QuiCard — Orchestrating Trust: How DeepPulse Built a Modern Identity Verification Platform

INDUSTRY:

Fintech

TECH STACK:

Front end –
Flutter and Dart
Back end –
Node.js
Cloud –
AWS

Executive summary

QuiCard is a digital identity and verification platform designed to help organisations verify people and credentials quickly, securely, and compliantly—while giving individuals transparent control over their personal data. Unlike point solutions that focus on a single check (e.g., document scan or face match), QuiCard’s strength lies in orchestrating multiple verification methods and partners from one place, standardising workflows, centralising consent, and delivering real‑time visibility across checks. The impact is faster onboarding, reduced impersonation and fraud risk, and a markedly better user experience for both verifiers and individuals.

For enterprise clients, QuiCard operates as an identity‑verification control plane: it can manage multiple verification partners, template one‑off or repeat checks, and provide dashboards to monitor progress and performance. For individuals, the mobile-first experience offers a simple, secure digital ID—store, present, and track what has been shared, with clear privacy controls and deletion requests where applicable.

Context and goals

Digital identity has moved from a compliance tick‑box to a core part of customer and workforce experience. Organisations increasingly need to:

• Verify identities and credentials accurately, across geographies and regulatory regimes.
• Orchestrate different verification partners and methods without brittle custom integrations.
• Minimise friction for users by making consent and data sharing understandable and revocable.
• Evidence compliance with auditable trails, configurable retention, and strong privacy controls.

QuiCard is built to meet these needs. For individuals, it acts as a simple, secure digital ID—a place to store, present, and track what has been shared. For organisations, it provides a policy‑driven control plane across verification steps, partners, and reporting.

Discovery to MVP: reframing identity as a product experience

Our discovery focused on treating identity verification as a two‑sided product—useful to the people being verified and to the teams doing verification.

• Primary journeys (individual): create digital ID, capture documents, pass liveness, consent to specific checks, share only what’s required, and track where data went.
• Primary journeys (organisation): define verification templates (KYC/KYB, employee screening, vendor onboarding), select partners, trigger checks, monitor real‑time status, and export audit trails.
• Non‑functional needs: strong security, explicit consent, data minimisation, clear revocation, and standards‑based interfaces to interchange verifiable claims in future iterations.
• Success measures: time‑to‑clear, pass/fail accuracy, drop‑off in capture flows, and the proportion of checks completed without manual review.

Product principles

• User control by default. Individuals must be able to see, understand, and control what is shared, with whom, and for how long.
• Orchestrate, don’t reinvent. Integrate with best‑of‑breed verification partners; standardise flows and data so the organisation can swap components without rebuilding.
• Compliance made practical. Centralised consent, clear audit trails, configurable retention, and real‑time dashboards to demonstrate control at any moment.
• Friction where it counts, not where it hurts. Apply liveness and stronger assurances where risk is highest; enable convenience (e.g., re‑use of prior checks) where policy allows.

Architecture: a trust orchestration layer

Modular services define bounded contexts for identity, consent, verification orchestration, results storage, notifications, and admin/reporting. Each service is stateless behind managed load balancing and auto‑scaling for predictable performance at peak onboarding periods.

Verification orchestration is driven by policy. Templates—such as “Employee pre‑hire in Country X”—become concrete checklists (document capture, liveness, criminal/background checks, education verification). The orchestrator handles partner selection, retries, idempotency, rate limiting, and normalised result schemas so teams can change partners without reworking applications.

Consent and governance are first‑class. A dedicated consent service records purpose‑limited grants, scopes, and durations; surfaces share prompts in the app; and publishes immutable events for audit. Individuals can review historical shares and request deletion where permitted.

Security by design includes encryption in transit and at rest, isolated secrets management with periodic key rotation, biometric liveness where facial verification is used to prevent spoofing and replay, signed builds and SBOM scanning in the CI pipeline, least‑privilege access, and tamper‑evident logs.

Observability spans end‑to‑end traces for a verification flow (capture → partner call → decision), golden signals (latency, errors, saturation), and funnel analytics to reduce drop‑off.

Experience design: confidence without confusion

For individuals, the application presents a simple and secure digital ID—prove identity and credentials, securely store and share them, and track what was shared. We optimised for:

• Guided capture with inline quality hints to reduce retakes.
• Transparent consent: plain‑language reasons for each request, fine‑grained scopes, and reminders when a share is persistent or recurring.
• “Just enough” verification: dynamically request additional evidence only when policy or risk demands it.
• Accessibility: high contrast, large tap targets, and predictable navigation across devices.
• Error states that help: actionable remediation such as “retake in better light” or “tilt to reduce glare”.

Enterprise features that matter

• Templates for one‑time and repeat checks: build and reuse verification playbooks (e.g., contractor re‑verification every 12 months).
• Partner abstraction: plug in multiple verification vendors and choose by use‑case, region, or risk appetite—without rewriting the front end.
• Consent management: capture, store, and prove consent for each purpose—critical for privacy regimes and audits.
• Real‑time dashboards and alerts: see throughput, turnaround times, pass/fail rates, and partner performance; receive alerts on unusual patterns such as spikes in non‑liveness passes.
• Audit trails: immutable records of who requested what, when, why, and with which legal basis.
• Mobile‑first access: optimised for smartphones with app distribution via mainstream app stores.

Security posture and privacy model

• Biometric liveness and anti‑spoofing where facial verification is used, to block replay and presentation attacks.
• Data minimisation: collect only what a policy demands; tokenise or redact where possible; prefer storing decisions and proofs over raw materials when acceptable.
• Encryption and key hygiene: envelope encryption for high‑sensitivity artefacts, regular rotation, and HSM‑backed master keys.
• Runtime protection: WAF and automated anomaly detection for spikes in failed liveness or forgery patterns.
• Privacy controls: in‑app settings, transparency on what’s collected, and mechanisms to request deletion where applicable.

Delivery approach

1. MVP: core capture, consent, orchestration to one verification partner, and a basic verifier console.
2. Scale‑out: add partner abstraction, more templates, dashboards, and exportable audit trails.
3. Hardening: SAST/DAST gates, recovery playbooks, blue‑green deployments, and measured rollouts behind feature flags.
4. UX polish: microcopy for consent clarity, accessibility sweeps, and guided remediation for failed checks.

Automated tests cover unit, consumer‑driven contract (between services and against partner mocks), and end‑to‑end flows. Observability dashboards are reviewed with stakeholders after each release to close the loop between engineering and operations.

Performance and reliability

• Auto‑scaling absorbs spikes in onboarding (e.g., hiring drives, promotional campaigns) without manual operations.
• Back‑pressure patterns protect downstream partners when their endpoints degrade or rate‑limit.
• Latency budgets for capture and partner calls keep the experience responsive; p95 alerts fire before noticeable degradation.
• Graceful degradation: when a non‑critical partner is down, policy‑based fallbacks or queueing apply rather than blocking all verifications.

Outcomes

• Faster time‑to‑clear through standardised templates and partner orchestration.
• Lower impersonation risk enabled by liveness and biometric protections.
• Compliance readiness through integrated consent, audit trails, and disciplined data handling.
• Higher user trust, supported by transparent data‑sharing, deletion requests, and a clean, mobile‑first UX.

What made the difference

• Orchestration over point tools: treating identity verification as a configurable workflow, not a single check, kept the platform adaptable as requirements evolved.
• User‑first privacy: consent and transparency placed at the centre reduced disputes and improved satisfaction.
• Operational clarity: real‑time dashboards and standardised procedures created a common language between operations, risk, and product teams.
• Security as UX: liveness and biometric protections presented as confidence builders rather than obstacles.

Roadmap

• Richer partner marketplace: expand verification methods and regional partners while keeping a single orchestration layer and normalised results.
• Portable credentials: progress towards verifiable credentials and selective disclosure, enabling users to present proofs without oversharing.
• Policy simulation: “what‑if” tooling to predict approval rates and turnaround impacts when adding or removing checks.
• Risk analytics: behavioural signals across attempts, geovelocity alerts, and device intelligence—within strict privacy guardrails.
• Self‑service reviewer tools: assisted adjudication for edge cases; clear evidence bundles for compliance review.

Why Ennovision

Ennovision specialises in cloud engineering, application engineering, and data/AI, with delivery that blends rigorous security with measurable product outcomes. Our role in the QuiCard journey focused on building a trust‑orchestration platform: modular services, partner‑agnostic integration, consent governance, and an experience that empowers users. QuiCard’s feature set—secure digital ID, controlled data sharing, biometric protections, partner orchestration, consent management, and auditability—aligns closely with our engineering principles and execution.

If you are wrestling with fragmented verification tools, rising fraud risk, or onboarding that feels slow, consider an orchestration approach like QuiCard’s: configurable templates, integrated consent, best‑of‑breed partners, and observability that proves control. We can map your current flows to a pragmatic, phased roadmap—starting with your highest‑impact verification journeys.