Security and Compliance

Veriff has obtained and maintains ISO/IEC 27001:2022 Certification which further extends to the additional controls defined within ISO/IEC 27017:2015 and ISO/IEC 27018:2019*. In addition, Veriff is compliant with SOC 2 Type II, GDPR, WCAG 2.0 Accessibility Guidelines and has obtained Cyber Essentials certification. Furthermore, Veriff offers products which are compliant with the UKDIATF (UK Digital Identity and Attributes Trust Framework).

*Veriff Brazil has not yet officially received the certification, however, is compliant with the same requirements.

Veriff implements logical access control measures over systems used to process personal data. Such measures include but are not limited to:

1. 1. Application of different access levels on a “need-to-know” and “least privilege” basis to ensure that only authorized employees requiring access for the performance of their immediate work tasks have access rights to information sources, including personal data. Access is terminated when such access is no longer required.
   2. Technical enablement for logging processing operations in Veriff’s systems to a reasonable extent. In case there’s a need to get access to logs, these can be ordered via our customer support upon request.
   3. Exclusion of unauthorized access to Veriff’s information systems and platforms, e.g. by allowing guests to only use dedicated guest wireless internet access.
   4. Protected access to all systems with two-factor authentication.
   5. Application of complex password policy.
   6. Work devices are configured to automatically lock after 2 minutes of inactivity.
   7. Protected information may only be accessed, stored, shared or handled using systems and communication channels controlled and authorized for use by Veriff. It is prohibited to use Veriff’s equipment and accounts for personal use.

Veriff implements technical security measures over systems used to process personal data. Such measures include but are not limited to:

1. 1. Secure protocols (e.g. HTTPS) and network connections (e.g. VPN, IPSEC) are used to transfer personal data.
   2. Encryption of data at rest and in transit. Veriff implements industry standard AES-256 encryption to encrypt data at rest and TLSv1.2+ to encrypt data during transmission.
   3. Modern and secure hardware and software to ensure durable confidentiality, integrity, availability, and resilience of personal data.
   4. The ability to restore, in a timely manner, the availability of personal data and access to personal data in the event of a physical or technical incident by using backups. The preservation and integrity of personal data through a regular backup interval is ensured.
   5. Full backups for all data in production systems are done daily. Backups are stored and encrypted in AWS servers. Backups are periodically tested by our engineering teams to ensure the integrity of the backup procedure. Successful restoration of backed up objects counts as confirmation of the backup procedure validity. Default retention period for backups is 90 days.
   6. Regular effective testing (including external penetration and vulnerability testing) and evaluation of technical and organizational measures, including the protection of systems against potential vulnerabilities and attacks.
   7. Maintained reasonable and up-to-date antivirus and anti-malware software, and firewalls for all relevant networks, systems, and devices.

Veriff implements organizational security measures over systems used to process personal data. Such measures include but are not limited to:

1. 1. Actionable programs for information security incident management, business continuity management, and disaster recovery.
   2. Extensive internal policies and guidelines for the processing and security of personal data, which cover, among others, personal data processing and data subject request handling, access management, encryption, information security, incident recovery, vendor management, physical security, and remote work  requirements.
   3. Regular training which covers, among others, data protection, information security, and position related specifics. Depending on position and general trends, and needs for ad-hoc and tailored training are provided.
   4. Data protection officer who monitors and audits Veriff’s overall compliance with privacy laws.

Veriff implements extensive physical security controls to ensure safety of personal data processing. Such measures include but are not limited to:

1. Maintained physical controls, including access to Veriff’s offices is closed and safeguarded with personalized two factor authentication.
2. Employees must wear identifying badges.
3. Veriff’s offices have separate working areas accessible only to authorized employees.
4. Veriff’s offices have designated guest areas and the guests are allowed to access other determined areas only when accompanied by a Veriff employee. All guests must wear badges and are signed in and out at the reception desk.
5. Veriff’s offices are equipped with perimeter controls, on-site camera surveillance, and a security guard (in certain locations).