9. Security Requirements

Client systems must protect KYC credentials, applicant data, and review results across SDK, API, webhook, and operational workflows.

Requirement              Description
Backend token handling   SDK access tokens must be generated or requested server-side.
No frontend secrets      Sumsub App Token and Secret Key must never be exposed in frontend or mobile code.
HTTPS only               All API and webhook traffic must use secure transport.
Access control           Only authorized systems and users may access KYC result data.
Data minimization        Store and transmit only required KYC fields.
Audit logging            Log applicant identifiers, result, timestamp, sourceKey, and final handling decision.
Environment separation   Keep sandbox and production credentials/configuration separate.
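The following Python module is an added example, not code from this document or from Sumsub, showing how a backend can satisfy several of the requirements above at once: credentials are loaded per environment (sandbox vs production) and never leave the server, the access-token request is built and signed server-side, non-HTTPS base URLs are rejected, and the webhook handler keeps only the audit fields listed above. The request-signing scheme (HMAC-SHA256 over timestamp, method, path and body in the X-App-Access-* headers), the /resources/accessTokens path and the two base URLs are assumptions drawn from Sumsub's public API documentation and should be checked against the current version; the environment-variable names, user id, level name and webhook payload are constructed for the example.

```python
"""Server-side KYC helpers (added example; assumptions noted inline)."""
import hashlib
import hmac
import os
import time
from urllib.parse import urlencode, urlsplit

# Environment separation: each environment resolves its own credentials and
# base URL from distinct variables. Base URLs are assumptions, overridable
# via <PREFIX>BASE_URL for tests or staging.
ENVIRONMENTS = {
    "sandbox": {"prefix": "SUMSUB_SANDBOX_", "base_url": "https://test-api.sumsub.com"},
    "production": {"prefix": "SUMSUB_PROD_", "base_url": "https://api.sumsub.com"},
}


def load_credentials(environment, env=os.environ):
    """Return (base_url, app_token, secret_key) for one environment.
    Secrets come from the server's environment, never from client code."""
    cfg = ENVIRONMENTS[environment]
    base_url = env.get(cfg["prefix"] + "BASE_URL", cfg["base_url"])
    app_token = env.get(cfg["prefix"] + "APP_TOKEN")
    secret_key = env.get(cfg["prefix"] + "SECRET_KEY")
    if not app_token or not secret_key:
        raise RuntimeError(f"missing Sumsub credentials for {environment}")
    return base_url, app_token, secret_key


def sign_request(secret_key, ts, method, path, body=""):
    """Assumed Sumsub scheme: hex HMAC-SHA256 of ts + METHOD + path + body."""
    message = f"{ts}{method.upper()}{path}{body}".encode()
    return hmac.new(secret_key.encode(), message, hashlib.sha256).hexdigest()


def build_access_token_request(environment, external_user_id, level_name,
                               env=os.environ, now=None):
    """Backend token handling: assemble the signed request an HTTP client
    would send to obtain an SDK access token. Only the resulting SDK token
    (not the App Token or Secret Key) is ever handed to the frontend."""
    base_url, app_token, secret_key = load_credentials(environment, env)
    if urlsplit(base_url).scheme != "https":  # HTTPS only
        raise ValueError(f"refusing non-HTTPS base URL: {base_url}")
    ts = str(int(now if now is not None else time.time()))
    path = "/resources/accessTokens?" + urlencode(
        {"userId": external_user_id, "levelName": level_name})
    return {
        "method": "POST",
        "url": base_url + path,
        "headers": {
            "X-App-Token": app_token,
            "X-App-Access-Ts": ts,
            "X-App-Access-Sig": sign_request(secret_key, ts, "POST", path),
        },
    }


# Constructed webhook payload; carries more than we are allowed to store.
SAMPLE_WEBHOOK = {
    "applicantId": "applicant-123",
    "externalUserId": "user-1",
    "inspectionId": "inspection-456",
    "correlationId": "req-789",
    "levelName": "basic-kyc-level",
    "reviewStatus": "completed",
    "reviewResult": {"reviewAnswer": "GREEN"},
    "sourceKey": "mobile-app",
}


def audit_record(webhook_payload, decision, now=None):
    """Data minimization + audit logging: keep exactly the fields the
    requirements list (applicant identifiers, result, timestamp, sourceKey,
    final handling decision) and drop everything else from the payload."""
    review = webhook_payload.get("reviewResult") or {}
    return {
        "applicantId": webhook_payload.get("applicantId"),
        "externalUserId": webhook_payload.get("externalUserId"),
        "result": review.get("reviewAnswer"),
        "timestamp": int(now if now is not None else time.time()),
        "sourceKey": webhook_payload.get("sourceKey"),
        "decision": decision,
    }


if __name__ == "__main__":
    demo_env = {"SUMSUB_SANDBOX_APP_TOKEN": "app-token-placeholder",
                "SUMSUB_SANDBOX_SECRET_KEY": "secret-key-placeholder"}
    print(build_access_token_request("sandbox", "user-1", "basic-kyc-level", demo_env))
    print(audit_record(SAMPLE_WEBHOOK, "approved"))
```

The request builder deliberately returns the signed request instead of sending it, so the credential handling can be unit-tested without network access; the caller forwards only the SDK token from Sumsub's response to the client, and the audit record is what gets written to the log store, never the raw webhook body.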