
Building trust: Veriff’s high standard of trust services, security, privacy and confidentiality

SOC 2 compliance demonstrates that Veriff has adequate controls in place governing information security in our environment.

What are the Service Organization Controls (SOC)?

System and Organization Controls (SOC) reports are an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report describes, and an independent auditor attests to, an organization's controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality and privacy.

These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization.

Those controls relate to the security, availability and processing integrity of the systems the service organization uses to process users' data, and to the confidentiality and privacy of the information processed by those systems.

These reports can play an important role in:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

The organization selects which of the AICPA's criteria are in scope for its services (security is always included) and uses the report to demonstrate that IT controls are in place to mitigate the risks associated with providing those services.

What are the main requirements of SOC 2?

A company reporting under SOC 2 must demonstrate to the auditor how its IT controls and operating procedures have been implemented so that customer data is handled in accordance with the Trust Services Criteria it has chosen to include in scope.

Service organizations that process or store sensitive data on behalf of their clients are commonly asked by those clients to meet SOC 2 requirements.

Although SOC 2 is an AICPA standard originating in the United States, it is requested by companies around the world, regardless of their size or sector.

How does Veriff comply with SOC 2?

Veriff has demonstrated, through a SOC 2 Type 2 report issued by an independent AICPA-accredited auditor, that its general IT controls are suitably designed and have operated effectively over the audit period (a Type 1 report would only cover the design of controls at a single point in time).

This assures our clients that the Identity Verification System Service is secured in compliance with the Trust Services Criteria of Security, Availability and Confidentiality.

This breaks down as follows:

Security 

The system is protected against unauthorized access (both physical and logical). 

In this sense, our best practices are:

  • Veriff will implement appropriate physical, technical and organizational measures to ensure the security of the service and to protect customer data from unauthorized modification, disclosure, acquisition, destruction, loss, theft, misuse, alteration or unauthorized access. 
  • Veriff will notify customers of a security incident without undue delay, and will investigate and take steps to remedy any non-compliance with its data processing obligations.

We are meeting the following Standard System Requirements for: 

  • Logical access  
  • Physical access  
  • Employee provisioning and deprovisioning  
  • Access reviews
  • Encryption  
  • Risk and vulnerability management
  • Incident handling standards
  • Change management
  • Vendor management 

Availability 

The system is available for operation and use as committed or agreed. 

Disaster recovery and business continuity policies and procedures are in place, along with operational practices to assure service availability. 

We are meeting the following Standard System Requirements for: 

  • System monitoring
  • Backup and recovery standard
  • Physical and environmental protections

Confidentiality 

Information that is designated "confidential" is protected according to policy or agreement.

Our best practices are:  

  • Veriff will hold customer data in confidence as per the Service Agreement signed with Veriff's clients. 
  • Veriff will treat customer data with the same degree of care as it accords its own confidential information of like kind.
  • Veriff has implemented a deterministic data lifecycle: within an agreed number of days after the termination of the services, Veriff deletes the customer data it holds and uses all reasonable efforts to procure the deletion of all other copies processed by Veriff or any subprocessor.

We are meeting the following requirements for: 

  • Data classification
  • Retention and destruction standards
  • Data handling standards
  • Internal confidentiality standards
  • Information sharing standards

System components to provide the services

Infrastructure

Veriff has designed and offers its services using a fully cloud-hosted system architecture. By design, no data is stored on Veriff's own premises. Veriff uses Amazon Web Services (AWS) to provide the resources that host Veriff's Online Identity Verification Service. 

The company leverages the experience and resources of AWS to scale quickly and securely as necessary to meet current and future demand. 

However, under the AWS shared responsibility model the company remains responsible for designing and configuring the Veriff Online Identity Verification Service architecture within AWS so that the availability, security and resiliency requirements are met.

Our cloud services are covered by ISO/IEC 27017:2015, the code of practice for information security controls for cloud services.

Software 

This consists of the programs and software that support Veriff's Online Identity Verification Services (operating systems, middleware and utilities). 

Veriff uses software and ancillary software to build, support, secure, maintain and monitor Veriff's Online Identity Verification Services, such as Amazon Simple Storage Service (S3), Microsoft Sentinel and Snyk. 

The full list of software and ancillary software used to build, support, secure, maintain and monitor the Veriff Online Identity Verification Service is maintained separately; more details of our software can be found there.

People

The company develops, manages and secures Veriff's online identity verification services through separate departments with clear segregation of roles, including Executive Management, Engineering, Information Security, Product Management and Human Resources. 

Procedures

Procedures include the automated and manual procedures involved in the operation of Veriff's Online Identity Verification Services. 

Procedures are developed and documented by the Business Quality team along with respective teams for a variety of processes, including those relating to product management, engineering, technical operations, security, information technology (IT), and HR. 

These procedures are drafted in alignment with the overall information security policies and are updated and approved as necessary for changes in the business, but no less than annually.

The main procedures in scope are logical and physical access, systems operations, change management and risk mitigation. 

Data

This refers to the transaction streams, files, data stores, tables and output used or processed by Veriff. 

The client defines and controls which data end users are asked to submit via Veriff's services. Processed personal data is stored on Amazon Web Services infrastructure, located primarily in the EEA. Once stored in that environment, the data is accessed remotely by Veriff's clients. Client data is segregated within our AWS storage so that each client can access only its own data; no client is able to view another client's data. Personal data is managed, processed and stored in accordance with relevant data protection and other regulations, such as the GDPR, and with the specific requirements formally established in client agreements.

The company has deployed secure methods and protocols for the transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest and in transit. 
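As an added illustration of how the two controls above (per-client segregation of data in AWS storage, and encryption in transit and at rest) are commonly enforced on S3, the following Terraform fragment is example code written for this page; it is not Veriff's configuration, and the bucket name, KMS key and `client_id` prefix are placeholders.

```hcl
# Added illustrative example, not Veriff's configuration: one S3 bucket
# whose objects are keyed by client prefix, with TLS and KMS encryption
# enforced by bucket policy and each client role confined to its prefix.
# Bucket name, key and client identifier are placeholders.

variable "client_id" {
  description = "Placeholder tenant identifier used as the S3 key prefix"
  type        = string
  default     = "client-123"
}

resource "aws_kms_key" "data" {
  description         = "CMK for verification data at rest (example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "data" {
  bucket = "example-verification-data"
}

# No public access path, regardless of object ACLs or later policy edits.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption at rest: every new object is encrypted with the CMK by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true
  }
}

# Encryption in transit: deny any request not made over TLS, and deny
# uploads that try to bypass KMS encryption. Explicit Deny always wins.
resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        Sid       = "DenyNonKmsUploads"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.data.arn}/*"
        Condition = {
          StringNotEquals = { "s3:x-amz-server-side-encryption" = "aws:kms" }
        }
      }
    ]
  })
}

# Tenant isolation: the policy attached to one client's role can list and
# read only keys under that client's prefix; other prefixes are not even
# enumerable, because ListBucket without a matching s3:prefix is not allowed.
resource "aws_iam_policy" "client_read" {
  name = "example-${var.client_id}-read"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "ListOwnPrefixOnly"
        Effect   = "Allow"
        Action   = "s3:ListBucket"
        Resource = aws_s3_bucket.data.arn
        Condition = {
          StringLike = { "s3:prefix" = ["${var.client_id}/*"] }
        }
      },
      {
        Sid      = "ReadOwnObjectsOnly"
        Effect   = "Allow"
        Action   = ["s3:GetObject"]
        Resource = "${aws_s3_bucket.data.arn}/${var.client_id}/*"
      }
    ]
  })
}
```

Two details worth checking when adapting this pattern: the `DenyNonKmsUploads` statement rejects any `PutObject` that does not carry the `x-amz-server-side-encryption: aws:kms` header, so clients must set it explicitly even though the bucket default would encrypt anyway; and the `s3:prefix` condition means a client whose role tries to list the bucket root gets AccessDenied rather than a listing of other clients' prefixes. Verifying that a role scoped to one prefix cannot read or list another prefix is the kind of test an auditor will expect evidence for under the Confidentiality criteria.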

Veriff processes data in accordance with its Privacy Policy.

Learn more

For more insight into Veriff’s commitment to security and compliance, explore our Trust Centre.