Trust & security

Trust & Security

This page summarizes how Veraproof protects customer data across Scimify and Challenge. For categories of data we process, see our Privacy Policy.

How we protect customer data

Snapshot of practices across hosting, encryption, access, and operations — aligned with common enterprise expectations.

Compliance posture

  • We align our security practices with SOC 1 control objectives and industry best practices, and design and operate controls using themes comparable to widely used frameworks (including SOC 2 and ISO 27001, for example access control, encryption, and logging).
  • We do not currently publish independent third-party attestations (such as SOC 2 Type II or ISO 27001 certification). We can support vendor security questionnaires and calls for customers who need additional detail.

Infrastructure & hosting

  • Production services are hosted in Amazon Web Services (AWS) in Australia (for example, the Sydney region), supporting data residency expectations for many Australian and regional customers.
  • Applications run in containerized environments on managed compute. Storage is encrypted using AWS KMS.
  • Edge and network protections (for example, DDoS mitigation and secure transport to our services) leverage industry-standard providers as described in our Privacy Policy.

Encryption

  • In transit: Customer connections to Veraproof services use TLS (modern versions).
  • At rest: Production storage uses encrypted AWS EBS (see Privacy Policy); sensitive integration credentials in the database use application-level encryption where stored in encrypted form.

Identity, authentication & access

  • End users sign in with federated identity (for example, Slack, GitHub, or Google) or your organisation’s OIDC SSO. We do not store user passwords.
  • Tenant isolation: Customer data and configuration are separated by tenant. Administrative APIs (including SCIM) require authenticated, scoped credentials.
  • RBAC: Customer tenant users can be assigned role-based access control so day-to-day administration follows least privilege inside the tenant.
  • Operational access to production is limited, authenticated, and protected with strong authentication (including phishing-resistant MFA for administrative accounts).

Application security

  • Browser sessions use modern web protections (including CSRF controls for interactive flows).
  • Edge traffic is protected with web application firewall (WAF) capabilities to help block common application-layer attacks.
  • Outbound integrations and discovery flows are designed to reduce common abuse classes (for example, unsafe URL fetching).
  • Changes are developed with signed commits and reviewed before release on a regular cadence.

Logging & monitoring

  • Application, container, and host logs are sent to a centralized logging stack with alerting for operational and security-relevant events.
  • Tenant audit logs are available to customers for review of activity within their tenant (for example, administrative and security-relevant actions), subject to product capabilities and retention described in our Privacy Policy.
  • Infrastructure health is monitored with standard network and systems monitoring tooling.

Backups & availability

  • Database backups run on a daily schedule. Copies are stored separately from primary production environments to support recovery.
  • We aim for high availability; like any cloud service, we do not guarantee uninterrupted operation. See our Terms of Service for service and support expectations.

Vulnerability management

  • We perform recurring dependency review and apply security patches on a regular cadence.
  • If you believe you have found a security vulnerability, contact us at [email protected] with a short description and reproduction steps where possible.

Privacy, subprocessors & data requests

  • Our Privacy Policy describes retention, deletion, international transfers, and subprocessors at a high level.
  • Data subject and customer deletion requests are handled in line with that policy, typically coordinated via [email protected].

Incidents

  • We investigate suspected security issues using our logging and monitoring capabilities and will communicate about confirmed incidents affecting customer data in line with our Privacy Policy and applicable law.
  • We do not publish a fixed contractual notification timeline for all customers; enterprise customers can discuss expectations as part of procurement.

Product-specific notes

  • Scimify: SCIM API access uses tenant-scoped bearer credentials. Integration secrets are protected using least-privilege patterns and encryption for stored credentials where applicable.
  • Challenge: Verification workflows may process device and network metadata for fraud prevention as described in the Privacy Policy.

Questions or procurement?

For security reviews, questionnaires, or vendor diligence, reach out to our team - we’re happy to go deeper than this overview.

Contact sales Report a vulnerability

Last updated: March 2026. We may update this page as our security program evolves; substantive changes will be reflected here.