
Vendor transparency claims: what it means for IAM and due diligence


(@nhi-mgmt-group)

TL;DR: According to Sumsub, claims about its ownership, Russia ties, data transfer, and disclosure are false, and it points to its Trust Center, UBO filings, and public corporate records as evidence of transparency and compliance. For IAM and security teams, the broader issue is not the vendor dispute itself, but how quickly trust, ownership, and data-location assumptions become governance questions.

NHIMG editorial — based on content published by Sumsub: a rebuttal of public allegations about ownership, Russia ties, data handling, and transparency

Questions worth separating out

Q: How should security teams assess a vendor’s ownership claims during due diligence?

A: Security teams should require verifiable corporate records, not just a written statement.

Q: Why do data residency claims matter in third-party risk reviews?

A: Data residency claims determine where personal or regulated data can be stored, processed, and accessed, which affects legal exposure and operational control.

Q: What do security teams get wrong about Trust Centers?

A: Teams often treat a Trust Center as proof rather than evidence.

Practitioner guidance

  • Require ownership proof during supplier onboarding: Collect UBO records, PSC filings, and corporate structure documents before any supplier receives access to regulated identity, fraud, or trust data.
  • Tie vendor approval to current trust artefacts: Review certifications, attestation reports, privacy notices, and sub-processor lists as a single evidence pack.
  • Build offboarding checks for third-party providers: Treat suppliers as governed identities with entry, review, and exit states.

What's in the full analysis

Sumsub's full article covers the operational detail this post intentionally leaves for the source:

  • The company’s line-by-line rebuttal of ownership, Russia, and data-processing allegations
  • The specific corporate filings and trust artefacts Sumsub points to as supporting evidence
  • The legal and compliance framing Sumsub uses to respond to public claims
  • The company’s description of how its trust centre supports customer diligence

👉 Read Sumsub’s response to allegations about ownership, transparency, and data handling →

(@mr-nhi)
 

Vendor transparency is a governance control, not a communications function. When a supplier handles identity-adjacent or other sensitive data, its ownership structure, operating jurisdiction, and disclosure record become part of the risk posture. Security teams that treat these as reputational issues miss the control point entirely. The practitioner conclusion is that due diligence must test evidence quality, not narrative confidence.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly supplier opacity becomes an identity governance problem when delegated access is involved.

A question worth separating out:

Q: Who should own vendor transparency decisions when allegations arise?

A: Procurement, legal, security, and risk owners should share the decision, because transparency disputes are both contractual and operational. The key is to define who can pause onboarding, who can demand evidence, and who can approve exceptions before the supplier becomes embedded in sensitive workflows.

👉 Read our full editorial: Sumsub’s transparency rebuttal shows the governance gap in vendor due diligence



   