Trust Center

We empower 2,000+ organizations in Europe to provide outstanding business services, and earning and keeping your trust is at the heart of this effort.

The Verified Trust Center connects you to the latest information on the security, reliability, privacy, and compliance of our products and services.

Security

We believe all businesses have potential to do amazing things. Our mission is to unleash the potential in every business of every size and industry, and in turn, help advance these businesses through the power of software.

We know that your mission is as important to you as our mission is to us, and information is at the heart of all our businesses and lives. This is why customer trust is at the center of what we do and why security is our top priority. We’re transparent with our security program so you can feel informed and safe using our products and services.

The information on this page applies to Verified core services, Smart Flows and APIs unless otherwise noted.

Data encryption

We protect your data in transit with TLS 1.3 and also support TLS 1.2 where needed. At rest, your data is encrypted with AES-256.

Cloud product security

Security is built into the fabric of our cloud products. We employ numerous controls to safeguard your data including encryption in transit and at rest across our cloud services, external vulnerability research such as our continuous penetration test program, and more.

Security operations and best practices

Our dedicated security team approaches security holistically with a common controls framework. Security threats are prevented using our Verified Trust Management System (VTMS), secure software development practices, and industry-accepted operational practices.

Platform and network security

We perform rigorous security testing including threat modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices, following the ITIL framework, and keep you informed with real-time system status on status.verified.eu.

Availability and continuity

We maintain high levels of availability with multiple redundant AWS data centers in Sweden and robust Disaster Recovery and Business Continuity programs.

Key security offerings

  • Data encryption in transit
  • Data encryption at rest
  • SSO with multiple authentication schemes (OIDC and SAML)

eID

Supporting your digital business transformation with cloud-based eIDAS compliant electronic signatures

Verified’s powerful workflows and electronic signature and authentication solutions allow your business to complete transactions, agreements and approvals faster, all while remaining compliant with eIDAS standards. Verified provides you with real-time signer certificates at the time of signing, reducing the need for in-house digital certificate management and hence reducing the operational complexity your business would otherwise need to handle.

Electronic signatures

Electronic signature is a broad term for any kind of signature in an electronic format. Electronic signatures are a legal way to get approval or consent on electronic documents or forms and can be considered a replacement for a written signature. There are different levels of assurance among electronic signatures, which are most often differentiated into electronic and digital signatures. Commonly, electronic signatures come with no level of assurance regarding the authenticity of the signer. For example, acknowledging the delivery of a parcel by signing on a device offered by the delivery service provider acknowledges that the parcel has been delivered, but does not provide any further authentication of the signature and hence of the person who accepted the parcel.

A digital signature provides more advanced levels of assurance regarding the authenticity of the signer. The advanced levels of assurance are provided by so-called trusted service providers, which hold a license to issue electronic IDs/digital IDs.

[eID diagram]

When signing a document with an eID, higher levels of security are realized through fast and easy validation of a person’s identity, also ensuring that only the correct signer has access to the information provided and no one else.

It also provides evidence regarding the origin, identity and status of an electronic document or transaction and acknowledges an informed consent by the signer. Documents signed with an eID support the provision of proof that an electronic document or transaction was not forged or modified, intentionally or unintentionally, from the time it was signed. Tamper-sealed protection secures an audit trail of any potential changes made within an electronic document or transaction by adding electronic logs from the moment a document is created. This is done by computing a unique hash of the electronic document or transaction and encrypting it with the sender’s private key. If the electronic document or transaction has changed, the hash changes as well and no longer matches the one protected by the signature.
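The hash-and-sign mechanism just described, as an added Go example (this is illustration code written for this page, not code from Verified): the document’s SHA-256 digest is signed with a private key, and verification recomputes the digest from the document as received, so that a single changed byte makes the stored signature fail. The key pair, the document text and the altered value are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument computes the SHA-256 hash of the document and signs that digest
// with the signer's private key (ECDSA over P-256, ASN.1 DER encoded signature).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest from the document as received and checks
// the signature against the signer's public key. Any change to the document
// changes the digest, so the stored signature no longer verifies.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TamperDemo signs a constructed sample document, then alters a single
// character of a copy. It returns whether the original verifies (expected true)
// and whether the altered copy verifies (expected false).
func TamperDemo() (originalOK bool, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample document, not a real agreement.
	doc := []byte("Agreement 42: Party A pays Party B EUR 1000 on 2024-03-01.")
	sig, err := SignDocument(priv, doc)
	if err != nil {
		return false, false, err
	}
	originalOK = VerifyDocument(&priv.PublicKey, doc, sig)

	// Change "1000" to "9000": one byte differs, and the digest is unrelated
	// to the one that was signed.
	tampered := append([]byte(nil), doc...)
	tampered[len("Agreement 42: Party A pays Party B EUR ")] = '9'
	tamperedOK = VerifyDocument(&priv.PublicKey, tampered, sig)
	return originalOK, tamperedOK, nil
}

func main() {
	ok, bad, err := TamperDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

Note that the signer never has to disclose the private key: anyone holding the public key (for instance, embedded in the signer certificate) can repeat the check, which is what makes the proof of integrity independent of the signer.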

eIDAS

Verified complies with the eIDAS Regulation set by the European Union on electronic identification and trust services for electronic transactions in the European Single Market. The eIDAS Regulation’s intent is to enable convenient and secure electronic transactions across EU borders for citizens, businesses, and public sector institutions. Regulation (EU) No 910/2014 (eIDAS Regulation) went into force on 1 July, 2016, being mandatory and fully adopted in all EU member states and taking precedence over any conflicting national laws.

eIDAS ensures that each form of electronic signature is admissible as evidence in EU courts and shall not be denied legal effect solely because it is in electronic form. However, the enforceability of an agreement made using electronic signatures depends on the type of electronic signature used and its embedded evidence. A scanned image of a written signature is more likely to be challenged in court than a qualified electronic signature meeting multiple EU technical standards and containing significant embedded signer information.

eIDAS differentiates four levels of electronic signatures, of which level 1 (the lowest level) is not in scope of the eIDAS regulation. We will focus on eIDAS assurance levels 2 to 4 in the following paragraphs.

Basic Electronic Signatures

Do you need to accept a delivery package? Check a digital box on a desktop screen? Scan a manually signed document? Then the basic electronic signature will suffice. This may either be a signature that’s manually put on a desktop screen (after which it’s digitally saved) or a click on an ‘I accept’ button.

Generally, this type of signature is mainly used in lower-value processes, as there is no foolproof way to confirm the identity of the signer. If someone copied another person’s signature and put it on the document, it would be difficult to prove (or even discover) that. Using the basic electronic signature in legally valid documents could obviously pose an issue, depending on the process in place. Therefore, a signature on insurance, financial, or real estate documents, for example, should meet stricter requirements so it can be connected to the signer with (more) certainty.

According to eIDAS, at the basic level, an electronic signature can be defined as:

“Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”

Taking this definition literally, you can sign a document simply by scanning your signature or ticking a box in a document opened on your device of choice. Technically, the data is in electronic form and attached to a file, but there are problems with this model which eIDAS is trying to address.

As you might already have guessed, this isn’t covering the purpose of signing a document at all. The document can still be tampered with, and a “signature” can easily be forged (i.e., we cannot be sure who ticked the box to confirm the terms and conditions were accepted). Simply put: Neither integrity nor authenticity of the document are guaranteed.

Advanced Electronic Signatures

Under eIDAS, this is a type of electronic signature that must meet specific requirements providing a higher level of signer ID verification, security, and tamper-sealing. The main requirements are:

  • Uniquely linked to the signer, enabling its identification
  • The signer can use the signature creation data under their sole control with a high level of confidence
  • Any subsequent changes in the signed data are detectable

Using digital signatures that are applied with a digital certificate satisfies all of the above requirements. Digital certificates are obtained after a thorough verification of an individual’s identity by a trusted third party (e.g. a certificate authority). Digital certificates, and their resulting signatures, are unique to the individual and virtually impossible to spoof, achieving the two requirements above.

Because the signatory is the sole holder of the private key which is used to apply the signature (see our article on Public Key Infrastructure to get an understanding of how public and private keypairs work), you can be assured that the signer is the person who they say they are. Finally, part of the signature verification process, which automatically occurs when a recipient opens the document, includes checking to see if any changes have been made to the document since it was signed.

Qualified Electronic Signatures

This is the only electronic signature type to have special legal status in EU member states, being the legal equivalent of a written signature. It must meet advanced electronic signature requirements and be backed by a qualified certificate, meaning a certificate issued by a trust service provider that is on the EU Trusted List (ETL) and certified by an EU member state. The trust service provider must verify the identity of the signer and vouch for the authenticity of the resulting signature. Furthermore, the signature must be created by approved means, such as a qualified signature creation device.

The legal framework of the country you are operating in defines if there is a need for a qualified signature or if an advanced electronic signature is considered as legally binding. However, depending on the type of business you are in, a qualified electronic signature might be the right one to choose for you. For instance, any business that is exposed to a high risk of scam or fraud might consider having a more secure signing system implemented. This could be businesses operating in the financial, insurance, healthcare or telecommunications sector, as well as governmental institutions.

What is the difference?

As explained above, electronic signatures are classified by the level of assurance they offer. Each of the three types of electronic signatures can be legally effective under eIDAS. A basic level of integrity is always guaranteed in the sense that content can’t be altered after signing the document. But the levels of security differ significantly, and if you ever need to prove to a court a signature is genuine and was intentionally put on a particular document, there’s a difference in the evidence you must provide.

Note on use cases: local regulations regarding the legal validity and the availability of level 4 signatures apply.

Level 2: Basic electronic

Characteristics
  • Quick and easy

Use cases
  • Customer on-boarding
  • Signing when receiving a parcel

Verified Native Solutions
  • Touch ID
  • Email
  • SMS OTP

Level 3: Advanced electronic

Characteristics
  • Linked to signer
  • Increased legally binding proof
  • More trustworthy than basic electronic signature

Use cases
  • Loan application
  • Employment contracts
  • Insurance documents
  • Documents from public authorities

Verified Native Solutions
  • SMS OTP
  • Mail OTP
  • BankID Sweden
  • BankID Norway
  • FTN
  • NemID

Level 4: Qualified electronic

Characteristics
  • Highest level of security
  • Personal link to signer
  • Digital equivalent of a written signature
  • Legal obligation

Use cases
  • Loan application
  • Employment contracts
  • Insurance documents
  • Documents from public authorities

Verified Native Solutions
  • BankID Norway

Verified currently offers the following integrations:

  • Native methods
  • Integrated ID-hubs and third-party ID hubs

PAdES

PDF Advanced Electronic Signatures (PAdES) is a specific regulation under eIDAS for formatting advanced electronic signatures for PDF documents.

PAdES recognizes that documents signed electronically may be used and/or archived for many years, depending on the retention period set for a particular document. This means that at any given time in the future it must be possible to validate a document, confirming that the signature was valid at the time the document was signed. This concept is also known as Long-Term Archivable (LTA). When LTA is enabled, the certificate’s status at sign time is captured and stored within the PDF document. This ensures that the validity of a signature can be determined at a later date, irrespective of certificates having expired or been revoked, or the issuing authority no longer existing. Because the record is stored inside the PDF document, it is authenticated by the document’s signature, reducing the risk of fraud, error or any potential future conflict related to expired or revoked certificates. LTA is recommended for all kinds of signatures that need to meet the legal requirements related to qualified signatures.

All signature methods available within Verified are LTA enabled, verifying the validity of a signature at the time of signing following the PAdES standard. Verified digitally seals all PDF documents that are downloaded from the Verified platform with a certificate issued by Entrust. Every application that supports electronic signature validation, e.g. Acrobat Reader, will validate the certificate used to seal the document using the sign-time stored in the document. This applies to all documents that have been downloaded since the enablement of LTA.
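As an added illustration of the sign-time validation that LTA makes possible (this is example code written for this page, not Verified’s implementation and not the PAdES PDF container itself), the Go program below issues a constructed CA and a short-lived signer certificate, signs a sample document, records the sign time alongside the signature and certificates, and then validates the same record twice: once against the recorded sign time, as an LTA-enabled validator does, and once two days later, which is what a validator that only knows the current clock would do. Certificate names, the sign time and the document text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedRecord holds what an LTA-style record keeps next to the signature:
// the signer certificate, its issuer and the time at which signing happened.
type SignedRecord struct {
	Doc      []byte
	Sig      []byte
	SignTime time.Time
	Signer   *x509.Certificate
	Issuer   *x509.Certificate
}

// issue creates a certificate from template signed by parentKey; when
// parent == template the result is self-signed (the constructed CA).
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate checks that the signature matches the document and that the signer
// certificate chained to the issuer at instant "at". Passing rec.SignTime is
// the sign-time check; passing the current time is the naive check that fails
// once the certificate has expired.
func Validate(rec *SignedRecord, at time.Time) error {
	pub, ok := rec.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(rec.Doc)
	if !ecdsa.VerifyASN1(pub, digest[:], rec.Sig) {
		return errors.New("signature does not match document")
	}
	roots := x509.NewCertPool()
	roots.AddCert(rec.Issuer)
	_, err := rec.Signer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at, // validity is judged at this instant, not at wall-clock time
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// LTADemo builds a constructed CA and a signer certificate valid for one day
// around a fixed sign time, signs a sample document and records that time.
// It returns the validation result at sign time (expected nil) and the result
// two days later, after the signer certificate has expired (expected non-nil).
func LTADemo() (atSignTime, twoDaysLater error, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signTime := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC) // constructed sign time
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Trust Service CA (constructed)"},
		NotBefore: signTime.Add(-24 * time.Hour), NotAfter: signTime.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	signerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Jane Signer (constructed)"},
		NotBefore: signTime.Add(-time.Hour), NotAfter: signTime.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, err := issue(signerTmpl, ca, &signerKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	doc := []byte("Sample contract text (constructed), signed 2024-03-01")
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	rec := &SignedRecord{Doc: doc, Sig: sig, SignTime: signTime, Signer: signer, Issuer: ca}
	return Validate(rec, rec.SignTime), Validate(rec, signTime.Add(48*time.Hour)), nil
}

func main() {
	atSign, later, err := LTADemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("validated at sign time: %v\nvalidated two days later: %v\n", atSign, later)
}
```

The point of the example is the `CurrentTime` field: the second validation fails only because the clock has moved past the certificate’s expiry, while the signature and chain are exactly as good as they were. A real LTA record also stores the revocation evidence (CRL or OCSP responses) that was current at signing and a trusted timestamp proving when the record was made; here the sign time is simply trusted as recorded, which is the assumption this constructed demo makes.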

[PAdES diagram]

Architecture

Security is front of mind when designing our applications and business processes. Verified’s cloud security architecture is designed with consideration of a broad range of industry standards and frameworks and in tandem with our internal threat modeling process. It is designed to balance the need for flexibility with the need for effective controls to ensure confidentiality, integrity, and availability of our customers' data.

Applications

Development security, data security & information lifecycle management.

Security

Encryption, threat and vulnerability management, security incident management

Infrastructure

Asset management, access control, operations, communications security

Data Center & Offices

Physical and environmental security. Verified uses the industry-leading cloud provider AWS, which has relevant physical security controls in place, validated by external assessments such as SOC 1/ISAE 3402, SOC 2 and SOC 3.

Corporate

Security governance, organization of security, personnel security, supplier & third-party data management, mobile security, business continuity, audit/compliance, data privacy.

Network

We practice a layered approach to network access, with controls at each layer of the stack.

We control access to our sensitive networks through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking. All connectivity is encrypted by default.

Staff connectivity requires device certificates, multi-factor authentication, and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.

We have also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.

The Verified platform

Threat modeling is used to ensure that we are designing in the right controls for the threats we face.

During the product planning and design phase, we use threat modeling to understand the specific security risks associated with a product or feature. Generally speaking, threat modeling is a brainstorm session between engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development.

We use the STRIDE threat model framework. STRIDE is an acronym for a common set of security concerns: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. We apply threat modeling early and often in the design process, which helps ensure that relevant security configuration and controls are designed to mitigate threats specific to each product or feature we develop.

Reliability

The users of Verified are running their most important business operations with the service. Hence it is integral that Verified offer the highest degree of reliability in combination with back-up plans for what happens when something stops working.

Verified’s Cloud Hosting Infrastructure

Our cloud infrastructure takes advantage of elastic scale, multi-level redundancy, and failover options across the Amazon Web Services Stockholm Region to reduce latency, maintain reliability, and scale with your organization’s needs.

Platform Performance

We continuously look for ways to improve product and platform performance by monitoring key performance metrics, such as load times, search responsiveness, and attachments.

Product and Data Safeguards

Your business demands uniform reliability and uptime. Our Business Continuity and Disaster Recovery programs ensure the impact on our customers is minimized in the event of a disruption to our operations. Should you need to recover your data, rest assured knowing our backup program automatically performs daily application and database backups for Verified cloud products.

Quality Controls

We are relentless when it comes to preventing possible points of failure. We implement controls at every point of the development based on ISO 27002 and ISO 22301 standards and practices. We also utilize industry-verified quality control processes, such as chaos engineering, staging environments, and internal dogfooding, enabling us to proactively identify issues.

The criticality of our products will vary from customer to customer. From talking to our customers, we know that our products end up being part of key business processes. We run our business on our own product suite, so we understand the importance of reliability and recoverability.

Platform-wide Availability and Redundancy

We host all of our cloud applications with our cloud hosting partner AWS. AWS data centers have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on a separate front-end hardware node on which application data is stored.

We care about high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime.

Our resiliency practices are based on ISO 27001 and ISO 22301. Verified core services, Smart Flows and APIs are hosted with the industry-leading cloud hosting provider Amazon Web Services Stockholm Region, resulting in optimal performance with redundancy and failover options globally. We also maintain multiple availability zones across the European Union.

Backups

Application database backups for Verified happen on a daily automated basis. All snapshot and backup data is encrypted. Backup data is not stored offsite but is replicated to multiple data centers within AWS Sweden. We perform quarterly testing of our backups.

Business Continuity and Disaster Recovery

We have comprehensive, tested business continuity and disaster recovery plans.

We are determined to not #@!% our customers, and strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:

Governance

Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.

Oversight and maintenance

We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program. Site Reliability Engineers are committed to ongoing Disaster Recovery meetings and represent their critical services. They discuss identified DR gaps with the risk and compliance team and focus on the appropriate levels of remediation as necessary.

Testing

We conduct regular testing and strive for continual improvement as part of our DR lifecycle to ensure your data and the use of your data is highly available and performant.

Backup and restore procedures are in place and tested on a regular basis. This means that when data needs to be restored, we’re prepared to get you up and running with well-trained support staff and fully tested procedures.

In addition to assurance of resiliency through governance, oversight, and testing, Verified emphasizes continual improvement throughout the DR Program.

We publish our service availability status in real-time to ensure you can access your data when you want.

Product security

One of our industry’s challenges is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security. There are a range of security controls we implement to keep our products and your data safe.

Encryption in transit

All customer data stored within Verified cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.3 to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

Encryption at rest

Data drives on servers holding customer data and attachments in Verified use AES-256 encryption at rest. Data encryption at rest helps guard against unauthorized access and ensures that data can only be accessed by authorized roles and services with audited access to the encryption keys.

Encryption key management

Verified uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant Isolation on Verified Enterprise Version

Tenant isolation ensures that, even though customers are sharing a common IT infrastructure, they are logically segregated so that the actions of one tenant cannot compromise the data or service of another tenant.

This concept ensures that, in this shared environment:

  • Each customer’s data is kept logically segregated from other tenants when at-rest; and
  • Any requests that are processed by Verified have a “tenant-specific” view so other tenants are not impacted.
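One way to give every request the tenant-specific view described above, as an added Go example (this is not Verified’s code; the in-memory store, tenant names and document ids are constructed): the tenant is taken from the authenticated request context rather than from anything the caller supplies, every lookup is filtered by it, and a document id that belongs to another tenant is answered exactly like a missing one, so a caller cannot learn whether an id exists elsewhere.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Document is a constructed record in a store shared by several tenants.
type Document struct {
	ID, Tenant, Title string
}

// ErrNotFound is returned both for ids that do not exist and for ids owned by
// another tenant; the two cases are deliberately indistinguishable.
var ErrNotFound = errors.New("document not found")

type tenantKey struct{}

// WithTenant attaches the tenant established during authentication to the
// request context. Nothing user-controlled (query string, body, header) may
// set this value; only the authentication layer does.
func WithTenant(ctx context.Context, tenant string) context.Context {
	return context.WithValue(ctx, tenantKey{}, tenant)
}

func tenantFrom(ctx context.Context) (string, error) {
	t, ok := ctx.Value(tenantKey{}).(string)
	if !ok || t == "" {
		return "", errors.New("request has no authenticated tenant")
	}
	return t, nil
}

// Store is an in-memory stand-in for the shared database.
type Store struct{ docs []Document }

// List returns only the calling tenant's documents: every query is scoped by
// the tenant from the context, never by a tenant the caller names.
func (s *Store) List(ctx context.Context) ([]Document, error) {
	tenant, err := tenantFrom(ctx)
	if err != nil {
		return nil, err
	}
	var out []Document
	for _, d := range s.docs {
		if d.Tenant == tenant {
			out = append(out, d)
		}
	}
	return out, nil
}

// Get looks a document up by id within the calling tenant only.
func (s *Store) Get(ctx context.Context, id string) (Document, error) {
	tenant, err := tenantFrom(ctx)
	if err != nil {
		return Document{}, err
	}
	for _, d := range s.docs {
		if d.ID == id && d.Tenant == tenant {
			return d, nil
		}
	}
	return Document{}, ErrNotFound
}

// SampleStore holds constructed data for two tenants.
func SampleStore() *Store {
	return &Store{docs: []Document{
		{ID: "doc-1", Tenant: "acme", Title: "Acme supplier contract"},
		{ID: "doc-2", Tenant: "acme", Title: "Acme NDA"},
		{ID: "doc-3", Tenant: "globex", Title: "Globex lease"},
	}}
}

func main() {
	s := SampleStore()
	acme := WithTenant(context.Background(), "acme")
	docs, _ := s.List(acme)
	fmt.Println("acme sees", len(docs), "documents")
	_, err := s.Get(acme, "doc-3") // globex document: reported as missing
	fmt.Println("cross-tenant lookup:", err)
	_, err = s.List(context.Background()) // no authenticated tenant: refused
	fmt.Println("no tenant:", err)
}
```

The same scoping is what a row-level filter or a per-tenant database schema provides at the storage layer; doing it in the access path as well means a missing filter in one query cannot silently widen the view.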

Product Security Testing

Our approach to vulnerability management for our products consists of internal and external security testing.

Internal Testing

This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.

In the testing phase, both our development and security engineering team switch to an adversarial approach to attempt to break features using automated and manual testing techniques.

Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output.

Our security engineering team are subject matter experts, but it’s ultimately every developer in our company who is responsible for their own code.

External Testing

When a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.

Specialist security consultants are used to complete penetration tests.

Our approach to penetration testing is highly targeted and focused. Tests will generally be:

  • White box: Testers are provided design documentation and briefings from product engineers to support their testing
  • Threat-based: Testing focuses on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point

We do not make these reports or extracts available externally due to the extensive information made available to the testers in conducting these assessments.

Product Vulnerability Management

We take innovative approaches to building quality software.

We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assistance. We focus on fostering a “whole team” mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We are also actively working to empower and educate developers to test their own features to our quality standards.

While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process.

Operational practices

As much as securing our products is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of “building security in” is the same philosophy we use with our internal processes and influences how our business is conducted.

Access to Customer Data

Access to customer data stored within applications is restricted and only happens based on a service and support request initiated by our customers.

Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.

Within Verified, only authorized Verified employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected SSH key pairs, and the servers only accept incoming SSH connections from Verified locations. All access to data is logged to offer a complete audit trail.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Support Access

Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Our support teams will only access customer data when necessary to resolve an open ticket.

Training and Awareness

Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company.

Our awareness program is built on the premise that security is the responsibility of everyone. These responsibilities are extracted from our internal Security Policy Program, and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.

Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires.

Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and published threat, and reinforces the importance of following security good practices.

Change Management

We have embraced open source style change management.

Traditional change management processes rely on a pyramid-style change control hierarchy: when someone wants to make a change, it has to be presented to a board that either approves or denies it. In our model, each change, whether going into our code or infrastructure, must be reviewed by one or more peers to identify any issues the change may cause. We increase the number of reviews based on the criticality of the change or product. We trust our development teams and engineers to identify security issues and performance issues, and to flag the change before we allow it to go through.

Employee Hiring

Verified as a company attracts and hires only the best and the brightest to work for us. During recruiting, we perform employment, visa, background, criminal records and financial checks. On acceptance of an offer, we ensure each new hire has an on-boarding plan and access to on-going training based on their role.

Customer Exit Procedure

If a contract between Verified and one of our customers using our cloud products ends, customer data will be removed from our cloud environment according to the timelines below.

Scenarios where customer contract can end include:

  • Missed payments: Where an existing customer misses a payment for their product subscription (whether monthly or annually);
  • Subscription cancellation: Where an existing customer cancels their subscription;

Missed payments

When a customer misses a payment or the payment cannot be made, they are unsubscribed from all products 30 days after the due date for the payment. Once this occurs, their data is retained in backup for 180 days, after which it is deleted. Customers can ensure their data is not deleted by rectifying any missed payments within 15 days. It is not possible to restore customer data after this timeline even if payment has been made.

Data retention and destruction

Your account and associated users will be deactivated when your subscription ends. Verified retains data for deactivated accounts after the end of your current subscription period for 180 days.

Your data cannot be recovered after it’s deleted. We strongly recommend creating a Verified data backup from the archive. This can be done manually or via the API.

Security processes

We acknowledge that there is always margin for error. We are proactive in detecting security issues, which allows us to address identified gaps as soon as possible to minimize the damage.

Security Incident Management

In the unlikely event of a security incident, our routines, speed and efficiency aim to keep its impact as low as possible.

The security team at Verified aggregates logs from various sources in the hosting infrastructure. Our internal processes define how the alerts generated from these logs are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through Verified Support.

In the event of a serious security incident, Verified has access to the expertise, internally and through external subject matter experts, to investigate incidents and mitigate them until closure. Our database of security incidents is cataloged according to the ITIL Framework.

Vulnerability Management

We have an extensive vulnerability management program to ensure that we are actively seeking out weaknesses that may be present in our environment.

Apart from our product-specific vulnerability management practices, our security team performs ongoing network vulnerability scans of both our internal and external infrastructure using an industry-leading vulnerability scanner.

We also use specialist security consulting firms to complete penetration tests on high-risk products and infrastructures. Internal processes are in place to review any reported vulnerabilities and act on them.

Compliance

We run our security program in compliance with a range of well-known industry standards. We appreciate that these attestations matter, as they provide independent assurance to our customers that we are on the right track.

Standard: ISO 27001

Sponsor: International Organization for Standardisation

Status: Verified is currently in the process of getting ISO 27001 certified. We are aiming to get the accreditation by Q2/2021.

ISO/IEC 27001 also leverages the comprehensive security controls detailed in ISO/IEC 27002. The basis of this certification is the development and implementation of a rigorous security management program, including the development and implementation of an Information Security Management System (ISMS). This widely-recognized and widely-respected international security standard specifies that companies that attain certification also:

Standard: BankID

Sponsor: BankID

Status: Verified is a compliant partner and issuer of BankID in Norway and Sweden. Merchants get their certificates issued through Verified. Verified adheres to the current requirements of BankID to keep this status. BankID meets the banks’ own high standards for Internet banking security.

We also perform comprehensive security audits, which are done at least annually.

Outputs arising from these audit and certification programs, coupled with our internal process outputs such as vulnerability management, are all fed into a continuous improvement cycle that helps us keep sharpening the overall security program.

GDPR Compliance

We invest significant strategic resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined. Where applicable, we institute appropriate international data transfer mechanisms by executing Standard Contractual Clauses through our updated Data Processing Agreements.

We are wholly invested in our customers' success and the protection of customer data. One way that we deliver on this promise is by helping Verified’s customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 25, 2018.

Verified does not store any of its customers’ data outside the EU/EEA region. The latest EU court ruling has validated Verified’s management decision to move all data processing activities into the EU/EEA region.

In case a customer has a specific need for international data transfer, we can support this need by executing Standard Contractual Clauses and our updated Data Processing Agreement.

We offer data portability and data management tools including:

  • Profile deletion tool: We help customers respond to user requests to delete personal information, such as names and email addresses, from a Verified account, and we also help end users delete their personal information.
  • Import and export tools: Customers may access, import, and export their Customer Data using Verified’s tools.

We have ensured that Verified staff who access and process Verified customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.

We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.

We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate.

Privacy

We commit to meeting the highest bar for personal data privacy, and support your organization in meeting data privacy obligations around the world. We appreciate our customers’ concerns about privacy – and we understand that these concerns are probably the same concerns we ourselves have when using SaaS-based applications. So, fundamentally, we try to treat your personally identifiable and other sensitive data the same way we would want our service providers to treat our data.

Verified and its subsidiaries comply with the EU GDPR guidelines for the collection, use, and retention of personal information.

Our approach to privacy is laid out in detail in our Privacy Policy.

Privacy Rights Requests

GDPR provides every individual with the right to seek records about themselves that are maintained within a company or organization. In this section we would like to inform you about your privacy rights under GDPR and how you can exercise them with Verified.

What are your privacy rights?

  1. The right to be informed – we inform you about how we process your personal information in our Privacy Policy.

  2. The right of access – this is a right to ask us for a copy of the information that we, as a controller, hold about you, along with certain other information.

  3. The right to data portability – this is a right to ask us to provide you with a copy of the information you have provided, in a structured, commonly used, and machine-readable form, in certain circumstances.

  4. The right to rectification – this is a right to change or correct any personal information that you believe we are holding about you that is inaccurate or incomplete.

  5. The right to erasure (deletion) – this is the right to have your personal information deleted if it is no longer required for the purposes for which it was collected, or if certain other conditions apply (commonly called “the right to be forgotten”).

  6. The right to restrict processing – this is a right to request the restriction or suppression of your personal information in limited circumstances. We do not believe that this right will ordinarily apply to our processing of your personal information.

  7. The right to object – this is a right to object to the processing of your personal information in certain limited circumstances, such as when we are relying on ‘legitimate interests’ to process your personal information.

  8. The right to make a complaint to your Data Protection Authority – this is a right to complain to a data protection authority about our use of your Personal Information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.

When can you exercise your privacy rights?

GDPR makes the distinction between those who act as ‘controllers’ and those who act as ‘processors’ of personal information. Put simply, a controller is the organization who determines how and why your personal information is to be used for certain purposes. A processor is an organization who acts as a service provider and only processes personal information on behalf of the controller under the controller’s instruction.

This is important to highlight, as for most of our services, our clients are the data controller and we are acting as their data processor.

Under the law, it is up to the controller to make sure you can exercise your rights over your personal information. If you have questions about how your personal information is handled by our clients (the business or organization contacting you through the service), you will need to review their privacy notices and, if necessary, contact them directly.

How can you exercise your privacy rights?

You can exercise your privacy rights by using this form.

Shared Responsibility

In the cloud, the security of your data on our systems is a joint responsibility. At a high level, Verified handles security of the applications themselves, the systems they run on, and the environments those systems are hosted in. We ensure these systems and environments are compliant with relevant standards.

You – our customers – manage the information within your accounts, manage the users accessing your accounts and related credentials, and control which apps you install and trust. You ensure your business is meeting its compliance obligations in using our systems.

The decisions you make about how you set up our products have a significant influence on the way security is implemented. Key decisions are:

Granting access. Our products are designed to enable collaboration. Collaboration requires access. But you do need to be careful about granting permissions to access your data to other users, and to apps.

Understanding the classification of the data that goes into the system, and ensuring that users who have access to the system are authorized to access that data, are key considerations in this context. Where applicable, using role-based authentication will make it easy to align with access restrictions that may need to be imposed to comply with data classification and handling requirements.

Encouraging users to practice good password hygiene will also help prevent threats such as password guessing, and malicious parties reusing leaked credentials, from materializing.