PRIVACY COMMITMENT

Security & Privacy

Wicket is committed to the responsible use and application of facial authentication technology, and to that end, takes security and privacy very seriously. Learn more about how we design our technology for that commitment below.

Our Approach to Privacy

Wicket restores trust in biometric identification by keeping data privacy at the forefront of our products and by following industry best practices for system security.

PRIVACY-FIRST TECHNOLOGY

Privacy FAQs

We understand that, as with any new technology, there are questions and misunderstandings about how biometric technology is used. While many users are accustomed to the personal use of facial recognition (FR), there is a broader conversation that may leave some organizations and users uncertain as to whether facial recognition technology is right for them.

At Wicket, building a privacy-first experience and communicating that experience as transparently as possible is vital to our team. We take your trust in us very seriously and design our software to protect and securely store your personal data.

What does Wicket do to protect user privacy?

Wicket does several things to ensure user privacy. To name a few, Wicket:

While Wicket’s computer vision algorithms are technically a facial recognition system, we prefer to use the term Facial Authentication. Facial recognition systems like those used by law enforcement or security agencies (to identify an unknown individual by running an image through an extensive database) are based on a surveillance model.

Wicket differs from this approach in two ways: 

Firstly, Wicket has an opt-in-only model. We do not use our technology to keep people out, but rather to let known faces (registered users) in—only people who have explicitly opted into Wicket-powered services can use them.

Secondly, Wicket’s Facial Authentication system is designed to protect the privacy of those who do not want to be captured at all. To ensure unwilling participants aren’t scanned by Wicket, users must physically present themselves to a Wicket sensor to gain access, which confirms that the user is:

  1. Enrolled in a Wicket-powered service (by opting in)
  2. Eligible for access to that service
  3. Granted or denied the service based on their eligibility

In short, Facial Authentication verifies the identity of an individual who has already provided consent to be in the system via an opt-in procedure.

Opt-in only means just that.

To use Wicket facial authentication, all users must explicitly opt in prior to uploading an image into our system. Wicket does not take pictures of users for enrollment without user knowledge; users take and submit their own selfie and provide Wicket with permission to use it to give them access to facial authentication-enabled features, such as facial ticketing, facial payments, and facial access.

In all cases where Wicket makes a decision on a non-registered User, that data is non-identifiable and is not used by Wicket except to match that person against a registered User.

Wicket operates as a Data Processor, while each customer serves as the Data Controller. Customers retain full ownership of their data, which is stored in a secure cloud environment maintained by Wicket. 

All personally identifiable information (PII) is directly provided by the Customer or User. PII is then translated from an image to a mathematical representation of the face for identification. Wicket only captures and stores PII for the stated use of our products and minimizes exposure of this Customer and User data at all times.

The Wicket platform is designed to minimize the storage of PII, and robust access controls—aligned with recognized security frameworks—are in place to protect all data. 

Depending on the customer’s requirements, all captured data retained as part of access decisions are purged from the system per the client’s or Wicket’s terms and conditions, whichever retention policy is shorter.

This data is never sold, transferred, or otherwise utilized for any third-party purpose aside from our core products or partner integrations.

In all product cases, all decisions and analyses are made locally (i.e., Edge-Decision) on the device instead of sending data back and forth to a cloud server (i.e., Cloud-Decision). Local decisions help minimize the possibility of information being intercepted.

Because Wicket turns user photos into templates (mathematical representations), no PII is stored on the device, keeping your identity safe, even in the case of a compromised device.

Additionally, all devices are password-protected and remotely managed, and can be wiped and disabled as soon as they are reported missing.

The Wicket algorithm enhancements were developed entirely in-house by our team of scientists with the concrete goal of addressing the issue of bias. With our Wicket technology, matching or verification is based on a set of data points converted to a unique identifier, not on matching a picture. For this reason, performance is limited only by the quality of the source stills or images, which depends on a) pose (which way the person is looking), b) occlusion (facial hair, hats, glasses, or masks), and c) illumination (lighting). Therefore, efficacy and accuracy are not dependent upon age, skin tone, gender, etc.

We also submitted to NIST testing, viewed as the industry gold standard. The results show Wicket has a 99.7% accuracy rate across all demographic categories and is top 3 for accuracy of matched decisions in the U.S. at the time of submission.

Wicket has maintained a formal Information Security (InfoSec) Program since 2019 that consists of a managed cloud services provider, automated security compliance software, managed detection and response (MDR) services for vulnerability remediation, static code analysis tools, security benchmarking tools, and various other procedures and documentation that support a robust defense in depth.

Wicket also performs ongoing third-party penetration tests from trusted security vendors.

Two separate audit firms have independently audited Wicket’s platform, and we continue annual audits against multiple security frameworks. Our SOC2 Type 2 attestation report demonstrates our compliance with the security, availability, and confidentiality standards set by the American Institute of Certified Public Accountants (AICPA) as well as the core subcategories of the NIST Cybersecurity Framework. Wicket’s Information Security Management System (ISMS) received initial ISO 27001 certification in April 2023 and undergoes surveillance audits each year until re-certification. In addition, we achieved GDPR compliance in June 2023. Refer to the Resources section in the Trust Center for artifacts related to these third-party audits.

Wicket products require that different data and images be captured and held for varying time frames, depending on the customer’s use case. Data is only stored for the purpose of the product and is automatically purged according to the data policies of Wicket customers for the intended use of that data.

Images of the faces of individuals that present themselves to an Access touch-point are captured and retained for logging purposes. This data is purged from the system according to the specified data configuration of the customer. 

All images retained as part of access decisions are purged from the system per the client’s or Wicket’s terms and conditions, whichever retention policy is shorter.

Our current SOC2 Type II, NIST Cybersecurity Framework, and GDPR reports, as well as our ISO 27001 certificate, are available in our Trust Report.