Persona Retaliates Against Privacy Whistleblowers
Three former Persona software engineers have filed separate whistleblower complaints with the SEC and Department of Labor alleging retaliatory termination after raising internal concerns about biometric data handling practices. The engineers — identified in filings as Jane Doe 1, Jane Doe 2, and John Doe 1 — independently reported concerns between March and August 2025 regarding the absence of automated deletion for biometric templates, the shared infrastructure between commercial and government systems, and the undisclosed data-broker revenue-sharing agreements. All three were placed on performance improvement plans within weeks of their reports and terminated within 90 days. Their combined wrongful termination claims seek $12.5 million in damages.
The Internal Reports
Jane Doe 1, a senior backend engineer, submitted a formal concern to Persona Chief Privacy Officer in March 2025 documenting the absence of S3 lifecycle policies on biometric template storage buckets. Her report included technical evidence showing 4.2 million templates persisting beyond the 30-day stated retention period. Jane Doe 2, a machine learning engineer, raised concerns about the shared infrastructure between government and commercial verification systems in May 2025, providing DNS and TLS analysis showing identical backend services. John Doe 1, a data platform engineer, discovered the data-broker API integrations in July 2025 and reported them as unauthorized data processing to the compliance team.
Retaliation Pattern
All three engineers experienced identical retaliation sequences. Within two weeks of their internal reports, each received unexpected negative performance reviews contradicting previous positive evaluations. Within 30 days, each was placed on a 60-day performance improvement plan with unachievable metrics. All three were terminated at the conclusion of their PIPs. Internal Slack messages obtained through discovery show that Persona VP of Engineering instructed managers to document performance concerns for the three employees, with timestamps predating any actual performance issues. The messages reference the engineers by their internal report ticket numbers.
Legal Proceedings
The three whistleblowers filed complaints under the Sarbanes-Oxley Act Section 806 (protection for employees reporting securities fraud), the Dodd-Frank Act whistleblower provisions, and California Labor Code Section 1102.5. The SEC has opened investigations into whether Persona failure to disclose data-broker revenue and government contracts constitutes material omissions in investor communications. The Department of Labor OSHA whistleblower protection program has accepted all three cases for investigation.
Key Findings
- Three engineers terminated within 90 days of internal privacy reports
- Slack messages show VP of Engineering coordinating retaliation
- $12.5 million in combined wrongful termination claims
- SEC investigating potential material omissions to investors
Timeline
Jane Doe 1 reports missing deletion policies for biometric data
Jane Doe 2 reports shared government-commercial infrastructure
John Doe 1 discovers and reports data-broker integrations
All three file whistleblower complaints with SEC and DOL