I don't have the full context on the Persona/Discord story yet, but our philosophy is that identity providers should be a shield, not a source of risk.

We address this by building privacy-preserving architectures that minimize the data footprint. First, we offer secure, long-term retention so companies don't have to store sensitive PII on their own servers—which are often managed by teams who aren't cybersecurity specialists.

Second, and more importantly, we provide granular data control. Our customers can select exactly which fields they need to keep (e.g., just Name, DOB, and Country) and set the system to automatically purge sensitive assets like ID photos immediately after verification. It’s about ensuring that only the absolute minimum amount of data necessary ever exists in the system.

(I want to emphasize that my intention is not to criticize Didit negatively. Rather, I aim to offer constructive feedback.)

IMO, you should spend a lot of time working on your privacy policy. I have identified a few points of concern that you should work on:

1. Your policy is immensely vague. "legally stipulated periods of conservation" means nothing. There are no references to which laws are being referenced, and there are no references to specific timeframes. Concrete detail is most needed here.

2. Under section 4, there is no mention of response timeframes (GDPR mandates 30 days), no indication of what to include in a request, and no acknowledgement of the right to escalate if Didit fails to respond.

3. You mention processing biometric data in passing and note consent as the legal basis. For special category data under GDPR Article 9, this deserves substantially more transparency -- what biometric data, how it is stored, whether it is retained after identity verification, and what happens if consent is withdrawn. One sentence is not adequate.

4. "Didit will have adopted appropriate data protection safeguards in advance" is very vague. You should specify the transfer mechanism and actually identify which third countries are involved.

5. Your legitimate interest claim for contact persons (section 2b) is asserted without any balancing test explanation, which is technically required under the GDPR.

Your information security policy is purely a mission statement. It is only a list of things you intend to do, without any explanation about how you either currently or will implement these things.

For example, "align with the highest standards of security" -- which standards? ISO 27001? SOC 2? NIST? "achieve the fully satisfactory resolution of incidents" -- what constitutes "satisfactory"? What is your incident response process?

If you intend to take data security and privacy seriously, both documents must be improved greatly before I as a consumer would consider handing my data over to this service.

Thanks for the feedback! Definitely, we can improve there!