Trust Center

We empower 2,000+ organizations in Europe to provide outstanding business services; earning and keeping your trust is at the heart of this effort.

The Verified Trust Center connects you to the latest information on the security, reliability, privacy, and compliance of our products and services.

Security

We believe all businesses have potential to do amazing things. Our mission is to unleash the potential in every business of every size and industry, and in turn, help advance these businesses through the power of software.

We know that your mission is as important to you as our mission is to us, and information is at the heart of all our businesses and lives. This is why customer trust is at the center of what we do and why security is our top priority. We’re transparent with our security program so you can feel informed and safe using our products and services.

The information on this page applies to Verified core services, Smart Flows and APIs unless otherwise noted.

Data encryption

We protect your data in transit with TLS v1.3 and also support TLS v1.2 where needed. We encrypt your data at rest with AES-256.

Cloud product security

Security is built into the fabric of our cloud products. We employ numerous controls to safeguard your data including encryption in transit and at rest across our cloud services, external vulnerability research such as our continuous penetration test program, and more.

Security operations and best practices

Our dedicated security team approaches security holistically with a common controls framework. Security threats are prevented using our Verified Trust Management System (VTMS), secure software development practices, and industry-accepted operational practices.

Platform and network security

We perform rigorous security testing including threat modeling, automated scanning, and third-party audits. If an incident occurs, we resolve the issue quickly using our security incident response practices, which follow the ITIL framework, and keep you informed with real-time system status on status.verified.eu.

Availability and continuity

We maintain high levels of availability with multiple redundant AWS data centers in Sweden and robust Disaster Recovery and Business Continuity programs.

Key security offerings

  • Data encryption in transit
  • Data encryption at rest
  • SSO with multiple authentication schemes (OIDC and SAML)

Architecture

Security is front of mind when designing our applications and business processes. Verified’s Cloud security architecture is designed with consideration of a broad range of industry standards and frameworks and in tandem with our internal threat modeling process. It is designed to balance the need for flexibility with the need for effective controls to ensure confidentiality, integrity, and availability of our customers' data.

Applications

Development security, data security & information lifecycle management.

Security

Encryption, threat and vulnerability management, security incident management

Infrastructure

Asset management, access control, operations, communications security

Data Center & Offices

Physical and environmental security.

Verified uses the industry-leading cloud provider AWS, which has relevant physical security controls in place, validated by external assessments such as SOC 1/ISAE 3402, SOC 2 and SOC 3.

Corporate

Security governance, organization of security, personnel security, supplier & third-party data management, mobile security, business continuity, audit/compliance, data privacy.

Network

We practice a layered approach to network access, with controls at each layer of the stack.

We control access to our sensitive networks through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking. All connectivity is encrypted by default.

Staff connectivity requires device certificates, multi-factor authentication, and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.

We have also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.

The Verified platform

Threat modeling is used to ensure that we are designing in the right controls for the threats we face.

During the product planning and design phase, we use threat modeling to understand the specific security risks associated with a product or feature. Generally speaking, threat modeling is a brainstorm session between engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development.

We use the STRIDE Threat Model framework. STRIDE is an acronym for a common set of security concerns: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. By applying threat modeling early and often in the design process, we can ensure that relevant security configuration and controls are designed to mitigate threats specific to each product or feature we develop.
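The threat modeling step above (identify the STRIDE threats relevant to each data flow, check them against the planned controls, prioritise the gaps for design review) can be written down as a small check. This is an added example, not Verified's process or tooling: the flow attributes, the control names and the mapping from each control to the STRIDE categories it is credited with are hypothetical choices made for this illustration.

```python
"""STRIDE gap check per data flow.

Constructed example, not Verified's process or tooling: the flow attributes, the
control names and the control-to-STRIDE mapping below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

# Hypothetical control catalogue: which STRIDE categories each control mitigates.
CONTROL_COVERS: Dict[str, FrozenSet[str]] = {
    "tls": frozenset({"Tampering", "Information Disclosure"}),
    "mtls": frozenset({"Spoofing", "Tampering", "Information Disclosure"}),
    "signed_token": frozenset({"Spoofing"}),
    "audit_log": frozenset({"Repudiation"}),
    "rate_limit": frozenset({"Denial of Service"}),
    "authz_check": frozenset({"Elevation of Privilege"}),
    "encrypt_at_rest": frozenset({"Information Disclosure"}),
}


@dataclass(frozen=True)
class DataFlow:
    name: str
    crosses_trust_boundary: bool   # e.g. browser -> API, or API -> database zone
    carries_personal_data: bool
    internet_facing: bool
    controls: FrozenSet[str] = frozenset()


def applicable_threats(flow: DataFlow) -> List[str]:
    """STRIDE categories the flow's attributes make relevant, in canonical order."""
    relevant = {"Repudiation", "Elevation of Privilege"}  # any request path can be disputed or abused
    if flow.crosses_trust_boundary:
        relevant |= {"Spoofing", "Tampering"}
    if flow.carries_personal_data:
        relevant.add("Information Disclosure")
    if flow.internet_facing:
        relevant.add("Denial of Service")
    return [t for t in STRIDE if t in relevant]


def uncovered_threats(flow: DataFlow) -> List[str]:
    """Applicable threats that none of the flow's declared controls is credited with."""
    covered = set().union(*(CONTROL_COVERS.get(c, frozenset()) for c in flow.controls))
    return [t for t in applicable_threats(flow) if t not in covered]


def priority(flow: DataFlow) -> str:
    """Hypothetical prioritisation rule for feeding gaps into design review."""
    return "high" if flow.internet_facing or flow.carries_personal_data else "medium"


def gap_report(flows: Iterable[DataFlow]) -> List[Tuple[str, str, List[str]]]:
    """(flow name, priority, uncovered categories) for every flow with gaps, high first."""
    rows = []
    for f in flows:
        gaps = uncovered_threats(f)
        if gaps:
            rows.append((f.name, priority(f), gaps))
    return sorted(rows, key=lambda r: (r[1] != "high", r[0]))


# Constructed sample model of a small SaaS: three flows with their declared controls.
SAMPLE_FLOWS = [
    DataFlow("browser -> api", True, True, True,
             frozenset({"tls", "signed_token", "rate_limit", "authz_check", "audit_log"})),
    DataFlow("api -> database", True, True, False, frozenset({"tls", "encrypt_at_rest"})),
    DataFlow("metrics agent -> dashboard", False, False, False,
             frozenset({"authz_check", "audit_log"})),
]
```

Running `gap_report(SAMPLE_FLOWS)` flags only the database flow: TLS covers tampering and disclosure in transit, but nothing in the model authenticates the caller, records who read what, or enforces authorization on that path.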

Reliability

The users of Verified run their most important business operations on the service. Hence it is integral that Verified offers the highest degree of reliability, in combination with back-up plans for what happens when something stops working.

Verified’s Cloud Hosting Infrastructure

Our cloud infrastructure takes advantage of elastic scale, multi-level redundancy, and failure options across the Amazon Web Services Stockholm Region to reduce latency, maintain reliability, and scale with your organization’s needs.

Platform Performance

We continuously look for ways to improve product and platform performance by monitoring key performance metrics, such as load times, search responsiveness, and attachments.

Product and Data Safeguards

Your business demands uniform reliability and uptime. Our Business Continuity and Disaster Recovery programs ensure the impact on our customers is minimized in the event of a disruption to our operations. Should you need to recover your data, rest assured knowing our backup program automatically performs daily application and database backups for Verified cloud products.

Quality Controls

We are relentless when it comes to preventing possible points of failure. We implement controls at every point of development based on ISO 27002 and ISO 22301 standards and practices. We also utilize industry-verified quality control processes, such as chaos engineering, staging environments, and internal dogfooding, enabling us to proactively identify issues.

The criticality of our products will vary from customer to customer. From talking to our customers, we know that our products end up being part of key business processes. We run our business on our own product suite, so we understand the importance of reliability and recoverability.

Platform-wide Availability and Redundancy

We host all of our cloud applications with our cloud hosting partner AWS. AWS data centers have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on a separate front-end hardware node on which application data is stored.

We care about high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime.

Our resiliency practices are based on ISO 27001 and ISO 22301. Verified core services, Smart Flows and APIs are hosted with the industry-leading cloud hosting provider Amazon Web Services Stockholm Region, resulting in optimal performance with redundancy and failover options globally. We also maintain multiple availability zones across the European Union.

Backups

Application database backups for Verified happen on a daily automated basis. All snapshot and backup data is encrypted. Backup data is not stored offsite but is replicated to multiple data centers within AWS Sweden. We perform quarterly testing of our backups.

Business Continuity and Disaster Recovery

We have comprehensive, tested business continuity and disaster recovery plans.

We are determined to not #@!% our customers, and strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:

Governance

Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.

Oversight and maintenance

We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program. Site Reliability Engineers are committed to ongoing Disaster Recovery meetings and represent their critical services. They discuss identified DR gaps with the risk and compliance team and focus on the appropriate levels of remediation as necessary.

Testing

We conduct regular testing and strive for continual improvement as part of our DR lifecycle to ensure that your data, and your use of it, are highly available and performant.

Backup and restore procedures are in place and tested on a regular basis. This means that when data needs to be restored, we’re prepared to get you up and running with well-trained support staff and fully tested procedures.

In addition to assurance of resiliency through governance, oversight, and testing, Verified emphasizes continual improvement throughout the DR Program.

We publish our service availability status in real-time to ensure you can access your data when you want.

Product security

One of our industry’s challenges is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security. There are a range of security controls we implement to keep our products and your data safe.

Encryption in transit

All customer data stored within Verified cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.3 to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key lengths where supported by the browser.

Encryption at rest

Data drives on servers holding customer data and attachments in Verified use AES-256 encryption at rest. Data encryption at rest helps guard against unauthorized access and ensures that data can only be accessed by authorized roles and services with audited access to the encryption keys.

Encryption key management

Verified uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant Isolation on Verified Enterprise Version

Tenant isolation ensures that, even though customers are sharing a common IT infrastructure, they are logically segregated so that the actions of one tenant cannot compromise the data or service of another tenant.

This concept ensures that, in this shared environment:

  • Each customer’s data is kept logically segregated from other tenants when at-rest; and
  • Any requests that are processed by Verified have a “tenant-specific” view so other tenants are not impacted.
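The "tenant-specific view" described above means that every read and write is scoped to the tenant established at authentication, so another tenant's records are invisible rather than merely forbidden. The following is an added example of that pattern, not Verified's code: the record layout, identifiers and in-memory store are hypothetical stand-ins for a shared multi-tenant table, and the unscoped primary-key lookup is kept alongside to show the failure mode the scoping prevents.

```python
"""Tenant-scoped data access, illustrating the isolation property described above.

Constructed example, not Verified's code: the record layout, identifiers and
in-memory store are hypothetical stand-ins for a shared multi-tenant table.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RequestContext:
    """Filled in by the authentication layer, never copied from the client payload."""
    tenant_id: str
    user_id: str


@dataclass
class Document:
    doc_id: int
    tenant_id: str
    title: str


class TenantIsolationError(Exception):
    """A write tried to attach data to a tenant other than the caller's."""


class DocumentStore:
    """In-memory stand-in for one shared table holding every tenant's rows."""

    def __init__(self) -> None:
        self._rows: Dict[int, Document] = {}

    def insert(self, tenant_id: str, title: str) -> Document:
        doc = Document(len(self._rows) + 1, tenant_id, title)
        self._rows[doc.doc_id] = doc
        return doc

    def unscoped_get(self, doc_id: int) -> Optional[Document]:
        # Primary-key lookup with no tenant predicate: the classic cross-tenant bug.
        return self._rows.get(doc_id)

    def all_rows(self) -> List[Document]:
        return list(self._rows.values())


class TenantScopedRepository:
    """Every read and write is filtered by the tenant in the request context."""

    def __init__(self, store: DocumentStore, ctx: RequestContext) -> None:
        self._store = store
        self._ctx = ctx
        self.denied_attempts: List[str] = []  # detection signal for cross-tenant probes

    def get(self, doc_id: int) -> Optional[Document]:
        row = self._store.unscoped_get(doc_id)
        if row is None:
            return None
        if row.tenant_id != self._ctx.tenant_id:
            # Another tenant's row is reported exactly like a missing row, so the
            # response leaks nothing about its existence; the attempt is recorded.
            self.denied_attempts.append(
                f"user={self._ctx.user_id} tenant={self._ctx.tenant_id} doc={doc_id}")
            return None
        return row

    def list(self) -> List[Document]:
        return [r for r in self._store.all_rows() if r.tenant_id == self._ctx.tenant_id]

    def create(self, title: str, payload_tenant_id: Optional[str] = None) -> Document:
        # The tenant always comes from the authenticated context; a tenant id carried in
        # the client payload must agree, so a tampered request cannot write elsewhere.
        if payload_tenant_id is not None and payload_tenant_id != self._ctx.tenant_id:
            raise TenantIsolationError("payload tenant does not match authenticated tenant")
        return self._store.insert(self._ctx.tenant_id, title)


def build_demo_store() -> DocumentStore:
    """Two tenants sharing one table (constructed sample data)."""
    store = DocumentStore()
    for tenant, title in [("tenant-a", "Contract A-1"), ("tenant-b", "Contract B-1"),
                          ("tenant-a", "Contract A-2")]:
        store.insert(tenant, title)
    return store
```

The `denied_attempts` list stands in for an audit log entry: a burst of cross-tenant lookups from one user is the signal a security team would alert on.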

Product Security Testing

Our approach to vulnerability management for our products consists of internal and external security testing.

Internal Testing

This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.

In the testing phase, both our development and security engineering teams switch to an adversarial approach to attempt to break features using automated and manual testing techniques.

Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output.

Our security engineering team are subject matter experts, but it’s ultimately every developer in our company who is responsible for their own code.

External Testing

When a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.

Specialist security consultants are used to complete penetration tests.

Our approach to penetration testing is highly targeted and focused. Tests will generally be:

  • White box: Testers are provided design documentation and briefings from product engineers to support their testing
  • Threat-based: Testing focuses on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point

We do not make these reports or extracts available externally due to the extensive information made available to the testers in conducting these assessments.

Product Vulnerability Management

We take innovative approaches to building quality software.

We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely. We focus on fostering a “whole team” mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We are also actively working to empower and educate developers to test their own features to our quality standards.

While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process.

Operational practices

As much as securing our products is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of “building security in” is the same philosophy we use with our internal processes and influences how our business is conducted.

Access to Customer Data

Access to customer data stored within applications is restricted and only happens based on a service and support request initiated by our customers.

Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.

Within Verified, only authorized Verified employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected SSH keys, and the servers only accept incoming SSH connections from Verified locations. All access to data is logged to provide a complete audit trail.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Support Access

Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Our support teams will only access customer data when necessary to resolve an open ticket.

Training and Awareness

Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company.

Our awareness program is built on the premise that security is the responsibility of everyone. These responsibilities are extracted from our internal Security Policy Program, and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.

Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires.

Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide messages and blog posts. These generally address a topic that is relevant at that time, e.g. a newly discovered and published threat, and reinforce the importance of following security good practices.

Change Management

We have embraced open source style change management.

Traditional change management processes rely on a pyramid-style change control hierarchy: when someone wants to make a change, it has to be presented to a board that either approves or denies it. Our approach is different. Each change, whether going into our code or infrastructure, must be reviewed by one or more peers to identify any issues the change may cause. We increase the number of reviews based on the criticality of the change or product. We trust our development teams and engineers to identify security and performance issues, and to flag the change before we allow it to go through.

Employee Hiring

Verified as a company attracts and hires only the best and the brightest to work for us. During recruiting, we perform employment, visa, background, criminal records and financial checks. On acceptance of an offer, we ensure each new hire has an on-boarding plan and access to on-going training based on their role.

Customer Exit Procedure

If a contract between Verified and one of our customers using our cloud products ends, customer data will be removed from our cloud environment according to the timelines below.

Scenarios where customer contract can end include:

  • Missed payments: Where an existing customer misses a payment for their product subscription (whether monthly or annually);
  • Subscription cancellation: Where an existing customer cancels their subscription.

Missed payments

When a customer misses a payment or the payment cannot be made, they are unsubscribed from all products 30 days after the due date for the payment. Once this occurs, their data is retained in backup for 180 days, after which it is deleted. Customers can ensure their data is not deleted by rectifying any missed payments within 15 days. It is not possible to restore customer data after this timeline even if payment has been made.

Data retention and destruction

Your account and associated users will be deactivated when your subscription ends. Verified retains data for deactivated accounts after the end of your current subscription period for 180 days.

Your data cannot be recovered after it’s deleted. We strongly recommend creating a Verified data backup from the archive. This can be done manually or via the API.

Security processes

We acknowledge that there is always margin for error. We are proactive in detecting security issues, which allows us to address identified gaps as soon as possible to minimize the damage.

Security Incident Management

Our routines, speed and efficiency aim to keep any incident impact as low as possible, in the unlikely event of a security incident.

The security team at Verified aggregates logs from various sources in the hosting infrastructure and raises alerts from them. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through Verified Support.

In the event of a serious security incident, Verified has access to the expertise, internally and through external subject matter experts, to investigate incidents and mitigate them until closure. Our database of security incidents is cataloged against the ITIL Framework.

Vulnerability Management

We have an extensive vulnerability management program to ensure that we are actively seeking out weaknesses that may be present in our environment.

Apart from our product-specific vulnerability management practices, our security team performs on-going network vulnerability scans of both our internal and external infrastructure using an industry-leading vulnerability scanner.

We also use specialist security consulting firms to complete penetration tests on high-risk products and infrastructures. Internal processes are in place to review any reported vulnerabilities and act on them.

Compliance

We run our security program in compliance with a range of well-known industry standards. We appreciate that these attestations matter, as they provide independent assurance to our customers that we are on the right track.

Standard: ISO27001
Sponsor: International Organization for Standardisation
Status: Verified is currently in the process of getting ISO27001 certified. We are aiming to get the accreditation by Q2/2021.

ISO/IEC 27001 also leverages the comprehensive security controls detailed in ISO/IEC 27002. The basis of this certification is the development and implementation of a rigorous security management program, including the development and implementation of an Information Security Management System (ISMS). This widely-recognized and widely-respected international security standard specifies that companies that attain certification also:

Standard: BankID
Sponsor: BankID
Status: Verified is a compliant partner and issuer of BankID in Norway and Sweden. Merchants get their certificates issued through Verified. Verified adheres to the current requirements of BankID to keep this status/position. BankID meets the banks’ own high standards for Internet banking security.

We also perform comprehensive security audits, which are carried out at least annually.

Outputs arising from these audit and certification programs, coupled with our internal process outputs, such as vulnerability management, are all fed into a continuous improvement cycle which helps us keep sharpening the overall security program.

GDPR Compliance

We invest significant strategic resources in maintaining compliance with the GDPR and we also aim to help our customers comply with the processes and policies outlined. Where applicable, we institute appropriate international data transfer mechanisms by executing Standard Contractual Clauses through our updated Data Processing Agreements.

We are wholly invested in our customers' success and the protection of customer data. One way that we deliver on this promise is by helping Verified’s customers and users understand, and where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 25, 2018.

Verified does not store any of its customers’ data outside the EU/EEA region. The latest EU court ruling has validated Verified’s management decision to move all data processing activities into the EU/EEA region.

In case a customer has a specific need for international data transfer, we can support this need by executing Standard Contractual Clauses and our updated Data Processing Agreement.

We offer data portability and data management tools including:

Profile deletion tool: We help customers respond to user requests to delete personal information, such as names and email addresses, from a Verified account and we also help end users delete their personal information.

Import and export tools: Customers may access, import, and export their Customer Data using Verified’s tools.

We have ensured Verified staff that access and process Verified customer personal data have been trained in handling that data and are bound to maintain the confidentiality and security of that data.

We hold any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.

We have committed to carrying out data impact assessments and consulting with EU regulators where appropriate.

Privacy

We commit to meeting the highest bar for personal data privacy, and support your organization in meeting data privacy obligations around the world. We appreciate our customers’ concerns about privacy – and we understand that these concerns are probably the same concerns we ourselves have when using SaaS-based applications. So, fundamentally, we try to treat your personally identifiable and other sensitive data the same way we would want our service providers to treat our data.

Verified and its subsidiaries comply with the EU GDPR guidelines for the collection, use, and retention of personal information.

Our approach to privacy is laid out in detail in our Privacy Policy.

Shared Responsibility

In the cloud, the security of your data on our systems is a joint responsibility. At a high level, Verified handles security of the applications themselves, the systems they run on, and the environments those systems are hosted in. We ensure these systems and environments are compliant with relevant standards.

You – our customers – manage the information within your accounts, manage the users accessing your accounts and related credentials, and control which apps you install and trust. You ensure your business is meeting its compliance obligations in using our systems.

The decisions you make about how you set up our products have a significant influence on the way security is implemented. Key decisions are:

Granting access. Our products are designed to enable collaboration. Collaboration requires access. But you do need to be careful about granting permissions to access your data to other users, and to apps.

Understanding the classification of the data that goes into the system, and ensuring that users that have access to the system are authorized to access that data are key considerations in this context. Where applicable, using role-based authentication will make it easy to align with access restrictions that may need to be imposed to comply with data classification and handling requirements.

Encouraging users to practice good password hygiene will also help prevent threats such as password guessing and malicious parties reusing leaked credentials from materializing.