How We Operate

Please report any concerns or vulnerabilities by emailing [email protected].

People Are In Control

Privacy is Paramount

Verified is committed to putting people in control of their own data. User consent is foundational to how our technology works. We are compliant with major regulatory frameworks for privacy like GDPR and CCPA.

A company must request that a user share verified data.

The user sees which company is making the request, and which data they're being asked to share.

The user can choose whether to share data and which data to share.

Based on the company's request, data points can be either required or optional and allow or not allow user input.

No sensitive data is shared without full user consent.

The user sees exactly which data they're being asked to share and can choose whether to share it or not.

The user can see their data anytime in their Verified account.

The user has full control over their data and can access it via their account. They can also delete their account anytime.

How We Stay Secure

Security Practices

We take data security extremely seriously. We are SOC 2 Type II certified. To request a copy of our certification report, please reach out to us at [email protected].

All sensitive data is stored in a separate, isolated environment with strict access control, encrypted in transit and at rest, and tokenized so that as much data processing as possible is done with nonsensitive aliases.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Annual Risk Assessments
Vendor and Risk Management

Annual Risk Assessments

We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
Background Checks
Organizational Security

Background Checks

We perform background checks on all new team members in accordance with local laws.
Business Continuity and Disaster Recovery
Cloud Security

Business Continuity and Disaster Recovery

We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
Cloud Infrastructure Security
Cloud Security

Cloud Infrastructure Security

All of our services are hosted with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit the AWS Security, GCP Security, and Azure Security informational web pages.
Confidentiality
Organizational Security

Confidentiality

All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
Data Hosting Security
Cloud Security

Data Hosting Security

All of our data is hosted on Amazon Web Services (AWS) databases. These databases are all located in the United States. Please reference the AWS Security specific documentation for more information.
Encryption at Rest
Cloud Security

Encryption at Rest

All databases are encrypted at rest.
Encryption in Transit
Cloud Security

Encryption in Transit

Our applications encrypt in transit with TLS/SSL only.
Incident Response
Cloud Security

Incident Response

We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Information Security Program
Organizational Security

Information Security Program

We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
Least Privilege Access Control
Access Security

Least Privilege Access Control

We follow the principle of least privilege with respect to identity and access management.
Logging and Monitoring
Cloud Security

Logging and Monitoring

We actively monitor and log various cloud services.
Password Managers
Access Security

Password Managers

All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Password Requirements
Access Security

Password Requirements

All team members are required to adhere to a minimum set of password requirements and complexity for access.
Permissions and Authentication
Access Security

Permissions and Authentication

Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role. Where available we have 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.
Roles and Responsibilities
Organizational Security

Roles and Responsibilities

Roles and responsibilities related to our Information Security Program and the protection of our customer’s data are well defined and documented. Our team members are required to review and accept all of the security policies.
Security Awareness Training
Organizational Security

Security Awareness Training

Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
Third-Party Audits
Organizational Security

Third-Party Audits

Our organization undergoes independent third-party assessments to test our security and compliance controls.
Third-Party Penetration Testing
Organizational Security

Third-Party Penetration Testing

We perform an independent third-party penetration at least annually to ensure that the security posture of our services is uncompromised.
Vendor Risk Management
Vendor and Risk Management

Vendor Risk Management

Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.
Vulnerability Scanning
Cloud Security

Vulnerability Scanning

We perform vulnerability scanning and actively monitor for threats.
Compliance

Policies and Plans

All personnel are required to read, accept, and follow all Verified policies and plans.

Acceptable Use Policy

Defines standards for appropriate and secure use of the company’s hardware and electronic systems including storage media, communication tools and internet access.

Access Control and Termination Policy

Defines requirements for access and removal of access to company data, systems, facilities, and networks.

Business Continuity and Disaster Recovery Plan

Guides the company in the event of a significant business disaster or other disruption to normal service.

Change Management Policy

Defines how changes to applications and systems are planned and implemented. The goal of change management is to increase awareness and understanding of proposed changes across the company and ensure that all changes are made in a thoughtful way that minimize negative impact to services and customers.

Code of Conduct

Outlines the companies expectations measured against the highest possible standards of ethical business conduct. Committing to the highest standards helps the company hire great people, build great products, and attract loyal customers.

Configuration and Asset Management Policy

Provides procedures supporting effective organizational asset management, specifically focused on electronic devices within the organization and baseline configurations for company assets and systems.

Data Classification Policy

Provides the basis for protecting the confidentiality of data at the company by establishing a data classification system.

Data Retention and Disposal Policy

Addresses how a customer's data is retained and disposed of and to ensure this is carried out in a consistent manner.

Encryption and Key Management Policy

Provides guidance on the types of devices and media that need to be encrypted, when encryption must be used, the minimum standards of the software used for encryption, and the requirements for generating and managing keys at the company. Mistakes in selecting keys, implementing the encryption/decryption process, and managing keys and other secrets are common causes of data exposure.

Information Security Policy

Addresses the basic information security policy topics which maintain the security, confidentiality, integrity, and availability of company applications, systems, infrastructure, and data.

Internal Control Policy

Guides the company in the maintenance of a system of internal controls in order to safeguard its assets against loss, promote operational efficiency, and encourage adherence to prescribed managerial policies.

Network Security Policy

Defines basic rules and requirements for network security and ensure the protection of information within and across networks and supporting information processing facilities. This document is applied to the security of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on network engineering, security, and maintenance at the company.

Performance Review Policy

Provides a means for discussing, planning and reviewing the performance of each team member. This provides both the employee and the department manager with the opportunity to discuss job tasks, identify and correct weaknesses, encourage and recognize strengths, and discuss methods for improving performance. Performance evaluations may influence salaries, job responsibilities, promotions and transfers, and it is critical that supervisors are objective in conducting performance reviews and in assigning overall performance ratings.

Physical Security Policy

Specifies the requirements for physically protecting assets and their data via physical controls and safeguards. The company maintains reasonable steps to ensure that its facilities, information systems, and data are accessed only by authorized personnel or authorized third party visitors to prevent unauthorized access, damage, theft, and interference. All physical security requirements are applicable to both remote and in-office work.

Risk Assessment Policy

Guides the company in performing risk assessments to account for threats, vulnerabilities, likelihood, and impact to company assets, team members, customers, vendors, suppliers, and partners based upon the company services considering security, availability, and confidentiality needs.

Secure Development Policy

Defines basic rules for secure development of software and systems. This document is applied to the development and maintenance of all services, architecture, software and systems that make up the company's product/service. Users of this document are all employees and applicable contractors who work on development and maintenance at the company.

Security Incident Response Plan

Provides a systematic incident response process for all Information Security Incidents that affect any of the company's information technology systems, network, or data, including company data held or services provided by third- party vendors or other service providers.

Vendor Management Policy

Guides the company in the execution, management, and termination of vendor and other third party agreements. This policy applies to all company assets utilized by employees and contractors acting on behalf of the company or accessing its applications, infrastructure, systems or data.

Vulnerability Management Policy

Defines an approach for vulnerability management to reduce system risks and integrate with patch management. This policy applies to all company assets utilized by personnel acting on behalf of the company or accessing its applications, infrastructure, systems or data.

Want to Learn More?

Reach out to us and we'll be glad to provide more information.

Contact Us

Contact Us

By sending us a message, you agree to our Terms and acknowledge our Privacy Policy.
Thank you! Your message was sent.
Oops! Something went wrong while submitting the form.