ID.me conforms to the Privacy Trust Criteria set forth in the FICAM Trust Framework Provider Adoption Process.
Relying Parties may only request the minimum set of personal data that is reasonably required to deliver a defined benefit or service. Collection, storage, and release of any data is always performed with the express consent of the user. Before ID.me transmits any data on behalf of a user, the user must always review the specific data fields that the relying party is requesting. Lastly, the user must provide explicit authorization and consent for ID.me to release the data. ID.me's architecture and complete deference to user control are compatible with GDPR and all similar emerging privacy regimes that empower users to control their data.
ID.me uses a defense-in-depth strategy designed to secure Personally Identifiable Information (PII).
The NIST Risk Management Framework (including Kantara Initiative identity management controls) structures our information security program. ID.me has implemented rigorous technical and policy controls to protect the privacy and security of users’ information in alignment with NSTIC principles, the Kantara Trust Framework, GSA FICAM, NIST 800-63-2, NIST 800-53 control family, National Strategy for Trusted Identities in Cyberspace (NSTIC) Privacy Principles, Fair Information Practice Principles, and NIST’s Cybersecurity Framework.