Built on industry-leading security practices to protect your sensitive compliance data.
All data transmitted between your browser and our servers is encrypted using TLS 1.3, which only negotiates ephemeral key exchanges and therefore provides forward secrecy. We enforce HTTPS for all connections and send HSTS (Strict-Transport-Security) headers so that browsers refuse to fall back to plaintext HTTP for our hosts; this protection takes effect from a visitor's first HTTPS connection onward unless the domain is also on the browser preload list.
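As a concrete check of the HSTS claim above, the following is an added example (not code from Verafi or its hosting providers) that parses a Strict-Transport-Security header and reports the weaknesses a reviewer looks for: a missing or malformed max-age, a max-age under one year, and a missing includeSubDomains directive. The sample header values are constructed for illustration.

```javascript
// Added example: parse a Strict-Transport-Security header and judge whether it
// actually protects returning visitors. Not Verafi code; the sample header
// values below are constructed for illustration.

const ONE_YEAR = 31536000; // seconds; the minimum max-age for browser preload lists

// Parse "max-age=N; includeSubDomains; preload" into an object. Directive
// names are case-insensitive per RFC 6797; unknown directives are ignored.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return policy;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age' && value !== null && /^\d+$/.test(value)) {
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    } else if (name === 'preload') {
      policy.preload = true;
    }
  }
  return policy;
}

// Evaluate a response's headers (a plain object, any header-name casing).
// Returns a list of findings; an empty list means the policy is present and strong.
function checkHsts(headers) {
  const findings = [];
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'strict-transport-security');
  if (!key) {
    return ['HSTS header missing: every visit can be downgraded to plaintext HTTP'];
  }
  const p = parseHsts(headers[key]);
  if (p.maxAge === null) findings.push('max-age missing or malformed: browsers ignore the whole header');
  else if (p.maxAge === 0) findings.push('max-age=0 tells browsers to forget the policy');
  else if (p.maxAge < ONE_YEAR) findings.push(`max-age=${p.maxAge} is below one year`);
  if (!p.includeSubDomains) {
    findings.push('includeSubDomains absent: a plaintext subdomain can still set cookies for the parent domain');
  }
  if (p.preload && (p.maxAge < ONE_YEAR || !p.includeSubDomains)) {
    findings.push('preload directive set but preload-list requirements are not met');
  }
  return findings;
}

// Constructed sample responses: one weak, one strong.
const weakHeaders = { 'Strict-Transport-Security': 'max-age=300' };
const strongHeaders = { 'strict-transport-security': 'max-age=63072000; includeSubDomains; preload' };

console.log('weak:', checkHsts(weakHeaders));
console.log('strong:', checkHsts(strongHeaders));
```

In practice the `headers` object would come from a `fetch` or `curl -I` of the production origin; the check is deliberately split from the network call so it can run in CI against captured responses.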
All data stored in our databases is encrypted using AES-256 encryption. Database backups are also encrypted. Encryption keys are managed using AWS KMS with automatic key rotation.
Sensitive fields (such as employee SSNs and addresses) are additionally encrypted at the application layer before they are written to the database, so that a compromise of the database, a backup, or the storage-level keys alone does not expose them.
Verafi is hosted on Vercel and uses Supabase for database services. Both providers hold current SOC 2 Type II attestation reports and comply with industry security standards. Infrastructure is distributed across multiple availability zones for high availability.
Our infrastructure employs network segmentation, firewalls, DDoS protection, and intrusion detection systems. Database servers are not publicly accessible and can only be reached through secure application servers.
Database backups are performed automatically every 6 hours and retained for 30 days. Backups are encrypted and stored in geographically separate locations. We regularly test backup restoration procedures.
We maintain a comprehensive disaster recovery plan with a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour. Disaster recovery procedures are tested quarterly.
We support and strongly recommend MFA for all user accounts. MFA can be enabled using an authenticator app (TOTP) or SMS; authenticator apps are preferred, because SMS codes can be intercepted through SIM-swap and number-porting attacks. Admin accounts are required to use MFA.
User permissions are managed through granular role-based access controls. Users are granted the minimum access necessary to perform their job functions (principle of least privilege).
User sessions expire after 24 hours of inactivity and are invalidated server-side immediately upon logout. We detect and prevent concurrent sessions from suspicious locations.
Passwords must be at least 12 characters and include uppercase, lowercase, numbers, and special characters. Passwords are hashed with bcrypt, which generates a unique random salt for every hash and stores it alongside the result, so two users with the same password never share a hash. New passwords are also checked against databases of known compromised passwords and rejected if they appear there.
We maintain 24/7 security monitoring with automated alerts for suspicious activity, including failed login attempts, unusual data access patterns, and potential security incidents.
All user actions are logged, including logins, data access, configuration changes, and file uploads. Audit logs are retained for 1 year and are available to account administrators.
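The two paragraphs above describe alerting on failed logins and an audit log of those events. As an added example (not Verafi's monitoring code), here is detection logic run over constructed audit-log lines in a JSON-lines format assumed for illustration. It raises a medium alert when one account or one source IP accumulates a threshold of failures inside a sliding window, and a high alert when an account logs in successfully right after such a burst, which is the pattern of a brute-force or credential-stuffing attack that worked.

```javascript
// Added example (not Verafi code): sliding-window failed-login detection over
// constructed audit log lines. Field names and format are assumed.

const SAMPLE_AUTH_LOG = [
  '{"ts":"2024-05-01T10:00:00Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:20Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:41Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:01:05Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:01:30Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:02:00Z","event":"login_success","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:30:00Z","event":"login_failed","user":"bob","ip":"198.51.100.9"}',
  '{"ts":"2024-05-01T11:00:00Z","event":"login_failed","user":"carol","ip":"198.51.100.9"}',
  '{"ts":"2024-05-01T11:00:10Z","event":"login_failed","user":"dave","ip":"198.51.100.9"}',
  '{"ts":"2024-05-01T11:00:20Z","event":"login_failed","user":"erin","ip":"198.51.100.9"}',
  '{"ts":"2024-05-01T11:00:30Z","event":"login_failed","user":"frank","ip":"198.51.100.9"}',
  '{"ts":"2024-05-01T11:00:40Z","event":"login_failed","user":"grace","ip":"198.51.100.9"}',
].join('\n');

// threshold failures within windowMs for the same account or the same IP
// raise an alert; a success while the account's window is still full is
// escalated. Returns the alerts in detection order.
function detectBruteForce(logText, { threshold = 5, windowMs = 10 * 60 * 1000 } = {}) {
  const events = logText.split('\n').filter(Boolean).map(l => JSON.parse(l))
    .sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const failures = new Map(); // key -> timestamps of failures still inside the window
  const alerted = new Set();  // keys already alerted, to avoid a flood of duplicates
  const alerts = [];
  const windowFor = key => {
    if (!failures.has(key)) failures.set(key, []);
    return failures.get(key);
  };

  for (const e of events) {
    const t = Date.parse(e.ts);
    for (const key of [`user:${e.user}`, `ip:${e.ip}`]) {
      const q = windowFor(key);
      while (q.length && t - q[0] > windowMs) q.shift(); // evict stale failures
      if (e.event === 'login_failed') {
        q.push(t);
        if (q.length >= threshold && !alerted.has(key)) {
          alerted.add(key);
          alerts.push({ severity: 'medium', rule: 'auth.bruteforce', key, failures: q.length, at: e.ts });
        }
      }
    }
    if (e.event === 'login_success') {
      const key = `user:${e.user}`;
      const q = windowFor(key);
      if (q.length >= threshold) {
        alerts.push({ severity: 'high', rule: 'auth.success_after_bruteforce', key, failures: q.length, at: e.ts });
      }
      q.length = 0; // a successful login closes the account's failure window
    }
  }
  return alerts;
}

console.log(detectBruteForce(SAMPLE_AUTH_LOG));
```

Keying on the source IP as well as the account is what catches the second pattern in the sample, a low-and-slow spray of one attempt per account from a single address, which a per-account threshold alone never sees.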
We employ intrusion detection systems (IDS) to identify and respond to potential security threats in real-time. Suspicious activity triggers immediate investigation by our security team.
System availability is monitored continuously with automated alerts for downtime. We publish a public status page at status.verafi.com showing real-time system health.
We conduct annual third-party penetration tests by certified security professionals. All identified vulnerabilities are remediated according to severity: Critical (24 hours), High (7 days), Medium (30 days).
All software dependencies are automatically scanned for known vulnerabilities. We use Dependabot and Snyk to monitor for security advisories and apply patches promptly.
Our codebase undergoes static application security testing (SAST) and dynamic application security testing (DAST). All code changes are reviewed for security implications before deployment.
We maintain a responsible disclosure program for security researchers. Validated vulnerabilities are acknowledged and rewarded. Report security issues to security@verafi.com.
All employees undergo background checks before being granted access to production systems or customer data. This includes criminal background checks and employment verification.
All employees complete security awareness training during onboarding and annually thereafter. Training covers data protection, phishing awareness, secure coding practices, and incident response.
Employee access to production systems and customer data is strictly limited based on job function. All access is logged and reviewed regularly. Access is immediately revoked upon termination.
All employees and contractors sign confidentiality agreements protecting customer data. These agreements remain in effect after employment ends.
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident analysis. The plan is tested through tabletop exercises quarterly.
In the event of a security breach affecting customer data, we will notify affected customers within 72 hours of discovery, in line with the notification timelines of applicable data protection laws such as GDPR and CCPA.
During security incidents, we provide timely updates through email and our status page. We maintain transparency about the nature of the incident, affected systems, and remediation steps.
After every security incident, we conduct a thorough post-mortem to identify root causes and implement preventive measures. Lessons learned are incorporated into our security practices.
We hold a current SOC 2 Type II attestation report, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy. Annual audits are conducted by an independent third-party auditor.
Our information security management system (ISMS) is compliant with ISO 27001 standards, covering security policies, risk management, and continuous improvement processes.
We comply with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), including rights to access, deletion, portability, and notification of data breaches.
While Verafi is not primarily a healthcare application, our security practices align with HIPAA requirements for those customers who may handle health-related information.
If you discover a security vulnerability or have security concerns, please contact our security team immediately:
Email: security@verafi.com
PGP Key: Available at verafi.com/pgp
Response Time: Critical issues within 4 hours
We take all security reports seriously and will investigate promptly. We appreciate responsible disclosure and will keep you informed throughout the investigation.