What types of documents can Turing Verify check?

Turing Verify supports 98+ document types including diplomas, university degrees, professional certificates, government IDs, financial documents, award certificates, and trade association memberships from 25+ countries.

How accurate is Turing Verify at detecting fake documents?

Turing Verify achieves 99.8% accuracy using a 50-pattern forensic analysis framework that examines visual, typographic, data integrity, and external verification signals.

How long does document verification take?

Most documents are verified in under 30 seconds. The AI runs a multi-stage forensic analysis pipeline including visual inspection, metadata analysis, and cross-referencing against known patterns.

Is Turing Verify free to use?

Yes. Turing Verify offers a free tier with 3 verifications per month. Paid plans start at EUR 9/month (Personal, 15 verifications), EUR 29/month (Pro, 150 verifications), and EUR 99/month (Business, 500 verifications with API access).

Is Turing Verify GDPR-compliant?

Yes. Turing Verify runs inference on EU-resident infrastructure and is fully GDPR-compliant. Documents are processed in memory and are not permanently stored unless the user explicitly opts in. A full sub-processor register and DPA are available on the Trust page.

Who uses Turing Verify?

Turing Verify is used by HR and talent teams screening candidates, university admissions offices verifying transcripts and foreign degrees, banks and insurers running KYC and claims fraud checks, and licensing boards authenticating professional credentials.

Can Turing Verify detect AI-generated fake documents?

Yes. Turing Verify is specifically designed to detect AI-generated forgeries, Photoshop edits, and sophisticated digital manipulations using multi-model forensic analysis.

Trust & Sub-Processors

EU data residency, security controls, and the live sub-processor register

Last Updated: April 6, 2026Version 1.0🇪🇺 Hosted in EU · Amsterdam

This page is the canonical, public source of truth for Turing Verify's data residency, sub-processor register, and security posture. It complements our Privacy Policy and is referenced by our customer DPAs. We update it as our infrastructure evolves and announce material changes at least 30 days before they take effect.

1. EU Data Residency

Primary storage — European Union

All primary application infrastructure (frontend, API, PostgreSQL database, object storage) is pinned to europe-west4 — Amsterdam, Netherlands on Railway. Your account data, verification records, and uploaded document cache never leave the European Union for storage.

Frontend service: europe-west4 (Amsterdam)
Backend API service: europe-west4 (Amsterdam)
PostgreSQL database: europe-west4 (Amsterdam) with EU-resident encrypted backups
Document cache volume: europe-west4 (Amsterdam), 72-hour TTL

2. International Transfers

Cross-border transfers for AI inference

To produce a verification verdict, document content is transmitted to AI model providers (Anthropic, OpenAI) whose inference infrastructure is currently located in the United States. Content is processed transiently — it is not retained for training or any other purpose beyond the immediate API request — and the transfer is governed by Standard Contractual Clauses and the EU-U.S. Data Privacy Framework. Our backend ships with a configurable EU inference router (INFERENCE_REGION=eu) that pins Anthropic calls to an EU-resident gateway (AWS Bedrock eu-central-1 / Vertex europe-west) and OpenAI calls to Azure OpenAI EU (France Central / Sweden Central) or Mistral La Plateforme — eliminating the cross-border transfer entirely. Production cut-over for EU customer traffic is in progress.

All other US-resident sub-processors (payments, email, OAuth) are covered by the same SCC + EU-U.S. DPF safeguards. The full register is below.

3. Sub-Processor Register

Each sub-processor below is bound by a Data Processing Agreement and processes data only on our instructions. New or replaced sub-processors are announced on this page at least 30 days before they go live; customers may object in writing during that window.

Processor	Purpose	Data	Location	Safeguard
Railway	Application hosting, database, object storage	Account data, verification records, document cache	EU — Amsterdam (europe-west4)	Intra-EU; DPA
Anthropic	AI document analysis (paid tier)	Document content (transient)	United States	SCCs + EU-U.S. DPF; zero-retention API
OpenAI	AI document analysis (free tier)	Document content (transient)	United States	SCCs + EU-U.S. DPF; zero-retention API
Stripe	Payment processing and billing	Billing identifiers, subscription metadata	United States / EU	SCCs + EU-U.S. DPF; PCI-DSS Level 1
Resend	Transactional email delivery	Email address, message content	United States	SCCs + EU-U.S. DPF
Google	OAuth authentication (sign-in)	Name, email, profile picture	United States	SCCs + EU-U.S. DPF
LinkedIn (Microsoft)	OAuth authentication (sign-in)	Name, email, profile picture	United States	SCCs + EU-U.S. DPF
Cloudflare	CDN, DDoS protection, TLS termination	IP address, request metadata	Global edge (EU points of presence preferred)	SCCs; data minimization

4. Security Controls

We implement technical and organizational measures aligned with ISO/IEC 27001 controls:

Encryption: TLS 1.3 in transit; AES-256 at rest for database and object storage
Authentication: OAuth-only sign-in (Google, LinkedIn) — no passwords stored
Access control: Least-privilege IAM, audited admin access, scoped service tokens
Network: Private service mesh, secrets in encrypted vaults, no public DB ingress
Application: Strict CSP, HSTS, dependency scanning, signed deploys
Operations: Documented incident response, 72-hour breach notification (GDPR Art. 33), tested backup restoration

5. Document Retention

Uploaded document images are cached in the EU for up to 72 hours after verification, then permanently deleted. Verification metadata (verdict, scores, annotations) is retained until you request deletion. Full retention schedule: Privacy Policy §5.

6. Compliance & Certifications

GDPR: Compliant — EU representative appointed under Art. 27 (Turing Europe B.V., The Hague, Netherlands); DPO designated
ISO/IEC 27001: Controls aligned; formal certification audit scheduled
EU-U.S. Data Privacy Framework: Used as transfer mechanism for US sub-processors that participate
SOC 2: On 2026 roadmap

7. Data Processing Addendum (DPA)

Business and Pro customers may execute our standard DPA, which incorporates the EU Standard Contractual Clauses by reference. Request a copy from [email protected].

8. Change Notifications

To be notified of additions or replacements to the sub-processor register at least 30 days in advance, email [email protected]with the subject "Subscribe: sub-processor updates".

Contact

Data Protection Officer: [email protected]
EU Representative (Art. 27): Turing Europe B.V., Laan van Meerdervoort 51, 2517 AE The Hague, Netherlands
General Support: [email protected]

← Back to Turing Verify

1. EU Data Residency

Primary storage — European Union

Frontend service: europe-west4 (Amsterdam)

Backend API service: europe-west4 (Amsterdam)

PostgreSQL database: europe-west4 (Amsterdam) with EU-resident encrypted backups

Document cache volume: europe-west4 (Amsterdam), 72-hour TTL

2. International Transfers

Cross-border transfers for AI inference

All other US-resident sub-processors (payments, email, OAuth) are covered by the same SCC + EU-U.S. DPF safeguards. The full register is below.

3. Sub-Processor Register

Processor	Purpose	Data	Location	Safeguard
Railway	Application hosting, database, object storage	Account data, verification records, document cache	EU — Amsterdam (europe-west4)	Intra-EU; DPA
Anthropic	AI document analysis (paid tier)	Document content (transient)	United States	SCCs + EU-U.S. DPF; zero-retention API
OpenAI	AI document analysis (free tier)	Document content (transient)	United States	SCCs + EU-U.S. DPF; zero-retention API
Stripe	Payment processing and billing	Billing identifiers, subscription metadata	United States / EU	SCCs + EU-U.S. DPF; PCI-DSS Level 1
Resend	Transactional email delivery	Email address, message content	United States	SCCs + EU-U.S. DPF
Google	OAuth authentication (sign-in)	Name, email, profile picture	United States	SCCs + EU-U.S. DPF
LinkedIn (Microsoft)	OAuth authentication (sign-in)	Name, email, profile picture	United States	SCCs + EU-U.S. DPF
Cloudflare	CDN, DDoS protection, TLS termination	IP address, request metadata	Global edge (EU points of presence preferred)	SCCs; data minimization

4. Security Controls

We implement technical and organizational measures aligned with ISO/IEC 27001 controls:

Encryption: TLS 1.3 in transit; AES-256 at rest for database and object storage

Authentication: OAuth-only sign-in (Google, LinkedIn) — no passwords stored

Access control: Least-privilege IAM, audited admin access, scoped service tokens

Network: Private service mesh, secrets in encrypted vaults, no public DB ingress

Application: Strict CSP, HSTS, dependency scanning, signed deploys

Operations: Documented incident response, 72-hour breach notification (GDPR Art. 33), tested backup restoration

6. Compliance & Certifications

GDPR: Compliant — EU representative appointed under Art. 27 (Turing Europe B.V., The Hague, Netherlands); DPO designated

ISO/IEC 27001: Controls aligned; formal certification audit scheduled

EU-U.S. Data Privacy Framework: Used as transfer mechanism for US sub-processors that participate

SOC 2: On 2026 roadmap