
How Veriff keeps your data safe

Veriff is in the privileged position of handling vast amounts of private and personal data of individuals every day. This is not something we take lightly, and as trust is our business we want to be transparent about our security practices around how we keep your personal information safe at all times.

Author: Aleksander Tsuiman, Head of Product Legal & Privacy
May 9, 2025

Building trust in an unsafe digital world

Verifying that an individual is who they say they are in the virtual world is a top priority for many businesses. Veriff is in the privileged position of handling vast amounts of private and personal information every day. This is not something we take lightly. Since trust is our business, we want to be transparent about the measures, including security measures, we take to protect your data at all times—whether it’s stored in cloud storage, transmitted online, or processed during identity verification.

Verifying that someone is who they claim to be is a cornerstone of safe online interactions. Fraud is an unfortunate reality of our daily digital lives, often carried out through phishing emails, installed malware, and social engineering scams.

Yet, the threat of online fraud continues to escalate. According to the Veriff Identity Fraud Report 2025, fraudulent activity surged by more than 20% in 2024 alone. Among these cases, impersonation fraud made up a staggering 82%, underscoring the increasing sophistication of cybercriminal tactics. Meanwhile, account takeover incidents grew by 13%, and multi-accounting cases rose by 10% compared to the previous year.

These alarming trends highlight the urgent need for advanced, trustworthy identity verification solutions.

Veriff meets this challenge by going beyond compliance—we embed trust into every layer of our service. That’s why we’re not only vigilant against fraud, but also actively aligned with data protection frameworks across our key markets:

  • In the United States, where multiple states now have their own privacy laws, we comply with frameworks like CCPA and VCDPA. You can read more about the US privacy laws in our blog.
  • In the United Kingdom, UK GDPR preserves the spirit of the EU regulation while ensuring local adoption. You can read more about the UK privacy laws here.
  • In Latin America, Brazil’s LGPD has shaped the country’s privacy landscape, establishing a framework highly similar to the GDPR with key regional exceptions.

Statista data reinforces this global shift: 53% of internet users now report awareness of their local privacy rights—and in the U.S., 42% of organizations have dedicated legal counsel for data privacy.

This growing awareness makes Veriff’s role even more vital. Individuals must be able to trust their identity verification provider—whether data is stored in the cloud, transmitted over Wi-Fi networks, or synced to online accounts. We ensure our verification process is clear and seamless, not a barrier to access. Features like multi-factor authentication and strong encryption are just part of how we safeguard your digital identity.

Veriff does its best to adhere to the highest standards of privacy compliance, including the GDPR and the UK GDPR. Behind every data point is a person—and we’re committed to protecting them with the most secure, privacy-first technology available.

In this blog, we’ll walk you through how Veriff ensures your data remains safe throughout the identity verification process—and how we’re shaping a future where trust is built into every interaction online.

1. Processing of personal data

Your rights. Veriff recognizes every individual going through its verification flow as a data subject. The data subject is always at the center of Veriff’s service. You, as the data subject, are entitled to specific information and to the exercise of data privacy rights. That is why Veriff makes it clear in its Privacy Notice that it provides its verification services to other companies. Veriff collects your data via its verification service only if you have been directed there by a business customer of Veriff. Veriff’s customer, the company asking you to verify your identity, decides how and for which purposes Veriff processes your data. This also means they must tell you how they and Veriff process your data, and ensure you can exercise your rights along the way.

Veriff’s services process personal data. The EU’s General Data Protection Regulation (known as GDPR) defines personal data as any information about an individual who can be identified, directly or indirectly, by name, ID number, or other factors relating to an individual's physical, physiological, genetic, mental, economic, cultural, or social identity. The data collected by Veriff for your identification is personal data and Veriff’s customers must ensure that they have a valid legal basis for allowing Veriff to use the data for its services.

Veriff’s services may process sensitive personal data. Sensitive data is a subcategory of personal data. There are different definitions of “sensitive data” in different countries. However, it is generally centered around data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic data, biometric data (for the purpose of uniquely identifying a person), health data, or data concerning a person’s sex life or sexual orientation. As part of its service, Veriff may process your sensitive data. For example, Veriff’s services can process information about your face, amounting to biometric data. This is an important note, as depending on why our customers use our services, they might need to follow heightened legal requirements. Although the requirements around biometrics processing are stringent, it is important to note that biometrics can provide a strong layer of security against bad actors, while also minimizing the amount of data processed.

Oversight by authorities. Compliance with data privacy laws across the world is under heightened scrutiny by local data protection authorities. Veriff is also supervised by local data protection authorities and ensures full cooperation with the authorities from different EU Member States and beyond.

2. Risk assessments and a dedicated team

Veriff’s dedicated privacy and compliance team, together with our data protection officers, consistently conducts data protection impact assessments. These data protection impact assessments not only fulfill legal requirements but also allow Veriff to proactively identify and address the risks related to our products and services. By leveraging our in-house legal competence and taking proactive information security measures, such as employing multi-factor authentication and advising on password manager use, Veriff ensures the highest level of data security to uphold our commitment to safeguarding your privacy and protecting your data.

3. No selling or unauthorised sharing of end user data

As stated in Veriff's Privacy Notice, we’ll disclose your personal data to the customer who has authorized us to provide you with the identity verification service. Additionally, as an integral part of the identity verification service, your personal information may be disclosed to our carefully chosen sub-processors. These are service providers that help us with different data processing and cloud storage services and are essential to providing our identity verification service. Internally, any access to data is granted on a need-to-know and least-privilege basis. This means that our employees are only granted the information and access rights strictly necessary for their specific tasks, which helps prevent insider threats and ensures your data remains safe from internal and external compromise. This ensures your data is always kept safe with no unauthorized access.

4. Fixed data storage periods

The term for keeping your data is fixed in internal policies and customer agreements. Veriff never keeps data indefinitely. For example, as a standard, personal data which is processed on behalf of our customers is stored for no longer than 3 years. However, in the context of identity verification services, this may differ depending on the customer's instructions. That is why the company that asked for your identity verification is the one that can tell you the exact time for how long your data is stored and used for identity verification. Storing your data only as long as necessary is an essential security measure to help keep your data secure and reduce risks such as exposure through social media leaks or legacy systems.

5. Encryption at rest and in-transit

At Veriff, data is encrypted both at rest and in transit. Encryption is the process of converting data into an unreadable format, making it inaccessible to anyone who does not have the decryption key. Encryption enables secure and confidential end-to-end protection of the data by protecting its content.

Data in transit is encrypted using Transport Layer Security (TLS) 1.2 or a newer version. TLS is the protocol that allows digital devices (such as computers and phones) to communicate over the internet securely, without the transmission being exposed to outside parties. Data at rest is encrypted using the Advanced Encryption Standard (AES-256). AES is a symmetric key cipher, meaning that the same key is used for both encryption and decryption of the data.

In addition, all internal applications hosted by Veriff and used to manage personal information are also routed through a VPN as an extra measure to reduce the attack surface and to provide an additional layer of security on top of standard TLS. These practices help ensure your data is not compromised via Wi-Fi network vulnerabilities or phishing emails.

6. Security by design and by default

Veriff has acquired and for years upheld the SOC 2 Type 2 compliance certification. It confirms that Veriff’s systems are designed to keep its customers’ data secure. When it comes to working with an identity verification service provider, such reliability is absolutely crucial because we are well aware that cases of personal data breaches and leaks might have life-altering consequences.

Veriff has also been awarded certification against the ISO/IEC 27001:2022 standard, an internationally recognized information security standard published by the International Organization for Standardization (ISO). Veriff is also certified against the UK’s Cyber Essentials scheme, which is designed to help protect organizations against a whole range of the most common cyber attacks.

You can learn more about Cyber Essentials from the UK’s National Cyber Security Centre’s webpage. These security measures are just some examples of what is in place at Veriff. We take all necessary precautions to give you peace of mind when using our identity verification service, even in your day-to-day interactions online. We always follow the relevant updates and implement additional measures to ensure compliance.

7. Where can you read more?

We are always excited to hear your feedback, opinions, and ideas—you can find ways to contact us in our Privacy Notice.

You can learn more about our security practices from the Security and Compliance page and from Veriff’s Trust Center, where we detail how we protect your data.

Securing the digital world: Veriff’s vision for a safer, trust-first future

At Veriff, we know that fraud doesn’t stand still—so neither can we. As identity threats grow more sophisticated—from biometric deepfakes and AI-generated impersonations to evolving social engineering tactics—Veriff is at the forefront, proactively safeguarding the digital world. We don’t wait for tomorrow’s risks to arrive—we anticipate them.

Our commitment begins with cutting-edge technology. Veriff continuously evolves its trust infrastructure, supported by AI models, real-time risk analysis, and advanced threat detection systems. But technology alone isn’t enough. True digital safety requires a broader vision.

That’s why we go further—collaborating with regulators, contributing to global trust frameworks, and partnering with industry leaders to shape a secure and trustworthy digital landscape. Because for us, building trust online isn’t optional—it’s essential.

Trust is also about privacy and compliance. Veriff aligns its data protection practices with leading global standards, including the European Union’s General Data Protection Regulation (GDPR), while staying agile amid emerging frameworks such as the EU’s AI Act.

Looking ahead, Veriff’s vision is clear: a world where individuals move freely and securely through digital spaces—supported by identity verification that is seamless, privacy-first, and globally scalable.

We’re not just responding to the threats of today. We’re shaping the internet of tomorrow—one where trust fuels progress and people come first.
