Security and Compliance
Veriff is dedicated to its compliance with the highest standard of privacy and information security requirements to ensure secure handling of personal data. Below is an overview of the main technical and organizational measures applied by Veriff when processing personal data. Please note that this list is not exhaustive. For more information, please feel free to contact firstname.lastname@example.org.
Veriff has obtained and maintains SOC 2 Type II (developed by the Association of International Certified Professional Accountants, AICPA) and ISO/IEC 27001:2013 (extending also to ISO/IEC 27017:2015 and ISO/IEC 27018:2019) certifications. Additionally, Veriff is compliant with the WCAG 2.0 Accessibility Guidelines.
2. LOGICAL ACCESS CONTROLS
Veriff implements logical access control measures over systems used to process personal data. Such measures include but are not limited to:
- Application of different access levels on a “need-to-know” and “least privilege” basis to ensure that only authorized employees requiring access for the performance of their immediate work tasks have access rights to information sources, including personal data. Access is terminated when such access is no longer required.
- Processing operations in Veriff’s systems are logged to a reasonable extent. Where access to these logs is needed, they can be requested via our customer support.
- Exclusion of unauthorized access to Veriff’s information systems and platforms, e.g. by allowing guests to only use dedicated guest wireless internet access.
- Protected access to all systems with two-factor authentication.
- Application of a complex password policy.
- Work devices are configured to automatically lock after 2 minutes of inactivity.
- Protected information may only be accessed, stored, shared or handled using systems and communication channels controlled and authorized for use by Veriff. It is prohibited to use Veriff’s equipment and accounts for personal use.
3. TECHNICAL SECURITY MEASURES
Veriff implements technical security measures over systems used to process personal data. Such measures include but are not limited to:
- Secure protocols (e.g. HTTPS) and network connections (e.g. VPN, IPSEC) are used to transfer personal data.
- Encryption of data at rest and in transit. Veriff implements industry standard AES-256 encryption to encrypt data at rest and TLSv1.2+ to encrypt data during transmission.
- Modern and secure hardware and software to ensure durable confidentiality, integrity, availability, and resilience of personal data.
- The ability to restore, in a timely manner, the availability of and access to personal data in the event of a physical or technical incident by using backups. The preservation and integrity of personal data is ensured through backups taken at a regular interval.
- Full backups of all data in production systems are taken daily. Backups are stored encrypted on AWS servers. Backups are periodically tested by our engineering teams to ensure the integrity of the backup procedure; successful restoration of backed-up objects counts as confirmation that the backup procedure is valid. The default retention period for backups is 90 days.
- Regular effective testing (including external penetration and vulnerability testing) and evaluation of technical and organizational measures, including the protection of systems against potential vulnerabilities and attacks.
- Maintained reasonable and up-to-date antivirus and anti-malware software, and firewalls for all relevant networks, systems, and devices.
4. ORGANIZATIONAL MEASURES
Veriff implements organizational security measures over systems used to process personal data. Such measures include but are not limited to:
- Actionable programs for information security incident management, business continuity management, and disaster recovery.
- Extensive internal policies and guidelines for the processing and security of personal data, which cover, among others, personal data processing and data subject request handling, access management, encryption, information security, incident recovery, vendor management, physical security, and remote work requirements.
- Regular training which covers, among others, data protection, information security, and position-related specifics. Ad-hoc and tailored training is provided depending on position, general trends, and needs.
- An in-house data protection officer who monitors and audits Veriff’s overall compliance with privacy laws.
5. PHYSICAL SECURITY
Veriff implements extensive physical security controls to ensure the safety of personal data processing. Such measures include but are not limited to:
- Maintained physical controls: access to Veriff’s offices is closed and safeguarded with personalized two-factor authentication.
- Employees must wear identifying badges.
- Veriff’s offices have separate working areas accessible only to authorized employees.
- Veriff’s offices have designated guest areas, and guests are allowed to access other designated areas only when accompanied by a Veriff employee. All guests must wear badges and are signed in and out at the reception desk.
- Veriff’s offices are equipped with perimeter controls, on-site camera surveillance, and a security guard (in certain locations).