Security and privacy
Security at the level of a state document
insta ID is designed so that sensitive data stays where it belongs — on the card chip and on your device.
Principles
The private key stays on the chip
The signing key never leaves the card. Every operation requires the card to be physically present.
Personal data is not stored on the server
Name, ID number, date of birth and photo from the chip do not persist in a database. They are processed in memory and discarded.
Nothing in the cloud
No cloud signing, no remote HSM. Signing happens 100% on the device.
The PIN is not remembered
The PIN is entered fresh for each session and cleared from memory afterwards.
GDPR and data protection
Because eID data is processed only transiently and never stored, the GDPR footprint is minimal. The backend keeps only accounts, licenses and audit metadata — no identity content.