Data Security and Privacy by Design
At ZipID, safeguarding personal information and applying facial authentication responsibly isn’t an afterthought—it’s foundational. We embed privacy and security into every layer of our product, guided by industry best practices and a deep commitment to protecting your trust.
A Closer Look at Our
Security Commitments
At ZipID, we embed privacy and security at the architectural level—from the first line of code, not as an afterthought. We collect only what we need, retain it only as long as necessary, and restrict access to the minimum required to perform the task. Learn more about how we think about privacy and security by design below.
It is imperative that our technology not only meet our customers’ needs but also ensure their privacy and safety. We take your trust in us very seriously and design our software to protect and securely store personal data. We help keep identities safe by making sure only our customers see and use the data to which they are legally entitled.
All data is collected, transacted and stored within the ZipID secure environment. Each customer has its own secure folder, as does each individual Form I-9. ZipID requires data and images be captured and held for varying time frames, depending on federal law and the customer’s use case. In accord with federal law, all captured data is retained or purged on a scheduled basis. All new data is held for 30 days online, with data more than 30 days old retained offline for additional security but available to customers upon request.
All customers and employees must actively opt in. Any customer may request a purge or return of data immediately and at any time upon request. All Employees may download and retain their transaction upon conclusion and approval of sending their information to the customer (employer). All users must explicitly opt in to our workflow prior to beginning the Form I-9 workflow.
All personally identifiable information (PII) is directly provided by the customer or new hire within ZipID’s secure portal. But for the selfie, only PII required to complete the Form I-9 for that employee is captured as required by federal law. ZipID only captures and stores PII for the stated federal law requirements and to assure user identity within the use of our products, always minimizing exposure of customer and employee data. This data is never sold, transferred, or otherwise used for any third-party purpose aside from our core products or partner integrations.
ZipID’s highly accurate AI-based optical reader technology assures that ID information extracted for the purpose of Form I-9 autofill creates confidence that data in each Form I-9 field is accurate. Even with use of OCR technologies, ZipID provides an extra layer of accuracy, enabling employees and customers to check extracted data and make “tracked” changes as need be. In addition, in the background, our OCR is checking and verifying IDs against fraud. While ZipID does not guarantee that our OCR will detect fraud on every submitted ID, we have great confidence that the OCR is providing useful information to employers to augment legal authorization determinations of their new hires , including "identity risk alerts".
We use mathematical representations of faces instead of actual photos to produce matching “confidence scores" that the new hire is who they say they are. No third party has access to ID images or photos. In addition, all data is encrypted at rest and in transit to keep identities safe, even if our AWS infrastructure is compromised. ZipID algorithms are developed and optimized to assure accuracy. Our recent algorithms submitted to the National Institute of Science and Technology (NIST), viewed as the industry gold standard, show that ZipID has a 99.8% accuracy rate and is top 3 for accuracy of matched mugshot:mugshot decisions in the U.S. as of March 2025, which is the closest test to ZipID selfie:ID image match.
Infrastructure Security
ZipID uses Amazon Web Services and embedded security products within their trusted ecosystem to host and deploy our applications using containers run on AWS managed services. Every customer has its own dedicated folder, and within each folder every Form I-9 is separated. All data is encrypted in transit and at rest. Moreover, no data leaves our platform, assuring data of both employers and employees is safe.
ZipID performs ongoing third-party penetration tests from trusted security vendors during both development and post-deployment of our product. All activity is made within ZipID’s cloud server. Assuring personal data never leaves the ZipID cloud server minimizes the possibility of information being intercepted or hacked. Additionally, all data is encrypted at industry standard levels at rest and in transit within our instance.
Frequently Asked Questions
Is ZipID ICE-compliant I-9 software?
Yes. ZipID is designed to satisfy all five federal electronic I-9 system requirements under 8 CFR § 274a.2, including compliant audit trails, electronic signature protocols, and secure storage standards — including the March 2026 ICE reclassification of substantive violations.
As of January 2, 2025, I-9 paperwork violations carry fines of $288 to $2,861 per form under 8 CFR § 274a.10(b)(2). Knowingly hiring unauthorized workers carries fines up to $28,619 per worker for repeat offenses. ICE audit rates in 2025 ran at least ten times higher than in 2024.
ZipID uses NIST-validated biometric facial recognition at 99.998% accuracy to match a live selfie to the photo on the new hire's government-issued ID. OCR extracts and autofills document data, and fraud detection checks for tampered, synthetic, or spoofed documents.
ZipID plans to become a certified E-Verify third-party agent by August 2026. E-Verify completion is currently part of the I-9 workflow after the employer signs the form, with ZipID toggling to E-Verify, and then data from the E-Verify case is autofilled into the Additional Information box on the I-9 form, for preservation and audit purposes.
What is NIST and why does it matter for I-9 verification?
NIST — the National Institute of Standards and Technology — is a federal agency that sets the accuracy and performance benchmarks for biometric and identity verification technologies. For I-9 compliance, NIST standards matter because they provide an independent, government-validated measure of whether a facial recognition system is accurate enough to trust. ZipID uses NIST-tested algorithms rated at 99.8% accuracy, meaning employers can be confident that the identity match on every new hire meets the highest federal standard — not just a vendor's own claim.
ZipID completes the entire Form I-9 process — including identity verification, document capture, and E-Verify — in under 8 minutes, for both remote and in-person new hires.
ZipID's 1:1 facial recognition — which matches a live selfie to the photo on a government-issued ID — is rated at 99.8% accuracy using NIST-validated algorithms. This means fewer than 2 mismatches per 1,000 verifications. The system also includes liveness detection to prevent spoofing, ensuring the selfie is from a real, present person and not a photo or deepfake.
CR — Optical Character Recognition — is technology that reads and extracts text from physical documents like government-issued IDs. ZipID uses AI-powered OCR to instantly capture and interpret data from a new hire's ID, then automatically populate the required fields on Form I-9 — eliminating manual data entry, typos, and transcription errors. Unlike basic OCR tools, ZipID's AI layer also cross-checks extracted data for logical consistency, validates security features, and flags tampered, synthetic, or spoofed documents — turning a simple document scan into a fraud detection checkpoint.
ZipID uses NIST-validated biometric facial recognition at 99.8% accuracy to match a live selfie to the photo on the new hire's government-issued ID. OCR extracts and autofills document data, and fraud detection checks for tampered, synthetic, or spoofed documents.
It is completely the employer's choice. Facial authentication can assure that a new hire is who they say they are, and the ID they present matches their live self.
This is especially important for remote workers, or industries subject to immigration fraud or economic espionage from foreign adversaries who may pose as Americans for access to proprietary information.
How long does it take to complete an I-9 with ZipID?
ZipID completes the entire Form I-9 process — including identity verification, document capture, and E-Verify — in under 8 minutes, for both remote and in-person new hires.
ZipID is an I-9 compliance and identity verification platform that combines facial recognition, OCR document capture, and fraud detection to verify new hire identities and complete Form I-9 in under 8 minutes — with a legally compliant audit trail built in. It is the only I-9 platform built by the person who helped write the federal identity doctrine behind the law.
Who built ZipID?
ZipID was founded by Janice Kephart, former counsel to the 9/11 Commission and a national security identity expert with 25 years of federal and private sector experience, as a lawyer and policy and technology identity expert. Kephart authored the federal identity doctrine and biometric entry-exit recommendations that underlie today's I-9 compliance framework. She has testified before Congress 19 times on identity-related issues, and is an I-9 expert.