VEREID
Security

Built for SOC 2, run for production

We treat security and compliance as engineering work, not paperwork. Here is what we ship today and what we are committed to landing on a public timeline.

Compliance roadmap

Our SOC 2 trajectory — on a clock

SOC 2 Type I

Type I report within six months of general availability. Scope: Security + Confidentiality + Privacy trust services criteria. Auditor disclosed at signing.

SOC 2 Type II

Type II report within eighteen months of GA, covering a minimum six-month operating period.

GDPR + DPA

GDPR-compliant from day one. Standard DPA available on all paid plans; custom DPAs on Enterprise. EU traffic to /v1/verify is geo-gated until counsel sign-off and EU data residency are both live.

ISO 27001

Targeted within twenty-four months of GA. Aligned with SOC 2 control set.

PCI DSS

We never touch card data — all payments are handled by Stripe. We carry a current Stripe Service Provider SAQ-A attestation.

Penetration testing

Independent pre-launch penetration test combining ZAP active scanning with manual Burp Suite testing; annual external pen-test and continuous attack-surface monitoring thereafter. Summary letter on request.

Engineering controls

What we actually do

Encryption

TLS 1.2 or higher in transit on all ingress and egress paths. AES-256 at rest with AWS KMS envelope encryption. Per-data-class CMKs: one for the operational database and secrets, a separate one for the PII vault and the WORM-replicated audit bucket. Keys rotate automatically on AWS's rotation schedule; export is administratively disabled.

Identity and access

Mandatory hardware-backed MFA on every engineering account. Production access is broker-gated and time-boxed via short-lived AWS SSO sessions; every action is CloudTrail-logged into the audit account. No long-lived production secrets live on engineer laptops.

Network

All public ingress flows through CloudFront and WAFv2 with the AWS Managed Core Rule Set plus a per-route rate limit. Lambda workers run with the narrowest IAM permissions that let them function; the FastAPI service runs on ECS Fargate behind an Application Load Balancer in private subnets.

Software supply chain

CI runs npm audit and pip-audit, Amazon Inspector scans of ECR images, and a distroless-base-image policy. Builds are signed and attested with GitHub Actions OIDC. Every dependency upgrade flows through code review.

Data minimization

We retain biometric templates for a maximum of thirty days after a successful match — the templates auto-purge from S3 via lifecycle rules and a daily verifier job. ID images we are required to retain for AML purposes live in an Object-Lock 7-year bucket with no public access.
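As an added illustration (not VEREID's own code), this is the shape a daily verifier job for the thirty-day template retention can take: it checks that an enabled lifecycle rule expires objects under the template prefix within the limit, then flags any object older than the limit that the lifecycle should already have purged. The prefix name, the lifecycle document (in the shape S3's GetBucketLifecycleConfiguration returns) and the object listing are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed key prefix for biometric templates and the retention limit from the policy.
TEMPLATE_PREFIX = "biometric-templates/"
MAX_RETENTION_DAYS = 30

# Constructed lifecycle configuration, same shape as the S3 API returns.
LIFECYCLE_CONFIG = {
    "Rules": [
        {"ID": "purge-templates", "Status": "Enabled",
         "Filter": {"Prefix": TEMPLATE_PREFIX},
         "Expiration": {"Days": 30}},
        {"ID": "abort-mpu", "Status": "Enabled",
         "Filter": {"Prefix": ""},
         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7}},
    ]
}

def lifecycle_covers_prefix(config, prefix, max_days):
    """True if an enabled rule expires objects under `prefix` within max_days."""
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rule_prefix = rule.get("Filter", {}).get("Prefix", rule.get("Prefix", ""))
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and prefix.startswith(rule_prefix) and days <= max_days:
            return True
    return False

def stale_objects(listing, prefix, max_days, now):
    """Keys under prefix older than max_days: lifecycle should have removed them.
    S3 applies expiration asynchronously, so a small grace period may be warranted."""
    cutoff = now - timedelta(days=max_days)
    return sorted(o["Key"] for o in listing
                  if o["Key"].startswith(prefix) and o["LastModified"] < cutoff)

def verify(config, listing, now, prefix=TEMPLATE_PREFIX, max_days=MAX_RETENTION_DAYS):
    """Daily verifier result: clean means lifecycle_covered is True and stale is empty."""
    return {"lifecycle_covered": lifecycle_covers_prefix(config, prefix, max_days),
            "stale": stale_objects(listing, prefix, max_days, now)}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LISTING = [  # constructed ListObjectsV2-style entries
    {"Key": "biometric-templates/u1.bin", "LastModified": NOW - timedelta(days=3)},
    {"Key": "biometric-templates/u2.bin", "LastModified": NOW - timedelta(days=45)},
    {"Key": "id-images/u2.jpg", "LastModified": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print(verify(LIFECYCLE_CONFIG, SAMPLE_LISTING, NOW))
```

In a real job the listing and lifecycle document come from the S3 API and any non-empty `stale` result should page the on-call owner.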

Incident response

On-call is named and paged via PagerDuty. We carry runbooks for the top twelve incident classes (credential exposure, biometric leak, sanctions-feed corruption, etc.) with named owners. We will notify any affected customer within twenty-four hours of a confirmed PII incident — that commitment is in our DPA.