Appendix A: Sample RFP Questions for Liveness Vendor Selection


Security & Certification

  1. Do you hold iBeta Level 1 and/or Level 2 certification? Provide certificate and report.
  2. What is your APCER per PAI species (print, screen photo, screen video, mask)?
  3. What is your BPCER at the operating threshold recommended for banking?
  4. Do you have deepfake detection capability? Against which deepfake types?
  5. How do you detect virtual camera injection attacks?
  6. What device integrity checks do you perform (root, jailbreak, emulator)?
  7. Have you submitted to NIST FRVT PAD? Provide results.
  8. How do you handle adversarial machine learning attacks?

Technical

  1. What is your SDK size (Android AAR, iOS framework)?
  2. What is your end-to-end latency (P50, P95, P99)?
  3. Do you support passive liveness, active liveness, or both?
  4. What is your minimum device/camera requirement?
  5. Do you support web browser-based liveness?
  6. What is your on-device vs server-side processing split?
  7. How do you handle poor lighting, blur, and partial occlusion?

Privacy & Compliance

  1. Where is biometric data processed and stored?
  2. Do you support data residency in India / EU / specific regions?
  3. Are you GDPR Article 9 and DPDPA compliant for biometric data?
  4. What is your data retention policy for biometric samples?
  5. Provide your Data Processing Agreement (DPA) template.

Performance & Reliability

  1. What is your uptime SLA?
  2. What is your maximum concurrent verification capacity?
  3. How do you handle failover and disaster recovery?
  4. What is your average drop-off rate for genuine users?

Business

  1. What is your pricing model (per-transaction, tiered, flat)?
  2. What support tiers do you offer?
  3. What is your model update frequency?
  4. What are your SLA penalty terms?
  5. Provide 3 banking client references.
  6. What is your contract termination and data portability process?