SOC 2 compliance demonstrates that Veriff has adequate controls in place governing information security in our environment.
The Service Organization Controls (SOC) are a standard developed by the Association of International Certified Professional Accountants (AICPA) to enforce the implementation of the trust service criteria of security, availability, privacy, confidentiality and processing integrity.
These reports are intended to meet the needs of a broad range of users that need detailed information and assurances about the controls at service organizations.
These can be relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.
These reports can play an important role in:
The organization can tailor its service needs to the set of criteria provided by the AICPA to demonstrate that IT controls are in place to mitigate and eliminate the risks associated with the provision of services.
A company compliant with SOC 2 is required to prove how its IT controls and operating procedures have been implemented to ensure customer data is handled in compliance with the chosen Trust Service Criteria.
Normally, service organizations that process or store sensitive data for their clients are required to meet SOC 2 requirements.
It is an international standard required by many different companies, regardless of their size or sector.
Veriff has demonstrated, through the issuance of the SOC 2 Type 2 report by an external AICPA auditor, that general IT controls have been implemented.
This assures that the service delivered to our clients, the Identity Verification System Service, is secured in compliance with the Trust Service Criteria of Security, Availability and Confidentiality.
This breaks down as follows:
Security
The system is protected against unauthorized access (both physical and logical).
In this sense our best practices are:
We are meeting the following Standard System Requirements for:
Availability
The system is available for operation and use as committed or agreed.
Disaster recovery and business continuity policies and procedures are in place, along with operational practices to assure service availability.
We are meeting the following Standard System Requirements for:
Confidentiality
Information that is designated “confidential” is protected according to policy or agreement.
Our best practices are:
We are meeting the following requirements for:
System components to provide the services
Infrastructure
Veriff has designed and is offering its services using a fully cloud-hosted system architecture. By design, no data is stored on Veriff's own premises. Veriff utilizes Amazon Web Services (AWS) to provide the resources to host Veriff's Online Identity Verification Service.
The company leverages the experience and resources of AWS to scale quickly and securely as necessary to meet current and future demand.
However, the company is responsible for designing and configuring the Veriff Online Identity Verification Service architecture within AWS to ensure the availability, security, and resiliency requirements are met.
Our cloud services are covered by ISO/IEC 27017:2015.
Software
Software consists of the programs and software that support Veriff's Online Identity Verification Services (operating systems [OSs], middleware, and utilities).
Veriff uses software and ancillary software to build, support, secure, maintain and monitor Veriff's Online Identity Verification Services, such as Amazon Simple Storage Service (S3), Microsoft Sentinel and Snyk.
The list of software and ancillary software used to build, support, secure, maintain, and monitor the Veriff Online Identity Verification.
More details of our software can be found here.
People
The company develops, manages and secures Veriff's online identity verification services via separate departments with clear segregation of roles in Executive Management, Engineering, Information Security, Product Management, Human Resources, etc.
Procedures
Procedures include the automated and manual procedures involved in the operation of Veriff's Online Identity Verification Services.
Procedures are developed and documented by the Business Quality team along with respective teams for a variety of processes, including those relating to product management, engineering, technical operations, security, information technology (IT), and HR.
These procedures are drafted in alignment with the overall information security policies and are updated and approved as necessary for changes in the business, but no less than annually.
The main procedures in scope are logical and physical access, systems operations, change management and risk mitigation.
Data
This refers to transaction streams, files, data stores, tables, and output used or processed by Veriff.
The client defines and controls the data that end users are requested to submit via Veriff's services. Processed personal data is stored on Amazon Web Services servers, mainly located in the EEA region. Once stored in the secure environment, the data is accessed remotely by Veriff's clients. Clients can access only their own data, because we have implemented data clustering practices in all AWS buckets. As a result, clients are not able to view other clients' data. Personal data is managed, processed, and stored in accordance with relevant data protection and other regulations such as GDPR, and with the specific requirements formally established in client agreements.
The company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest and in transit.
Veriff processes data in accordance with its Privacy Policy.