Security Overview

VeriPlus security architecture, data protection measures, infrastructure security, and compliance certifications.

VeriPlus implements enterprise-grade security measures to protect your data and ensure compliance with global data protection regulations.

Security Commitment

We treat security as our highest priority:

  • Data Encryption: All data encrypted at rest and in transit
  • Infrastructure: SOC 2-audited cloud infrastructure
  • Access Controls: Role-based access with MFA
  • Compliance: GDPR, CCPA, ISO 27001 aligned
  • Monitoring: 24/7 security monitoring and incident response
  • Audits: Regular penetration testing and security audits

Enterprise-Grade Security

VeriPlus uses the same security infrastructure trusted by financial institutions and Fortune 500 companies.

Data Encryption

Encryption at Rest

All data stored using AES-256 encryption:

Data Type                 | Encryption | Key Management
--------------------------|------------|-----------------------
Documents (IDs, selfies)  | AES-256    | AWS KMS
Database (applicant data) | AES-256    | PostgreSQL native
File Storage (MinIO S3)   | AES-256    | Server-side encryption
Backups                   | AES-256    | Encrypted snapshots

Key Rotation: Encryption keys rotated every 90 days

Encryption in Transit

All API communication uses TLS 1.3:

✅ https://api.veriplus.co.uk (TLS 1.3)
❌ http://api.veriplus.co.uk (Rejected)

Certificate signature algorithm: SHA-256 with RSA

Cipher Suites: Modern, secure ciphers only (no weak ciphers)

End-to-End Encryption

Sensitive data encrypted before leaving your application:

// Example: Client-side encryption before upload.
// encrypt() stands for your client-side public-key encryption routine;
// the API receives only the ciphertext, never the plaintext fields.
const encryptedData = await encrypt(sensitiveData, publicKey);

await fetch('/api/v3/applicants', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ data: encryptedData })
});

Use Case: Extra security for highly sensitive applications

Infrastructure Security

Cloud Provider

Provider: AWS (Amazon Web Services)

Regions:

  • Primary: EU-West-1 (Ireland)
  • Failover: EU-Central-1 (Frankfurt)

Certifications:

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS Level 1
  • HIPAA compliant (available for Enterprise)

Network Security

DDoS Protection: AWS Shield Advanced

Web Application Firewall: AWS WAF with custom rules

Rate Limiting:

  • Per-IP rate limits
  • Per-API-key rate limits
  • Automatic blocking of suspicious IPs

IP Allowlisting: Enterprise feature for restricting API access

Database Security

PostgreSQL 14 with:

  • Encrypted connections (SSL required)
  • Row-level security
  • Audit logging
  • Automated backups (daily)
  • Point-in-time recovery

Access: Database not publicly accessible, internal VPC only

File Storage

MinIO S3-Compatible Storage:

  • Server-side encryption (SSE-S3)
  • Bucket policies (private by default)
  • Signed URLs (time-limited access)
  • Object versioning
  • Lifecycle policies (auto-deletion)

Access Controls

Authentication

API Keys:

  • SHA-256 hashed
  • Prefix-based identification
  • Automatic rotation support
  • Granular permissions (Enterprise)

User Accounts:

  • Bcrypt password hashing (cost factor 12)
  • Password complexity requirements
  • Password history (prevent reuse)
  • Multi-factor authentication (MFA)

Multi-Factor Authentication (MFA)

Supported Methods:

  • Time-based OTP (Google Authenticator, Authy)
  • SMS (optional, not recommended for high security)
  • Backup codes

Required For:

  • Admin accounts (mandatory)
  • API key generation
  • Sensitive operations (delete, export)

Role-Based Access Control (RBAC)

Role               | Permissions                      | Use Case
-------------------|----------------------------------|-------------------------
Super Admin        | Full access                      | Platform administrators
Organization Admin | Manage organisation              | Business owners
Compliance Officer | Review verifications, AML        | Compliance teams
User               | Create applicants, view own data | Standard users

Permission Model:

  • Resource-based (applicants, verifications, etc.)
  • Action-based (create, read, update, delete)
  • Granular control (Enterprise)

Session Management

Session Security:

  • JWT tokens (RS256 signed)
  • 24-hour expiry
  • Refresh token rotation
  • Device tracking
  • Automatic logout on suspicious activity

Session Invalidation:

  • Manual logout
  • Password change
  • Role change
  • Admin-initiated (Enterprise)

Security Monitoring

24/7 Monitoring

What We Monitor:

  • Failed login attempts
  • Unusual API activity
  • Data access patterns
  • Infrastructure health
  • Security threats

Automated Responses:

  • Block suspicious IPs
  • Lock accounts after 5 failed logins
  • Alert on privilege escalation
  • Notify on data export

Incident Response

Response Time:

  • Critical incidents: 15 minutes
  • High priority: 1 hour
  • Medium priority: 4 hours
  • Low priority: 24 hours

Incident Types:

  • Data breach attempt
  • DDoS attack
  • Unauthorised access
  • API abuse

Communication:

  • Email notification to admins
  • Status page updates
  • Post-incident report

Audit Logging

All Actions Logged:

  • User logins/logouts
  • API requests
  • Data access (read/write/delete)
  • Configuration changes
  • Permission changes

Log Retention: 12 months

Access: Admins can export logs for compliance audits

Vulnerability Management

Security Testing

Regular Testing:

  • Quarterly penetration testing (external firm)
  • Monthly vulnerability scans
  • Continuous automated security testing
  • Annual security audit

Bug Bounty Program: Responsible disclosure program for security researchers

Patch Management

Update Cadence:

  • Critical patches: Within 24 hours
  • High priority: Within 7 days
  • Medium priority: Within 30 days

Testing: All patches tested in staging before production

Dependency Security

Automated Scanning:

  • GitHub Dependabot
  • Snyk vulnerability scanning
  • npm audit (weekly)

Policy: No known critical vulnerabilities in production

Data Retention

Retention Periods

Data Type         | Retention | Reason
------------------|-----------|--------------------------
Verification Data | 5 years   | Regulatory requirement
AML Screening     | 5 years   | Regulatory requirement
Audit Logs        | 12 months | Security and compliance
API Logs          | 30 days   | Debugging and monitoring
Backups           | 30 days   | Disaster recovery

Right to Deletion: GDPR/CCPA requests honored within 30 days

Data Deletion

Automatic Deletion:

  • Temporary files deleted after 24 hours
  • Expired upload URLs deleted immediately
  • Old backups deleted after 30 days

Manual Deletion:

  • User-initiated via API or dashboard
  • Permanent deletion (not reversible)
  • Audit trail maintained

Compliance & Certifications

GDPR Compliance

  • Data Processing Agreement (DPA) available
  • EU data residency (Ireland + Frankfurt)
  • Right to access, rectification, deletion
  • Data portability
  • Privacy by design
  • GDPR-compliant contracts

CCPA Compliance

  • California Consumer Privacy Act compliant
  • Consumer rights honored
  • "Do Not Sell" respected
  • Privacy policy transparency

ISO 27001 Alignment

Information security management aligned with ISO 27001:

  • Risk assessment and treatment
  • Security policies and procedures
  • Access control
  • Incident management

PCI DSS

Not applicable (we don't store credit card data)

Payment Processing: Stripe (PCI DSS Level 1 certified)

Data Privacy

Data Minimization

We only collect data necessary for compliance:

Collected:

  • Name, DOB, nationality (required for verification)
  • ID document images (required for verification)
  • Selfie (required for biometric match)

NOT Collected:

  • Social Security Numbers
  • Credit card numbers
  • Health information
  • Unnecessary personal data

Third-Party Sharing

We DO NOT:

  • Sell your data
  • Share data with advertisers
  • Use data for marketing

We DO Share With:

  • Verification providers (Dataspike) - for processing only
  • Cloud infrastructure (AWS) - for hosting only
  • Payment processor (Stripe) - for billing only

All Sharing: Governed by Data Processing Agreements (DPAs)

Geographic Restrictions

Data Residency:

  • EU customers: Data stored in EU (Ireland + Frankfurt)
  • US customers: Data stored in US (optional)
  • UK customers: Data stored in UK or EU

Cross-Border Transfer: Standard Contractual Clauses (SCCs) for EU-US transfers

Physical Security

Data Centers (AWS):

  • 24/7 physical security
  • Biometric access control
  • CCTV surveillance
  • Environmental controls (fire, flood)
  • Power redundancy (generators, UPS)

Disaster Recovery

Business Continuity

Recovery Objectives:

  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 1 hour

Backup Strategy:

  • Automated daily backups
  • Continuous replication to secondary region
  • Point-in-time recovery (30 days)
  • Tested monthly

High Availability

Infrastructure:

  • Multi-AZ deployment (99.99% uptime)
  • Automatic failover
  • Load balancing
  • Database replication

SLA (Enterprise):

  • 99.9% uptime guarantee
  • Downtime credits

Security Best Practices for Customers

  1. Secure API Keys: Store in environment variables, never commit to Git
  2. Use HTTPS: All requests must use HTTPS
  3. Rotate Keys: Rotate API keys every 90 days
  4. Enable MFA: Require MFA for all admin accounts
  5. Monitor Usage: Set up alerts for unusual API activity
  6. Implement Rate Limiting: Prevent abuse of your integration
  7. Verify Webhooks: Always validate webhook signatures
  8. Report Issues: Contact [email protected] for vulnerabilities

Reporting Security Issues

Responsible Disclosure:

  • Email: [email protected]
  • PGP Key: Available on request
  • Expected response: Within 24 hours
  • Reward: Recognition (no monetary bounty currently)

Please Include:

  • Detailed description
  • Steps to reproduce
  • Potential impact
  • Your contact information
