.