At Orba One, we’re creating a more inclusive world, where identity inclusion is the key to access. We help our clients enable their users to access services quickly, easily—and most important of all—securely. The information we collect and use helps us with that mission—and that’s it. No surprises.
To provide our Identity Services, we need to collect certain information about our clients’ users. The exact information needed depends on the check that’s being carried out on behalf of our client. For example, when verifying the identity of a user, we’ll ask for an image of their identity document as well as a picture or video of their face. We’ll then seek to verify whether the identity document is likely to be genuine and whether the person in the photo or video is likely the same person pictured in the identity document. We will also look to identify signs of fraud (for example, someone wearing a mask to impersonate another person or to conceal their own real identity). If the user is successful on both the document and facial verification checks, Orba One’s client will likely consider the user to have proven their identity.
In some cases, we may also further check whether we have previously verified a user on behalf of a specific client by comparing the picture of their face to the pictures previously provided by that client. This helps our clients not only verify identity but further protects them and their users by helping them understand when a user may be generating multiple identities.
To do all of this, we closely examine the information contained in the images, including the machine-readable data (such as an identity document’s barcode) and the image metadata (such as the name of the camera model used to take the image).
The Orba One Identity Lifecycle below shows you how we collect that information
Clients are organizations that have asked Orba One to verify an identity or carry out checks related to that identity. Once we have verified an identity or run a check, we share the results with the client in an Orba One Report, as described further below. The client then decides how they want to proceed with the user based on the results. In some cases, the client might ask for additional information before making a decision. Also, some clients only ask us to carry out a check if an earlier check was passed or not passed. This ensures we only do the minimum number of checks needed.
The User Users are individuals whose identities we verify or otherwise check on behalf of our clients. We collect users’ information from clients or directly from the users themselves. This information might include an image of an identity document (e.g. a passport or a driver's license), photos (at times, taken in quick succession for anti-fraud purposes) or a video of the user, and the biometric facial identifiers in those images. This enables us to help the client verify that the user is the true owner of the identity document and has not shown signs of fraud. In some circumstances, we may also collect device identifiers to help us understand whether a device has previously been used in relation to suspected fraudulent activity. Similarly, we also collect identity information that has been leaked or otherwise made available on the internet to further combat fraud. Lastly, we will briefly collect (but not retain) IP addresses to determine the city and country in which a user is located so that we may provide them with a localized service, where required to meet our legal obligations.
Data Providers Data providers are used to provide additional information to carry out specific checks. For example, if we need to verify a user’s Tax registration number, we might ask for additional information from the appropriate governmental driving body. We also keep logs of how our clients, users, and data providers interact with our Identity Services. This might include timestamps of when the information was submitted to Orba One, and information about the device used to submit that information. Sometimes, we receive information we don’t need to provide our Identity Services. For example, instead of a picture of their identity document, a user might upload a completely unrelated image. When this happens, we seek to delete this data.
Passing an Orba One Check
If we’re able to verify the identity of a user and the user is able to pass all requested checks, we notify the client who can then continue with their onboarding process.
Not Passing the Orba One Check
If we’re unable to verify the identity of a user or the user isn’t able to pass all requested checks, we recommend to the client that they conduct additional checks before continuing with the onboarding process. We sometimes help with those additional checks too.
Developing Our Identity Services
To further develop our Identity Services, we train our computers to recognize specific patterns in the information and make predictions about new sets of information based on those patterns. This is known as machine learning. We’ve gathered a substantial and unique set of images from around the world, from which we can train our machine learning models to locate and extract the information in documents, detect fraudulent documents, and engage in facial verification. We also train our human analysts to perform those tasks so they can assist when our machine learning models aren’t best suited for the task or are still learning. Sometimes, we’ll also re-run and re-submit checks to ensure our Identity Services are working properly, particularly when testing a new feature or service for quality assurance. Together, these developments help make Orba One’s Identity Services stronger and safer for all clients and users. We use the information to provide and maintain our Identity Services on behalf of clients on the basis that the user has consented to the processing or otherwise requested Identity Services, the client has a legitimate or lawful reason for requesting Identity Services, or the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest. We also use the information to further develop our Identity Services on the basis that the processing is necessary for the legitimate interest of the client or Orba One’s, the processing is necessary to carry out a task in the public interest or for reasons of substantial public interest, the processing is necessary for scientific research purposes, or the user has provided their consent.
When providing our Identity Services, we will frequently extract and compare numerical biometric data from facial images to understand whether two faces are likely to be a match. We do this on behalf of our clients for two reasons. Primarily, we will check whether a user owns their identity document by comparing an image of their face to the facial image contained in the identity document. We will also check whether those facial images show signs of fraud - for example, by comparing a person’s numerical biometric data to those of known masks. When we do this, we do not retain the extracted numerical biometric data for any length of time beyond this comparison. In addition, we may also check whether we have previously verified a user on behalf of a specific client to help that client understand when a user may be generating multiple identities. We do this by comparing the facial image of a user to the facial images of other users previously verified on behalf of that specific client. To provide this check quickly, we store the numerical biometric data extracted from the previously collected facial images until the client deletes those original images.
When we verify an identity or carry out a check on behalf of a client, we provide an Orba One Report to that client. This Orba One Report details our recommendation and the reasoning behind it. The reasons are generated from the different machine learning models and human-powered processes that are used to verify an identity or perform a check. By providing our clients with these detailed Orba One Reports, our aim is to empower our clients to make informed decisions about users and to provide specific help to users that are having difficulty in passing an Orba One check.
Orba One takes appropriate administrative, physical, technical and organizational measures designed to help protect information about users from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. For more information about information security at Orba One, please see our security document. If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the Orba One security team at [email protected]
We perform our Identity Services on behalf of our clients for a variety of different reasons. Those reasons are identified by our clients, and we rely on them to tell us when they no longer need us to store the information we’ve collected on their behalf. Once instructed, either through our agreement with the client or through an ad hoc request, we delete the information we have collected about users when performing the requested Identity Services. If you, as a user, would like to make a specific request to have your information deleted, please make that request directly to the client that carried out your related check. For more information about how to do this, please see below under “Your Rights”. Where we have a legitimate legal reason, we may also store information for longer than described above – for example, where we are under a binding legal order not to destroy information.
If you would like to access a copy of your information, have your information deleted, or otherwise exercise control over how your information is used, please contact Orba One at [email protected]. Please be aware, most requests may require us to notify the relevant client (as described above in the Orba One Identity Lifecycle) so the client may fulfill the request instead (and not Orba One). This is necessary where Orba One is acting on the client’s behalf.
As Orba One provides its Identity Services on behalf of its clients, Orba One will not disclose any information related to a specific check pursuant to a government or law enforcement request unless there is a binding legal order to do so or our client has consented to the disclosure. This is necessary for us to comply with our legal obligations. Any government or law enforcement body requesting information related to a specific check may contact us at [email protected], and we will seek to put you in contact with the relevant client.