Security

Engineered for the systems that depend on it.

Verify runs as production infrastructure inside other teams’ contract workflows. Below is the posture that supports that.

Controls

Posture, not promises.

Tenant isolation

Every customer operates in a logically isolated environment. Data access is scoped to the requesting workspace to prevent cross-tenant access.

Encryption in transit

TLS for all connections, terminated by our cloud platform.

Encryption at rest

Application data is stored in a managed database (MongoDB Atlas) with encryption at rest. Uploaded files are access-controlled, are never served from public URLs, and are deletable on demand.

Access controls

Tenant-scoped authorization, least-privilege service credentials, and a separate constant-time-compared secret for administrative endpoints.

Authentication

Salted bcrypt password hashing, signed JWT sessions with a pinned signing algorithm, and rate-limited login, signup, and password-reset endpoints.

Audit records

Verification, screening, and billing activity is recorded as immutable event records. Payment webhooks are signature-verified and processed idempotently.

Data deletion & retention

Contracts are deletable on demand, which removes their extracted text, identified parties, generated reports, and stored file. Person-verification records auto-expire after up to 365 days; device-intelligence signals after up to 180 days.

Vendor risk

Subprocessors are minimized and publicly disclosed; we share only the data each provider needs. Sanctions lists are matched within Verify, so party data is not sent to them.

No training on customer data

Customer contracts, counterparty records, and verification outputs are not used to train AI or foundation models.

Vulnerability disclosure

Dependency scanning and a coordinated disclosure process for reported security issues.

Audit log

What gets recorded.

Verification, screening, and billing activity is recorded with actor, action, target, and outcome, scoped per tenant, and retained for review.

Sample · administrative actions

14:03:22

auth

session.authenticatedauth

user · IP recorded

14:04:11

access

record.viewedaccess

counterparty record · scope: read

14:07:48

export

record.exportedexport

counterparty record · format: JSON · destination: user

14:18:30

auth

session.expiredauth

idle timeout

Server-timestamped. Recorded per tenant.

Webhook delivery

Signed and verifiable, in preview.

Outbound webhook delivery is in private preview. The intent is HMAC-signed deliveries with per-tenant secrets, timestamp validation, and idempotent receivers.

Today, the same typed event stream is retrievable per counterparty via the API timeline. The canonical signing scheme will be documented at v1.

Compliance

SOC 2 readiness in progress.

Documentation available to teams under review. Request via the contact below.

Security Overview

available on request

Subprocessors

published at /subprocessors

Data Processing Agreement

DPA · available on request

Questions

Things buyers ask.

Contact

Reach the security team.

Report issues, request documentation, or coordinate review with us directly.

viridiana@verify.inc →Read our commitments →