How We Operate
Please report any concerns or vulnerabilities by emailing [email protected].
Privacy is Paramount
Verified is committed to putting people in control of their own data. User consent is foundational to how our technology works. We are compliant with major regulatory frameworks for privacy like GDPR and CCPA.
A company must request that a user share verified data.
The user sees which company is making the request, and which data they're being asked to share.
The user can choose whether to share data and which data to share.
Based on the company's request, each data point can be required or optional, and can either allow or not allow user input.
No sensitive data is shared without full user consent.
The user sees exactly which data they're being asked to share and can choose whether to share it or not.
The user can see their data anytime in their Verified account.
The user has full control over their data and can access it via their account. They can also delete their account anytime.
Security Practices
We take data security extremely seriously. We are SOC 2 Type II certified. To request a copy of our certification report, please reach out to us at [email protected].
All sensitive data is stored in a separate, isolated environment with strict access control, encrypted in transit and at rest, and tokenized so that as much data processing as possible is done with nonsensitive aliases.
Annual Risk Assessments
Background Checks
Business Continuity and Disaster Recovery
Cloud Infrastructure Security
Confidentiality
Data Hosting Security
Incident Response
Information Security Program
Least Privilege Access Control
Password Managers
Password Requirements
Permissions and Authentication
Roles and Responsibilities
Security Awareness Training
Third-Party Audits
Third-Party Penetration Testing
Vendor Risk Management
Vulnerability Scanning
Policies and Plans
All personnel are required to read, accept, and follow all Verified policies and plans.
Defines standards for appropriate and secure use of the company’s hardware and electronic systems including storage media, communication tools and internet access.
Defines requirements for access and removal of access to company data, systems, facilities, and networks.
Guides the company in the event of a significant business disaster or other disruption to normal service.
Defines how changes to applications and systems are planned and implemented. The goal of change management is to increase awareness and understanding of proposed changes across the company and ensure that all changes are made in a thoughtful way that minimizes negative impact to services and customers.
Outlines the company's expectations measured against the highest possible standards of ethical business conduct. Committing to the highest standards helps the company hire great people, build great products, and attract loyal customers.
Provides procedures supporting effective organizational asset management, specifically focused on electronic devices within the organization and baseline configurations for company assets and systems.
Provides the basis for protecting the confidentiality of data at the company by establishing a data classification system.
Addresses how a customer's data is retained and disposed of, and ensures this is carried out in a consistent manner.
Provides guidance on the types of devices and media that need to be encrypted, when encryption must be used, the minimum standards of the software used for encryption, and the requirements for generating and managing keys at the company. Mistakes in selecting keys, implementing the encryption/decryption process, and managing keys and other secrets are common causes of data exposure.
Addresses the basic information security policy topics which maintain the security, confidentiality, integrity, and availability of company applications, systems, infrastructure, and data.
Guides the company in the maintenance of a system of internal controls in order to safeguard its assets against loss, promote operational efficiency, and encourage adherence to prescribed managerial policies.
Defines basic rules and requirements for network security and ensures the protection of information within and across networks and supporting information processing facilities. This document is applied to the security of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at the company.
Provides a means for discussing, planning and reviewing the performance of each team member. This provides both the employee and the department manager with the opportunity to discuss job tasks, identify and correct weaknesses, encourage and recognize strengths, and discuss methods for improving performance. Performance evaluations may influence salaries, job responsibilities, promotions and transfers, and it is critical that supervisors are objective in conducting performance reviews and in assigning overall performance ratings.
Specifies the requirements for physically protecting assets and their data via physical controls and safeguards. The company maintains reasonable steps to ensure that its facilities, information systems, and data are accessed only by authorized personnel or authorized third party visitors to prevent unauthorized access, damage, theft, and interference. All physical security requirements are applicable to both remote and in-office work.
Guides the company in performing risk assessments to account for threats, vulnerabilities, likelihood, and impact to company assets, team members, customers, vendors, suppliers, and partners based upon the company services considering security, availability, and confidentiality needs.
Defines basic rules for secure development of software and systems. This document is applied to the development and maintenance of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on development and maintenance at the company.
Provides a systematic incident response process for all Information Security Incidents that affect any of the company's information technology systems, network, or data, including company data held or services provided by third-party vendors or other service providers.
Guides the company in the execution, management, and termination of vendor and other third party agreements. This policy applies to all company assets utilized by employees and contractors acting on behalf of the company or accessing its applications, infrastructure, systems or data.
Defines an approach for vulnerability management to reduce system risks and integrate with patch management. This policy applies to all company assets utilized by personnel acting on behalf of the company or accessing its applications, infrastructure, systems or data.