Huwiyya
Self-hosted AI identity verification platform for Syrian banking. Document and biometric verification, sanctions screening, and a banking-grade audit trail — with full RTL support.

Huwiyya — Identity Verification Platform for Syrian Banking
Huwiyya (هوية) is a banking-grade identity verification platform built for the Syrian financial sector. It runs entirely on self-hosted AI — no biometric data, evidence, or embeddings ever leave your infrastructure — and pairs document and biometric verification with a defensible, tamper-evident audit trail. The platform is Arabic-default with full RTL support, and ships with English, German, Turkish, and Kurdish localisation.
Self-Hosted AI · Full RTL Support · Banking-Grade Audit Trail
How It Works
Every verification starts with a partner request and ends with a fully audited decision.
- Partner Triggers Verification: A bank or partner initiates via the REST API or an incoming webhook, creating an auditable verification case.
- Secure Session Issued: The platform creates a one-time session link, delivered to the end user through the partner's own channel.
- Mobile Capture Flow: The user opens the mobile app for guided document photo, selfie, and liveness video capture, with on-device quality pre-checks for focus, glare, framing, and lighting.
- Self-Hosted AI Checks: OCR, document classification, face match, liveness, and fraud signals are all processed on your infrastructure — no external cloud.
- Result & Audit Stored: The final decision is delivered to the partner via API and webhook, with the full evidence chain and audit trail stored securely.
Platform Capabilities
Everything needed to verify customer identity to the highest banking standards.
- Syrian National ID: AI-assisted document verification with OCR extraction, tamper detection, and field validation for Syrian National ID cards.
- Syrian Passport: Full MRZ parsing, passive authentication checks, and structured field extraction for Syrian passports.
- AI Document Classification: Automatic classification of Syrian ID vs Passport using self-hosted computer-vision models.
- OCR & Field Extraction: AI-enhanced OCR with confidence scoring and structured field extraction, plus fully audited manual correction with before/after state capture.
- Face Matching: Biometric comparison between the document portrait and a live selfie using self-hosted face recognition.
- Liveness Detection: Passive and active liveness checks with presentation-attack detection to prevent spoofing.
- Sanctions Screening: Automated screening against OFAC SDN, EU Consolidated, UN Security Council, and UK HMT sanctions lists, with Arabic name transliteration.
- Partner API & Webhooks: REST API with idempotency, HMAC-signed outbound webhooks, retry queues, and delivery history.
- GPS Evidence Tracking: Device GPS coordinates captured during evidence upload and stored with every document, selfie, and video for forensic audit.
- Audit Trail: Every action, AI score, and state change is immutably logged with actor identity and timestamp.
- Risk Flags & Manual Review: Low-confidence cases automatically escalate to reviewer queues with full AI context visible.
- Multilingual & RTL: Arabic-default with full RTL support, plus English, German, Turkish, and Kurdish.
Security & Compliance
Built for regulated environments and defensible audit trails. Security is not a feature — it is the foundation, and legal review is recommended before production deployment.
- Encryption at Rest & in Transit: All evidence is encrypted at rest with TLS in transit; no unencrypted biometric data at any layer.
- OAuth 2.0 mTLS (RFC 8705): Partners authenticate with certificate-bound access tokens; the token and certificate thumbprint are validated on every request.
- Multi-Factor Authentication: TOTP-based MFA with QR enrollment and AES-256-GCM encrypted secrets for admin and partner accounts.
- Role-Based Access Control: Super Admin, Reviewer, and Partner roles are strictly separated, and tenant data is never mixed.
- Tamper-Evident Audit Logs: Every login, action, and AI decision is logged with actor identity and timestamp.
- Configurable Retention & Legal Hold: Per-tenant retention schedules, legal hold, and policy-driven deletion with a full audit log.
- Human Review Fallback: Low-confidence or flagged cases always route to a human reviewer — no blind auto-approvals.
Self-Hosted AI Engine
AI-assisted, human-accountable. Self-hosted inference powers every verification step with full auditability and human oversight — with no external cloud APIs. The engine handles document classification, OCR enhancement, structured field extraction, fraud signal detection, face matching, liveness detection, and sanctions screening.
Every AI output is stored with its model version, confidence score, and inference timestamp. Thresholds are configurable and treated as policy changes, and low-confidence or policy-flagged cases always route to manual review.
Two Portals, One Platform
Super Admin Portal
Global tenant management, compliance policy configuration, manual review queues, evidence access, audit-trail search, webhook delivery logs, and retention settings — covering partner onboarding, AI threshold tuning, audit-log export, and legal hold.
Partner Portal
Create and track verification requests, manage API credentials and webhook endpoints, review verification outcomes, export reports, and view partner-scoped audit logs — with policy-gated evidence access and OAuth client management.
Built for Regulated Financial Services
- Commercial banks
- Fintech platforms
- Digital onboarding
- Regulated financial services
- High-risk account opening
At a Glance
- 2 document types — Syrian National ID and Passport.
- 5 languages — Arabic, English, German, Turkish, and Kurdish.
- 11 verification states across the full case lifecycle.
- 5 self-hosted AI services powering classification, OCR, face match, liveness, and screening.
- 100% self-hosted AI inference — no biometric data, evidence, or embeddings sent to external providers.