Privacy Policy

Effective date: 29 March 2026

The previous version was effective from 12 October 2025.


1. Overview

Veraproof Pty Ltd ("Veraproof", "we", "us", or "our") provides secure identity and provisioning services through two Software-as-a-Service (SaaS) products:

  • Scimify
  • Challenge

This Privacy Policy explains how Veraproof collects, uses, stores, and protects your information when you use these products.


2. Information We Collect and Process

a. Scimify

When using Scimify, we process and store the following information:

  • User profiles: Full name and email address (for provisioning users and group members).
  • Group names: Used for group provisioning.
  • API tokens: Application-specific integration tokens required to sync users and groups between your Identity Provider (IdP) and target SaaS applications. Tokens are stored with least-privilege architecture and encryption at rest.

b. Challenge

When using Challenge, we process and store:

  • IdP user profiles: Full name and email address.
  • Slack user profile information.
  • Slack API token – used for verification workflows and integrations.
  • Device fingerprinting metadata, public IP addresses, and geolocation data – collected for security and fraud prevention purposes during verification workflows.

c. Common Practices

  • We do not store user passwords.
  • Authentication is performed via federated logins (Slack, GitHub, Google) or via OIDC SSO connected to your organisation's IdP.
  • We log metadata necessary for operational security (IP addresses, timestamps, and API usage metrics).

3. How We Use the Information

We use your information to:

  • Provide, operate, and improve Scimify and Challenge services.
  • Provision, synchronise, and verify user and group data between systems.
  • Communicate about service incidents, security updates, or subscription matters.
  • Provide optional product updates and new feature announcements (you may opt out at any time).
  • Comply with applicable laws, security obligations, and audit requirements.

We never sell or rent customer data.


4. Controller and processor roles, legal bases, and international transfers (EEA, UK, and similar laws)

This section summarises how we approach the EU General Data Protection Regulation (GDPR), the UK GDPR, and similar laws. It is additional to the rest of this policy and does not limit your rights under Australian privacy law where those apply.

Who is the controller?

Where your organisation subscribes to Scimify or Challenge and your users’ data is processed to deliver the service, your organisation is typically the controller of that end-user personal data, and Veraproof acts as a processor on your instructions (including the way you configure integrations, SCIM, and Challenge). Where you use the services as an individual consumer or sole trader, or where Veraproof determines the purposes of processing for account and relationship data, Veraproof may act as controller for that data. The Privacy Policy and (where applicable) section 6 of our Terms of Service (Article 28 GDPR and UK GDPR) or a separate data processing agreement describe processing in more detail.

Legal bases for processing (Article 6 GDPR)

We rely on the following legal bases under the GDPR and UK GDPR, as appropriate:

  • Contract – to provide Scimify and Challenge, authenticate users, run integrations you configure, manage billing, and communicate about the service.
  • Legitimate interests – to secure our services, prevent fraud and abuse, protect users, maintain reliability (including logging and monitoring described in this policy), and deliver identity verification in Challenge (including device-related metadata, IP address, and approximate geolocation where described in section 2), where those interests are not overridden by your rights.
  • Legal obligation – where we must process data to comply with applicable law.
  • Consent – where we specifically rely on consent (for example for non-essential marketing communications). Where consent applies, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

We do not use profiling or solely automated decision-making within the meaning of Article 22 GDPR to evaluate individuals in ways that produce legal or similarly significant effects. We do use automated processes for ordinary service operation: for example, account access may be restricted when Stripe indicates failed payment after applicable retry and grace periods, and IP addresses may be blocked at our edge or WAF when abuse is suspected. Contact [email protected] if you need to dispute account status.

International transfers

Personal data you store with us for Scimify and Challenge is primarily hosted in Australia (see section 5). Cross-border transfers of personal data outside Australia in connection with your use of the products most often arise because you configure integrations, workspaces, identity providers, or third-party SaaS tenants that are operated from or hosted outside Australia (for example a Slack workspace, GitHub organisation, or a downstream application you provision to in another region). We process personal data in those cases to deliver the features and integrations you have enabled.

Additionally, the sub-processors listed in section 7 (for example for federated sign-in, payments, CDN, bot protection, and APIs) may process personal data in the United States and other countries where they operate, as necessary to provide those functions. Where the GDPR or UK GDPR requires safeguards for transfers to such countries, we implement appropriate safeguards, including the European Commission’s standard contractual clauses (SCCs) and, where applicable, the UK International Data Transfer Addendum, through our agreements with those providers (and in our Terms of Service or a separate DPA where we provide one). In practice, we subscribe to these services under each provider’s current data processing or online terms, which typically incorporate SCCs or equivalent transfer mechanisms for restricted transfers.


5. Data Storage and Security

  • Production services run in AWS in the Asia Pacific (Sydney) ap-southeast-2 region. Veraproof may also use Veraproof-controlled infrastructure (for example, encrypted off-site backup storage at our premises in Australia).
  • We follow security industry best practices and align with SOC 1 controls.
  • Data in transit uses TLS (1.2+). At rest, AWS EBS volumes for our production environment are encrypted; the database runs on that infrastructure, and sensitive integration credentials stored in the database are protected with application-level encryption where we store them in encrypted form.
  • Access to production systems is restricted by least-privilege principles and reviewed periodically.
  • Administrative access is protected by phishing-resistant biometric multi-factor authentication (MFA).

6. Data Retention and Deletion

We retain customer data until the customer requests deletion or terminates their subscription.

Upon request or termination, we will permanently delete customer data from all systems (including backups) within a reasonable period.

Customers may request deletion or export of their data by contacting us at [email protected] or via the shared Slack support channel.


7. Sharing and Disclosure

We may share limited information with:

  • Service providers (e.g., AWS, Cloudflare, Stripe, Slack API) strictly as needed to deliver our services.
  • Legal authorities only if required by applicable law or valid legal process.
  • Enterprise partners under written agreements that include confidentiality and data-protection obligations.

Sub-processors

Where we engage third parties to process personal data on our behalf in connection with Scimify and Challenge, we impose appropriate contractual and security obligations. The following sub-processors are used to provide the services described in this policy:

Each entry lists the sub-processor, its purpose, and a summary of the processing location.

  • Amazon Web Services, Inc.
    Purpose: Cloud hosting, storage, and related infrastructure for production services.
    Processing location: Australia (Asia Pacific, Sydney, ap-southeast-2) for current production workloads.

  • Cloudflare, Inc.
    Purpose: CDN, DNS, DDoS protection, secure connectivity, Turnstile (bot protection on selected flows), and Cloudflare Web Analytics on web properties.
    Processing location: Global edge network; see Cloudflare documentation for regional detail.

  • Stripe, Inc. and/or Stripe Payments Australia Pty Ltd
    Purpose: Payment processing, invoicing, and subscription billing (the contracting Stripe entity depends on your account and region).
    Processing location: As described in Stripe’s data processing terms and regional documentation.

  • Google LLC
    Purpose: Federated customer login: OAuth sign-in and user profile information when you choose to sign in with Google to create or access your Veraproof account.
    Processing location: United States and other regions as described in Google’s documentation.

  • GitHub, Inc.
    Purpose: Federated customer login: OAuth sign-in and user profile information when you choose to sign in with GitHub to create or access your Veraproof account.
    Customer-configured integrations: When you connect your GitHub organisation or credentials, we use GitHub APIs to deliver Scimify provisioning and related features for that connection.
    Processing location: United States and other regions as described in GitHub’s documentation.

  • Slack Technologies, LLC (Salesforce, Inc.)
    Purpose: Federated customer login: OAuth sign-in and user profile information when you choose to sign in with Slack to create or access your Veraproof account.
    Customer-configured integrations: When you connect your Slack workspace (tokens and settings you authorise), we use Slack APIs to deliver Challenge and related product features against that workspace. Processing location follows Slack’s infrastructure for those API calls.
    Processing location: United States and other regions as described in Slack’s documentation.

Enterprise SSO (OIDC): When you sign in using your organisation’s identity provider (for example Okta or Microsoft Entra) via OIDC, authentication is handled under your organisation’s relationship with that provider. We do not list your employer’s IdP vendor in the table as our sub-processor in the same way as the named OAuth providers above.

Customer-configured integrations (general): For integrations you set up into your own third-party accounts (for example Slack, GitHub, or other apps Scimify or Challenge support), you instruct us to exchange data with those services to provide the integration. Additional sub-processors apply when you enable a specific integration (for example the vendor that hosts that application); the current integration options are described on our product pages (Scimify, Challenge), which we update as offerings change. We list core platform providers in the table above; integration-specific vendors are engaged when you connect them. Your agreement with that third party (for example your Slack workspace or GitHub organisation terms) also applies to your use of their product, and you control which workspace or account you connect.

Email: The products do not send automated transactional email through a third-party email delivery provider. Messages we send to customers may use Veraproof’s corporate email systems.

Monitoring and backups: Centralised logging and infrastructure monitoring are operated on self-hosted systems under our control (not listed as separate sub-processors). Encrypted database backups may be stored on Veraproof-controlled on-premises infrastructure in Australia in addition to AWS; that storage is not a third-party sub-processor.

We may update this sub-processor list from time to time. We will publish the current list on this page and, where required by law or contract, notify customers of material changes. Last updated: 29 March 2026.

Data Processing Agreement (DPA): Processor obligations for customers who are controllers under the GDPR or UK GDPR are incorporated in section 6 of our Terms of Service. Enterprise customers may also request a separate DPA (including this sub-processor schedule or an equivalent annex) by contacting [email protected].

We do not disclose customer data for marketing or advertising purposes.


8. Your Rights

Depending on your jurisdiction (including Australia, the EU, and UK), you may have rights to:

  • Access and receive a copy of your personal data.
  • Correct inaccurate personal data.
  • Request deletion ("right to be forgotten") where applicable.
  • Request restriction of certain processing or object to processing based on legitimate interests, where the law allows.
  • Data portability – where processing is based on contract or consent and is carried out by automated means, you may have the right to receive your personal data in a structured, commonly used format.
  • Withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
  • Lodge a complaint with a supervisory authority. In Australia you may contact the Office of the Australian Information Commissioner (OAIC). In the EEA, you may contact your local authority (see the EDPB list of members). In the UK, you may contact the Information Commissioner’s Office (ICO).

To exercise these rights, contact [email protected]. If you are an end user of an organisation customer, we may need to coordinate with that organisation where they are the controller.


9. Communications

We primarily communicate via email or shared Slack channels established with customers.

Customers may opt out of non-essential product update emails using the unsubscribe link in each message or by contacting us.


10. Updates to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website at https://veraproof.io/privacy/.

If changes materially affect your rights, we'll notify you via email or in-app notice.


11. Contact

Veraproof Pty Ltd

Victoria, Australia

Email: [email protected]

Slack: Shared support channel (for participating enterprise customers)