We know creators are paying close attention to identity verification right now. Here are the answers to the questions we hear most, in plain terms.
Who is Sumsub and where are they based?
Sumsub is a specialist identity verification provider founded in 2015 and headquartered in London, United Kingdom (30 St. Mary Axe). They're an independent company — not part of any government program, not affiliated with any social media platform — and they're used by 4,000+ businesses worldwide, primarily in fintech, regulated financial services, crypto exchanges, online marketplaces, and creator platforms. They're SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 certified.
What exactly does Sumsub keep, and for how long?
Sumsub captures and processes the data needed to confirm your identity — your ID document, your selfie for a liveness check, and the basic identity fields (name, date of birth) extracted from the ID. They retain that data only for the period required for verification and to meet financial-services record-keeping rules, then it's deleted. Xsolla does not store copies of your document or your selfie.
Will my ID or selfie be shared with the government, ICE, or any law-enforcement agency?
No. Sumsub processes your verification data on Xsolla's behalf — for the sole purpose of confirming your identity for payout eligibility. Your data isn't sold, isn't part of any marketing program, and isn't proactively shared with government agencies. Like any UK/EU-regulated processor, Sumsub will only respond to legally compelled requests from law enforcement that meet the strict standards of UK and EU law — the same standard your bank operates under.
Has Sumsub ever had a security incident?
Sumsub publicly disclosed a security incident in February 2026 affecting their internal customer-support ticketing system. The incident was limited to that system — it did not affect Sumsub's verification workflow, customer-facing APIs, or production infrastructure. The data exposed did not include ID documents, biometric data, financial information, or government-issued ID information. We reviewed the disclosure as part of our vendor assessment, and Sumsub has implemented additional controls since, including enhanced monitoring and restricted access for support personnel.
Why don't you use "on-device" verification like other platforms are moving to?
On-device verification — where a phone estimates your age locally without sending any photo to a server — is an emerging approach for age verification on social platforms, where the platform only needs to know "are you over 18?" Our use case is different: we need to verify who you are, not just how old you are, because the result feeds directly into tax reporting and payouts to a real bank account or wallet. That requires actual document review by a regulated provider — which is the industry standard for financial identity verification at every bank, broker, and crypto exchange.
What if you change verification providers in the future?
If we ever change providers, we'll tell creators before the switch and explain what changes — if anything — for you. Vendor selection is reviewed regularly against our security, privacy, and compliance standards.
Why does this feel different from age verification I've seen on other platforms?
Two reasons. First, this verification is tied to receiving money — it's the same reason your bank, PayPal, or a crypto exchange asks for ID. It's not a check on whether you can use the platform. Second, you only go through it when you choose to apply for paid campaigns or request a payout, so it's optional in practice for creators who don't take those actions.