For security, privacy & legal teams

Security and privacy, built into the ceremony.

Sonavera puts explicit consent, tenant boundaries, protected biometric templates, limited outputs, and disclosed retention around each identity check—so your team can evaluate concrete controls, not broad promises.

This page is an executive summary of product controls. The current platform legal documents govern each ceremony.

Six controls surround a consented, tenant-scoped Sonavera ceremony.
ConsentedCeremonytenant scoped
BeforePurpose disclosed
GateConsent current
ScopeTenant isolated
DataTemplates protected
ResultEvidence minimized
AfterDeletion scheduled
AdmissionValid consent required
IsolationTenant-scoped matching
OutputCompact signed evidence
LifecycleDisclosed deletion boundary

Control map

A control at each boundary.

The ceremony carries its privacy context from disclosure through deletion instead of treating consent, security, and retention as separate paperwork.

01

The notice is specific

When fresh consent is required, the user sees who requested the check, its purpose, enabled checks, disclosed material processors, and the applicable retention boundary.

02

Consent gates processing

Ceremony startup rejects a missing, inactive, malformed, or superseded consent receipt instead of silently continuing.

03

Matching is tenant-scoped

Resolver sessions constrain database work to a validated tenant schema, with live database tests pinning the isolation boundary.

04

Templates are protected

Stored biometric vectors use tenant-specific transforms, AES-GCM protection, encrypted data keys, and versioned key material.

05

Results are minimized

Signed outputs carry compact evidence claims—not raw media, biometric embeddings, resolver vectors, or a tenant action recommendation.

06

Deletion is operational

The platform stamps a deletion deadline, sweeps eligible artifacts, and records the deletion outcome for accountability.

Tenant isolation

The boundary is structural.

Resolver database sessions set a validated tenant-specific schema for the transaction and reassert it after commits. Candidate matching stays inside that boundary. Stored vectors add tenant-specific transforms and encryption key versions.

Two tenant matching flows remain separated with no shared candidate pool.
Tenant Aisolated
Request
Resolver
Protected records
No shared candidate pool
Tenant Bisolated
Request
Resolver
Protected records

Signed-result boundary

Your app receives evidence—not the ceremony.

Signed artifacts carry compact, policy-referenced claims. Sonavera reports what happened; your backend validates the artifact and decides what the evidence means for your product.

A signed Sonavera result includes compact evidence and excludes raw ceremony data.
Signed evidence resultpolicy-referenced

Inside the result

  • Ceremony lifecycle and timestamps
  • Normalized check outcomes
  • Policy and evidence references
  • Tenant-safe coarse context

Outside the result

  • Raw audio, video, or biometric vectors
  • Face or voice embeddings
  • Prior-match identifiers
  • Allow or deny recommendations

Retention

A deadline, not a slogan.

At admission, each ceremony receives an artifact-deletion deadline bounded by its governing consent and the applicable retention policy. The platform carries that deadline into scheduled deletion and a durable deletion record.

1

Disclose

When collecting fresh consent, show the Sonavera-held artifact period or delete-no-later-than boundary.

2

Stamp

Bind the applicable consent and tenant policy to the ceremony record.

3

Purge

Automatically remove eligible ceremony artifacts when their deadline arrives.

4

Record

Keep a minimal consent and deletion record separate from the deleted artifacts.

Integration controls

Trust your backend, not a redirect.

Sonavera supports familiar integration shapes while keeping the authoritative decision path on systems you control.

01 / OIDC

Bound authorization

Authorization Code with S256 PKCE, required state, and required nonce bind the browser flow to the initiating client.

02 / API redirect

Backend source of truth

The browser return is advisory. Your backend retrieves the authoritative ceremony result with backend-held credentials.

03 / Webhooks

Verifiable callbacks

Signed webhook deliveries let your backend verify the callback before it drives downstream behavior.

Common review questions

Direct answers, clear limits.

Does Sonavera make the final allow or deny decision?

No. Sonavera reports ceremony lifecycle and normalized evidence. The relying organization validates the result and applies its own policy to the protected action.

Does the relying organization receive raw biometric data?

No. The signed-result contract excludes raw audio and video, face and voice embeddings, resolver vectors, prior-match identifiers, raw IP-derived identifiers, and raw browser or network fingerprints.

How are service providers disclosed?

The consent experience records the platform’s disclosed material-processor list. It is a policy disclosure, not a runtime attestation that every optional provider was invoked. Current subprocessor information and provider-retention notes are in the platform legal center.

What certifications or regulatory statuses does this page claim?

None. Product architecture is not a certification. We will distinguish implemented controls, current legal terms, and roadmap work in diligence rather than infer SOC 2, ISO 27001, HIPAA, GDPR, penetration-test, or audit status.

Is this page the governing privacy or biometric notice?

No. This is a readable product overview. The versioned Privacy & Biometric Notice, Biometric Consent Text, Retention Policy, and Subprocessor Policy presented through the platform legal center remain authoritative.

Bring us your security questionnaire.

We will map questions to implemented controls, current legal terms, and open diligence items—without overstating the evidence.