| Requirement | Description |
|---|---|
| Backend token handling | SDK access tokens must be generated or requested server-side. |
| No frontend secrets | Sumsub App Token and Secret Key must never be exposed in frontend or mobile code. |
| HTTPS only | All API and webhook traffic must use secure transport. |
| Access control | Only authorized systems and users may access KYC result data. |
| Data minimization | Store and transmit only required KYC fields. |
| Audit logging | Log applicant identifiers, result, timestamp, sourceKey, and final handling decision. |
| Environment separation | Keep sandbox and production credentials/configuration separate. |
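How the token-handling, secret-handling, transport and audit-logging rows above look in backend code, as an added Python example that is not from the page or from Sumsub's own SDK. It assumes Sumsub's documented request signing (hex HMAC-SHA256 over timestamp + method + path + body, sent in the `X-App-Token`, `X-App-Access-Ts` and `X-App-Access-Sig` headers); the `/resources/accessTokens` path, its query parameters and the environment variable names are assumptions.

```python
import hashlib
import hmac
import json
import os
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SUMSUB_BASE_URL = "https://api.sumsub.com"  # HTTPS only; an http:// value is refused below


def sign_request(secret_key: str, ts: int, method: str, path: str, body: bytes = b"") -> str:
    """Hex HMAC-SHA256 over ts + METHOD + path (incl. query) + raw body."""
    data = str(ts).encode() + method.upper().encode() + path.encode() + body
    return hmac.new(secret_key.encode(), data, hashlib.sha256).hexdigest()


def signed_headers(app_token, secret_key, method, path, body=b"", ts=None) -> dict:
    """Per-request auth headers; the Secret Key itself never leaves this process."""
    ts = int(time.time()) if ts is None else ts
    return {"X-App-Token": app_token,
            "X-App-Access-Ts": str(ts),
            "X-App-Access-Sig": sign_request(secret_key, ts, method, path, body),
            "Accept": "application/json"}


def access_token_path(user_id: str, level_name: str, ttl_secs: int = 600) -> str:
    """Assumed endpoint shape; confirm against Sumsub's current API reference."""
    return "/resources/accessTokens?" + urlencode(
        {"userId": user_id, "levelName": level_name, "ttlInSecs": ttl_secs})


def request_sdk_token(user_id: str, level_name: str) -> str:
    """Backend only: credentials come from the environment, never from client code."""
    app_token, secret_key = os.environ["SUMSUB_APP_TOKEN"], os.environ["SUMSUB_SECRET_KEY"]
    if not SUMSUB_BASE_URL.startswith("https://"):
        raise RuntimeError("refusing to send credentials over non-TLS transport")
    path = access_token_path(user_id, level_name)
    req = Request(SUMSUB_BASE_URL + path, method="POST",
                  headers=signed_headers(app_token, secret_key, "POST", path))
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]  # forward only the short-lived token to the client


def audit_record(applicant_id, result, source_key, decision, ts=None) -> dict:
    """Exactly the fields the requirements list; no document images or extra PII."""
    return {"applicantId": applicant_id, "result": result,
            "timestamp": int(time.time()) if ts is None else ts,
            "sourceKey": source_key, "decision": decision}
```

Use separate `SUMSUB_APP_TOKEN` / `SUMSUB_SECRET_KEY` values (and base URL) per sandbox and production deployment so the environment-separation row is enforced by configuration rather than by code paths.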