What types of documents can Turing Verify check?

Turing Verify supports 7 document categories including diplomas, university degrees, professional certificates, government IDs, financial documents, transcripts, and employment documents.

How accurate is Turing Verify at detecting fake documents?

Turing Verify uses a 50-pattern forensic analysis framework (V50-MASTER+ID) that examines visual, typographic, metadata, data integrity, and AI-generation signals. Each verification includes a detailed per-pattern confidence breakdown.

How long does document verification take?

Most documents are verified in seconds. The AI runs a multi-stage forensic analysis pipeline including visual inspection, metadata analysis, and cross-referencing against known patterns.

Is Turing Verify free to use?

Yes. Turing Verify offers a free tier with 3 verifications per month. Paid plans start at EUR 9/month (Personal, 15 verifications), EUR 29/month (Pro, 150 verifications), and EUR 99/month (Business, 500 verifications with API access).

Is Turing Verify GDPR-compliant?

Yes. Turing Verify runs inference on EU-resident infrastructure and is fully GDPR-compliant. Documents are processed in memory and are not permanently stored unless the user explicitly opts in. A full sub-processor register and DPA are available on the Trust page.

Who uses Turing Verify?

Turing Verify is used by HR and talent teams screening candidates, university admissions offices verifying transcripts and foreign degrees, banks and insurers running KYC and claims fraud checks, and licensing boards authenticating professional credentials.

Can Turing Verify detect AI-generated fake documents?

Yes. Turing Verify is specifically designed to detect AI-generated forgeries, Photoshop edits, and sophisticated digital manipulations using multi-model forensic analysis.

Security & Vulnerability Disclosure

Responsible disclosure policy, incident response runbook, and advisories

Last Updated: April 20, 2026Version 1.0security.txt →

Turing Verify processes sensitive document data. We welcome reports of security vulnerabilities from researchers, customers, and the public. This page is the canonical reference for our disclosure process, breach notification procedure, and published advisories. It complements our Privacy Policy and Trust & Sub-Processors page.

1. Reporting a Vulnerability

Please report suspected vulnerabilities to [email protected]. Use our PGP key on request. When reporting, include:

A clear description of the issue and its impact.
Reproduction steps or a minimal proof-of-concept.
Affected URLs, endpoints, or components.
Your name or handle for acknowledgement (optional).

Safe harbor

Good-faith research carried out in accordance with this policy will not be pursued legally. Do not access, modify, or exfiltrate data beyond what is strictly necessary to prove a finding. Do not degrade service availability, and never target other users' data or accounts.

2. Our Response Commitments

Acknowledge receipt within 2 business days.
Triage & severity assignment within 5 business days using a CVSS-aligned rubric.
Status updates at least every 7 days until resolution.
Credit reporters in published advisories where desired.

We do not currently operate a paid bug-bounty, but we acknowledge valid reports on this page and in release notes where appropriate.

3. 72-Hour Breach Notification Runbook (GDPR Art. 33 / 34)

If we discover a personal data breach that is likely to result in a risk to data subjects' rights and freedoms, the following runbook executes:

T+0 — Detect & contain. On-call engineer isolates affected systems, preserves logs, and opens an incident channel.
T+0 to T+4h — Forensic scope. DPO convenes incident response; determine affected records, data categories, and transfer chains.
T+4h to T+24h — Classify risk. Evaluate likelihood and severity under GDPR Art. 33(3). Document decision rationale in the breach register.
T+24h to T+72h — Notify authority. File a Data Breach Notification with the Autoriteit Persoonsgegevens (our EU lead supervisory authority) and any other competent authorities.
T+72h onward — Notify data subjects. If Art. 34 applies, notify affected users without undue delay through email and this page.
Post-incident — Publish advisory. Add an entry to Section 5 below with root cause, scope, remediation, and a timestamped timeline.

4. Security Contacts & Escalation

Vulnerability reports: [email protected]
Suspected breach: [email protected] (also accepted at [email protected])
Data Protection Officer: [email protected]
EU Representative (Art. 27): Turing Europe B.V., Laan van Meerdervoort 51, 2517 AE The Hague, Netherlands
Machine-readable policy: /.well-known/security.txt (RFC 9116)

5. Public Advisories

No advisories have been published at this time. Advisories will appear here as issues are discovered, resolved, and disclosed. The absence of entries reflects current disclosure state and is not a statement that no security work has been performed.

6. Security Controls Summary

Detailed controls are published on our Trust & Sub-Processors page (EU data residency, encryption at rest and in transit, least-privilege access, scoped service tokens, dependency scanning, signed deploys, and private service mesh).

← Back to Turing Verify

1. Reporting a Vulnerability

Please report suspected vulnerabilities to [email protected]. Use our PGP key on request. When reporting, include:

A clear description of the issue and its impact.

Reproduction steps or a minimal proof-of-concept.

Affected URLs, endpoints, or components.

Your name or handle for acknowledgement (optional).

Safe harbor

2. Our Response Commitments

Acknowledge receipt within 2 business days.

Triage & severity assignment within 5 business days using a CVSS-aligned rubric.

Status updates at least every 7 days until resolution.

Credit reporters in published advisories where desired.

We do not currently operate a paid bug-bounty, but we acknowledge valid reports on this page and in release notes where appropriate.

3. 72-Hour Breach Notification Runbook (GDPR Art. 33 / 34)

If we discover a personal data breach that is likely to result in a risk to data subjects' rights and freedoms, the following runbook executes:

T+0 — Detect & contain. On-call engineer isolates affected systems, preserves logs, and opens an incident channel.

T+0 to T+4h — Forensic scope. DPO convenes incident response; determine affected records, data categories, and transfer chains.

T+4h to T+24h — Classify risk. Evaluate likelihood and severity under GDPR Art. 33(3). Document decision rationale in the breach register.

T+24h to T+72h — Notify authority. File a Data Breach Notification with the Autoriteit Persoonsgegevens (our EU lead supervisory authority) and any other competent authorities.

T+72h onward — Notify data subjects. If Art. 34 applies, notify affected users without undue delay through email and this page.

Post-incident — Publish advisory. Add an entry to Section 5 below with root cause, scope, remediation, and a timestamped timeline.

4. Security Contacts & Escalation

Vulnerability reports: [email protected]

Suspected breach: [email protected] (also accepted at [email protected])

Data Protection Officer: [email protected]

EU Representative (Art. 27): Turing Europe B.V., Laan van Meerdervoort 51, 2517 AE The Hague, Netherlands

Machine-readable policy: /.well-known/security.txt (RFC 9116)