Building trust: Veriff's high standard of trust services, security, privacy and confidentiality
SOC 2 compliance demonstrates that Veriff has adequate controls in place to govern information security in our environment.
What are Service Organization Controls (SOC)?
Service Organization Controls (SOC) are a standard developed by the Association of International Certified Professional Accountants (AICPA) to reinforce the implementation of trust services criteria for security, availability, privacy, confidentiality and processing integrity.
These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at service organizations.
These controls may be relevant to the security, availability and processing integrity of the systems the service organization uses to process user data, and to the confidentiality and privacy of the information processed by those systems.
These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
An organization can map its service needs to the set of criteria provided by the AICPA to demonstrate that IT controls are in place to mitigate and eliminate the risks associated with service delivery.
What are the main SOC 2 requirements?
A company that is SOC 2 compliant is required to prove how IT controls and operational procedures have been implemented to ensure that customer data is handled in accordance with the chosen Trust Services Criteria.
Typically, service organizations that process or store sensitive data for their customers are required to meet SOC 2 requirements.
This is an international standard required by many different companies, regardless of their size or industry.
How does Veriff comply with the ISO/IEC standards?
Veriff has demonstrated, through the issuance of the SOC 2 Type 2 report by an external AICPA auditor, that general IT controls have been implemented.
This assures that the service delivered to our clients, the Identity Verification System Service, is secured in compliance with the Trust Services Criteria of Security, Availability and Confidentiality.
This breaks down as follows:
Security
The system is protected against unauthorized access (both physical and logical).
In this sense our best practices are:
- Veriff will implement appropriate physical, technical, and organizational measures to ensure the security of the service and protect customer data from unauthorized modification, disclosure, acquisition, destruction, loss, theft, misuse, alteration or unauthorized access.
- Veriff will notify customers in the event of a security incident, without undue delay, and will investigate and take steps to remedy any non-compliance with data processing.
We are meeting the following Standard System Requirements for:
- Logical access
- Physical access
- Employee provisioning and deprovisioning
- Access reviews
- Encryption
- Risk and vulnerability management
- Incident handling standards
- Change management
- Vendor management
Availability
The system is available for operation and use as committed or agreed.
Disaster recovery and business continuity policies and procedures are in place, along with operational practices to assure service availability.
We are meeting the following Standard System Requirements for:
- System monitoring
- Backup and recovery standard
- Physical and environmental protections
Confidentiality
Information that is designated “confidential” is protected according to policy or agreement.
Our best practices are:
- Veriff will hold customer data in confidence as per the Service Agreement signed with Veriff’s clients.
- Veriff will treat customer data with the same degree of care as it accords its own confidential information of like kind.
- Veriff has implemented deterministic data lifecycle management. Veriff shall, within an agreed number of days after the date of termination of the services, delete, and use all reasonable efforts to procure the deletion of, all other copies of customer data processed by Veriff or any subprocessors.
We are meeting the following requirements for:
- Data classification
- Retention and destruction standards
- Data handling standards
- Internal confidentiality standards
- Information sharing standards
System components to provide the services
Infrastructure
Veriff has designed and is offering its services using a fully cloud-hosted system architecture. By design, no data is stored on Veriff's own premises. Veriff utilizes Amazon Web Services (AWS) to provide the resources to host Veriff's Online Identity Verification Service.
The company leverages the experience and resources of AWS to scale quickly and securely as necessary to meet current and future demand.
However, the company is responsible for designing and configuring the Veriff Online Identity Verification Service architecture within AWS to ensure the availability, security, and resiliency requirements are met.
Our cloud services are covered by ISO/IEC 27017:2015.
Software
The software component consists of the programs and software that support Veriff's Online Identity Verification Services (operating systems [OSs], middleware, and utilities).
Veriff uses software and ancillary software to build, support, secure, maintain and monitor Veriff's Online Identity Verification Services, such as AWS Simple Storage Service (S3), Microsoft Sentinel and Snyk.
More details on the full list of software and ancillary software used to build, support, secure, maintain and monitor the Veriff Online Identity Verification Service can be found here.
People
The company develops, manages and secures Veriff’s online identity verification services via separate departments with clear segregation of roles in Executive Management, Engineering, Information Security, Product Management, Human Resources, etc.
Procedures
Procedures include the automated and manual procedures involved in the operation of Veriff’s Online Identity Verification Services.
Procedures are developed and documented by the Business Quality team along with respective teams for a variety of processes, including those relating to product management, engineering, technical operations, security, information technology (IT), and HR.
These procedures are drafted in alignment with the overall information security policies and are updated and approved as necessary for changes in the business, but no less than annually.
The main procedures in scope are logical and physical access, systems operations, change management and risk mitigation.
Data
This refers to transaction streams, files, data storages, tables, and output used or processed by Veriff.
The client defines and controls the data that end users are requested to submit via Veriff's services. Processed personal data is stored on Amazon Web Services servers, mainly located in the EEA region. Once stored in the secure environment, the data is accessed remotely by Veriff's clients. Our clients can access only their own data, meaning that we have implemented data clustering practices in all AWS buckets. As a result, clients are not able to view other clients' data. Personal data is managed, processed, and stored in accordance with relevant data protection and other regulations, such as GDPR, and with specific requirements formally established in client agreements.
The company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest and in transit.
Veriff processes data in accordance with its Privacy Policy.
Learn more
For more information about Veriff's commitment to security and compliance, visit our Trust Center.