Security at Wicket
Our current SOC2 Type II report and ISO 27001 certificate are available in our Trust Report.
Wicket Values Your Security
Wicket restores trust in the use of biometric identification by keeping data security at the forefront of our products and following industry best practices related to system security.
To use Wicket facial authentication, all users must explicitly opt in prior to uploading an image into our system. All users can opt out at any time. Depending on the customer’s requirements, all captured data is purged on
a scheduled basis. In all cases where Wicket makes a decision on a non-registered User, that data is non-identifiable and is not used by Wicket except to match that person against a registered User.
Data Privacy & Security
In all product cases, all decisions and analyses are made locally (i.e., Edge-Decision) on the device instead of sending data back and forth to a cloud server (i.e., Cloud-Decision). Local decisions help minimize the possibility of information being intercepted. Additionally, all data is encrypted at industry standard levels at rest and in transit.
Wicket algorithms are developed and optimized in-house by our team of scientists in Cambridge, MA, and are designed to address bias. We submitted to NIST testing, viewed as the industry gold standard. The results show Wicket has a 99.7% accuracy rate across all demographic categories and is top 3 for accuracy of matched decisions in the U.S.
Personally Identifiable Information
ONLY WHEN NEEDED
All PII is directly provided by the Customer or User. PII is then translated from an image to a mathematical representation of the face for identification. Wicket only captures and stores PII for the stated use of our products
and minimizes exposure of this Customer and User data at all times. This data is never sold, transferred, or otherwise utilized for any third-party purpose aside from our core products or partner integrations.
A SECURE STACK
Wicket utilizes Amazon Web Services and embedded security products within their trusted ecosystem to host and deploy our applications using containers run on AWS managed services. Wicket also uses Alert Logic, a managed detect and respond provider for threat and intrusion detection.
Wicket performs ongoing third-party penetration tests from trusted security vendors. Wicket also uses static code analysis tooling to secure our product at every step of the development process.
Data & Image Retention
Wicket products require that different data and images be captured and held for varying time frames, depending on the customer’s use case. Data is only stored for the purpose of the product and is automatically purged according to the data policies of Wicket customers for the intended use of that data.
Images of the faces of individuals that present themselves to an Access touch-point are captured and retained for logging purposes. This data is purged from the system according to the specified data configuration of the
It is imperative that our technology not only meet our customers’ needs but also ensure their privacy and safety. We take your trust in us very seriously and design our software to protect and securely store your personal data.
Your Face is Safe
All users must actively opt-in, and users who wish to opt-out of the program may do so immediately and at any time.
Customer Owned Lists
Customers exclusively own the database where information lives, and all Personally Identifiable Information (PII) lives on the cloud, preventing 3rd party access or sharing.
We use mathematical representations of faces instead of actual photos, meaning devices store no photos and keep your identity safe, even when compromised.
VS FACIAL RECOGNITION
It is misleading to refer to the system process as ‘Facial Recognition’ in its traditional sense. Facial recognition systems like those used by law enforcement or security agencies (to identify an unknown individual by running an image through an extensive database) are based on a ‘One to Many’ or ‘1:N’ analysis. Wicket access control and ticketing products utilize a ‘One to One’ or ‘1:1’ match where the system is simply verifying the identity of an individual who has already provided consent to be in the system.