Published June 22, 2026
Last updated June 22, 2026

An independent code review of Persona’s data practices

We worked with Trail of Bits, an independent security firm, to examine our source code and assess whether our systems align with our public statements on how we process your data.
Rick Song

We believe trust is earned through demonstration and transparency, not promises. That’s why we worked with Trail of Bits, an independent security firm that has spent years reviewing the code behind widely used software, from cryptography libraries to critical open-source infrastructure.

Persona regularly undergoes independent third-party audits across our security, privacy, and product programs. Some certifications are designed to demonstrate that our products are safe, effective, and fit for purpose. Others, such as ISO 27001, reflect the maturity of our broader information security, operational, and risk management practices. We also conduct regular privacy impact assessments in coordination with privacy bodies around the world.

But most audits don’t actually look at the code. They focus on policies, consent flows, retention schedules, internal controls, and interviews with our legal, privacy, and engineering teams. That work matters, but it usually stops short of an outside party reading the actual code to check that our systems do what we say they do.

This review was different. Trail of Bits directly examined the source code of our platform and infrastructure to assess a specific set of claims I’ve made in the past about how our platform handles data. They found no evidence that violates those claims.

Our breakdown of the findings

Persona’s identity checks are configured by customers

Trail of Bits confirmed that Persona’s identity checks are a menu of things the platform can do, not a set applied to every person. Most customers use a small fraction of the available checks, such as government ID and selfie verification. More sensitive verifications, such as checks to comply with anti-money laundering regulations, are gated behind extra due diligence and a demonstrated, permissible reason to use them.

We intentionally limit our platform to what is necessary for each customer's specific business use case to prevent excess user data from being processed irresponsibly. As previously stated, no Persona customer comes close to using all of the checks. 

Persona’s maximum biometric data retention is 3 years

Trail of Bits reviewed the code that governs data retention and found no evidence that Persona retains biometric data, as defined by GDPR, and confirmed the existence of a hard-coded three-year maximum limit for retention.

Organizations have the ability to configure how long they retain this data within this limit, and we advise customers to delete data immediately after verification unless necessary to comply with regulations.
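The design point above, a per-organization retention setting that is honored only within a hard-coded ceiling, can be made concrete with a small added example. This is illustrative code written for this page, not Persona's code and not anything Trail of Bits reviewed; the ceiling constant, the zero-day default for organizations that have not configured a value, the `BiometricRecord` type and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical hard-coded ceiling standing in for the "three-year maximum"
# the post describes. Constructed value: 3 years expressed as days.
MAX_RETENTION_DAYS = 3 * 365


@dataclass(frozen=True)
class BiometricRecord:
    """Constructed stand-in for a stored biometric artifact."""
    record_id: str
    org_id: str
    created_at: datetime  # timezone-aware


def effective_retention_days(configured_days: Optional[int]) -> int:
    """Return the retention period actually applied for one organization.

    The organization's configured value is honored only up to the ceiling;
    a value above the ceiling is clamped rather than rejected, so a tenant
    misconfiguration can never extend retention. An unconfigured organization
    falls back to 0 days (delete as soon as verification is complete), which
    is an assumption made for this example.
    """
    if configured_days is None:
        return 0
    if configured_days < 0:
        raise ValueError("retention must be non-negative")
    return min(configured_days, MAX_RETENTION_DAYS)


def records_due_for_deletion(
    records: List[BiometricRecord],
    org_config: Dict[str, int],
    now: datetime,
) -> List[str]:
    """Select record ids whose age has reached their org's effective retention.

    The ceiling is applied per record at sweep time, so even a record whose
    org later raised its setting above the maximum is still swept on time.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    due = []
    for rec in records:
        if rec.created_at.tzinfo is None:
            raise ValueError(f"{rec.record_id}: created_at must be timezone-aware")
        limit = timedelta(days=effective_retention_days(org_config.get(rec.org_id)))
        if now - rec.created_at >= limit:
            due.append(rec.record_id)
    return due


def demo() -> List[str]:
    """Run the sweep over constructed sample data and return the ids swept."""
    now = datetime(2026, 6, 22, tzinfo=timezone.utc)
    # Constructed per-organization settings: org-a keeps 30 days, org-b asks
    # for far more than the ceiling allows, org-c has configured nothing.
    org_config = {"org-a": 30, "org-b": 10_000}
    records = [
        BiometricRecord("r1", "org-a", now - timedelta(days=31)),   # past 30 days
        BiometricRecord("r2", "org-a", now - timedelta(days=10)),   # still inside
        BiometricRecord("r3", "org-b", now - timedelta(days=1100)), # past ceiling
        BiometricRecord("r4", "org-b", now - timedelta(days=1000)), # inside ceiling
        BiometricRecord("r5", "org-c", now - timedelta(hours=1)),   # 0-day default
    ]
    return records_due_for_deletion(records, org_config, now)


if __name__ == "__main__":
    print(demo())  # ['r1', 'r3', 'r5']
```

The clamp lives in one function that every caller goes through, which is what makes a ceiling like this auditable in a code review: a reviewer can confirm the constant, confirm that no code path bypasses `effective_retention_days`, and confirm that the sweep compares against the clamped value rather than the raw tenant setting.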

Data processing always happens inside Persona's own systems, and only to verify that you are who you say you are.

Persona’s watchlist endpoints verify only against public sources with no proprietary databases

Trail of Bits found no evidence that the endpoint does anything beyond standard attribute matching on name, date of birth, country, and address against publicly available sources, with no proprietary databases, and returning the result. They also found no biometric processing.

Customers use Persona's watchlist endpoints to perform industry-standard sanctions and screening checks to comply with regulations.

Persona does not have a backdoor for law enforcement access

Trail of Bits went through our admin tools, login systems, and infrastructure and found no evidence of any channel or backdoor that would allow law enforcement into Persona or into your data. 

Customers that operate in financial services may file anti-money laundering reports to various government agencies through our platform as required to comply with regulations. 

Persona does not link your face to financial or law enforcement databases

Across the systems they reviewed, Trail of Bits traced how biometric data flows in and out and found no evidence that it is transmitted to financial or law enforcement databases. They also did not find any connection to or usage of Fivecast ONYX by the onyx.withpersona-gov.com application.

Customers may use Persona to verify your information against government issuing databases (e.g. the DMV) solely to confirm you are who you say you are.

What this review can and can't tell you

The researchers at Trail of Bits spent three engineering weeks reviewing the source code of our platform and infrastructure, with access to the complete history of that code, our internal documentation, and a live test environment. You can read the full attestation letter of the specific claims verified and their findings here.

However, we also want to be upfront about the scope of their review. A company determined to hide something could do it in a way that wouldn't show up in the code. We also didn't give them access to any of our customers’ data. That limits the scope of what they can review, but was a strict requirement to ensure the privacy of personal data.

And while no code review can prove the absence of something with absolute certainty, this review found no evidence that the code and environment violate claims we’ve made about what our system does.

Why this matters to us

Charles and I started Persona because proving who you are online is broken. It's getting harder than ever to be a real person online, and too much of Tech handles your most sensitive data as an afterthought. A problem as sensitive as your identity deserves a team whose only focus is solving it the right way.

With AI, it's never been easier to flood platforms with fake people, stolen identities, and bots. It's a slow rot you can feel everywhere online: in astroturfed opinions and bot-run accounts, in fraud rings and phishing scams that get more convincing every month, and in a growing sense that you can't trust the stranger on the other side. For the internet to remain a place for real humans, online identity has to be better.

But we're also very aware of the risks of solving this problem poorly, of how the same technology can enable surveillance or lead to even more data breaches. That's why we believe it's important to be clear about our principles for how we operate and build:

  • We don’t sell or share your data. We never will, and we legally can’t. We collect data solely to verify your identity.

  • We collect only what's needed and keep only what's required. Our customers decide how long personal data is retained, within privacy limits we enforce.

  • We're open about what we do and how we do it. Honestly, we haven't done a good job here, but we’re trying to do better starting with this and will continue to do more.

Given the track record Tech has built over the past decade, you'd be right not to take us at our word. That's why we brought in Trail of Bits — because your concerns deserved more than "trust us."

Whether you’re someone who’s verified with Persona, a customer wondering about how we operate, or just someone who wants the internet to stay a place for people, I hope this helps.

— Rick

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Rick Song
Rick Song is a co-founder and CEO at Persona. He is passionate about the future of digital identity and building a better online identity infrastructure.