At Verifacto, we take security and privacy seriously. Our approach is founded on several key principles and practices designed to protect our clients’ data and maintain the highest standards of security.
Principles of Security
- Access Control: Access is limited to only those with a legitimate business need, granted based on the principle of least privilege. This ensures that only authorized personnel have access to sensitive information.
- Defense-in-Depth: Security controls are implemented and layered according to the principle of defense-in-depth. This multi-layered approach ensures that even if one control fails, others will continue to protect the system.
- Consistent Application of Controls: Security controls are applied consistently across all areas of the enterprise to maintain uniform protection standards.
- Continuous Improvement: The implementation of controls is iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction. This ensures that our security measures evolve to meet new threats and challenges.
Data Protection
Data at Rest
Data at rest is encrypted even before it hits the database, ensuring that neither physical access nor logical access to the database is sufficient to read the most sensitive information. This extra layer of protection ensures the highest level of security for stored data.
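The property described above, that a copy of the database alone is not enough to read the sensitive column, is what application-layer field encryption provides. The following is an added illustration, not Verifacto's code, and it assumes a hypothetical `customers` table with an encrypted `ssn` column in an in-memory SQLite database. To stay self-contained it builds an encrypt-then-MAC scheme from the standard library (HMAC-SHA256 as a counter-mode PRF plus an HMAC tag); a production system would use a vetted AEAD such as AES-GCM and would load the key from a secrets manager rather than generating it in-process.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. In a real deployment the key lives outside the database
# (e.g. in a secrets manager), which is exactly why a DB dump alone is not enough.
DEMO_KEY = os.urandom(32)


def _subkeys(key):
    # Derive independent encryption and MAC keys from the master key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 used as a PRF (illustrative only;
    # use AES-GCM or another vetted AEAD in production).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key, plaintext):
    """Return nonce || ciphertext || tag for one sensitive field."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key, blob):
    """Verify the tag first, then decrypt; any modification of the stored blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def open_db():
    # Hypothetical schema: the sensitive column is stored as an opaque BLOB.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn BLOB)")
    return conn


def store_customer(conn, key, name, ssn):
    # Encryption happens in the application before the value reaches the database.
    cur = conn.execute(
        "INSERT INTO customers (name, ssn) VALUES (?, ?)",
        (name, encrypt_field(key, ssn.encode())),
    )
    return cur.lastrowid


def raw_ssn(conn, row_id):
    # What someone with only database access (or a disk image) would see.
    return conn.execute("SELECT ssn FROM customers WHERE id = ?", (row_id,)).fetchone()[0]


def load_ssn(conn, key, row_id):
    return decrypt_field(key, raw_ssn(conn, row_id)).decode()


def demo():
    """Returns (plaintext visible in DB?, value recovered with key, tampering detected?)."""
    conn = open_db()
    rid = store_customer(conn, DEMO_KEY, "Example Customer", "123-45-6789")  # constructed value
    stored = raw_ssn(conn, rid)
    dump_reveals_plaintext = b"123-45-6789" in stored
    recovered = load_ssn(conn, DEMO_KEY, rid)
    # Simulate an attacker with write access flipping one bit of the stored blob.
    tampered = stored[:-1] + bytes([stored[-1] ^ 0x01])
    conn.execute("UPDATE customers SET ssn = ? WHERE id = ?", (tampered, rid))
    try:
        load_ssn(conn, DEMO_KEY, rid)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return dump_reveals_plaintext, recovered, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three properties the page's statement depends on: the raw column never contains the plaintext, the application can recover it with the key, and a modified row is rejected rather than silently decrypted to garbage.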
Application Secrets
Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store. Access to these values is strictly limited, ensuring that sensitive information is protected from unauthorized access.
Penetration Testing
All areas of the Verifacto product and cloud infrastructure are in-scope for penetration testing assessments. Source code is fully available to the testers to maximize the effectiveness and coverage of these tests, ensuring comprehensive security evaluations.
Secure Remote Access
Verifacto secures remote access to internal resources using Tailscale, a modern VPN platform built on WireGuard. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet, ensuring secure and safe remote work environments.
Security Education
Verifacto provides comprehensive security training to all employees upon onboarding and annually through educational modules within our own platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles. New engineers also attend a mandatory live onboarding session focused on secure coding principles and practices. Our security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
Identity and Access Management
Verifacto employees are granted access to applications based on their role, and they are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application, ensuring strict access control.
Data Privacy
At Verifacto, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data. We are committed to maintaining the highest standards of privacy and protecting the data entrusted to us by our clients.