
How Veriff keeps your data safe

Veriff is in the privileged position of handling vast amounts of private and personal data of individuals every day. This is not something we take lightly, and as trust is our business we want to be transparent about our security practices around how we keep your personal information safe at all times.

Author
Aleksander Tsuiman
Head of Regulatory Compliance
April 17, 2024

Verifying that an individual is who they say they are in the virtual world is a top priority for many businesses. Making the Internet a safer place for everyone is also the core reason Veriff was founded. To achieve this, we must prevent identity fraud by reducing anonymity and fostering greater trust in all online interactions. However, fraud is common in today’s online world. For example, a 2023 report by Juniper Research estimated that losses from online payment fraud will exceed $362 billion globally over the next 5 years. According to the Federal Trade Commission (FTC), reports of identity theft doubled in 2020 compared to 2019, highlighting the heightened risk in the digital space. Identity theft connected with credit cards tops the list of identity theft types reported in 2023. The FTC received 416,582 reports from individuals who said their information was misused with an existing credit card or when applying for a new credit card.

Veriff has also continuously published its own fraud reports. Veriff’s Fraud Index 2024 and its accompanying survey highlight that 47.8% of the respondents encountered fraudulent or suspicious activity in the 12 months to March 2024.

Veriff is committed to building trust online, so it is especially crucial for individuals to be able to trust an identity verification company like Veriff with their data.

However, sharing your personal data online, such as your identification document, can raise some doubts. Identity verification should be a pathway to a safer space online and not a barrier, so it’s essential that the online verification process is simple and transparent. It is also Veriff's job to ensure compliance with data security and protection requirements. To add further transparency, in this blog post we’ll outline some of the ways we make sure your data is always safe.

Veriff is dedicated to complying with the highest standard of privacy and data protection laws, such as the European Union’s General Data Protection Regulation (GDPR). Compliance with laws is always backed by Veriff’s core priority, which is to ensure the security of its service. At the heart of Veriff’s compliance are organizational and technical measures that ensure secure data processing. Here are some examples of key elements to understand about personal data processing and the best practices followed by Veriff.

1. Processing of personal data

Your rights. Veriff recognizes each and every individual going through its verification flow as a data subject. The data subject is always at the center of Veriff’s service. You, as the data subject, are entitled to specific information and to exercise your data privacy rights. That is why Veriff makes it clear in its Privacy Notice that Veriff provides its verification services to other companies: Veriff collects your data via its verification service only if you have been directed there by a business customer of Veriff. Veriff’s customer, the company asking you to verify your identity, is the one who decides how and for which purposes Veriff processes your data. This also means that they must tell you how they and Veriff process your data and make sure you can exercise your rights along the way.

Veriff’s services process personal data. The EU’s General Data Protection Regulation (known as GDPR) defines personal data as any information about an individual who can be identified, directly or indirectly, by name, ID number, or other factors relating to an individual's physical, physiological, genetic, mental, economic, cultural or social identity. The data collected by Veriff for your identification is personal data and Veriff’s customers must ensure that they have a valid legal basis for allowing Veriff to use the data for its services.

Veriff’s services may process sensitive personal data. Sensitive data is a subcategory of personal data. There are different definitions of “sensitive data” in different countries. However, it is generally centered around data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data (for the purpose of uniquely identifying a person), health data, or data concerning a person’s sex life or sexual orientation. As a part of its service, Veriff may process your sensitive data. For example, Veriff’s services can process information about your face amounting to biometric data. This is important to note because, depending on why our customers are using our services, they might need to follow heightened legal requirements. Although the requirements around biometrics processing are stringent, biometrics can provide a strong security layer against bad actors while also minimizing the amount of data processed.

Oversight by authorities. Compliance with data privacy laws across the world is under heightened scrutiny by the local data protection authorities. Veriff is also supervised by local data protection authorities and ensures full cooperation with the authorities from different EU Member States and beyond.

2. Risk assessments and a dedicated team

Veriff’s dedicated privacy and compliance team, together with our data protection officer, consistently conducts data protection impact assessments. These assessments not only fulfill legal requirements but also allow Veriff to proactively identify and address the risks related to our products and services. By leveraging our in-house legal competence and taking proactive measures, Veriff ensures the highest level of data security to uphold our commitment to safeguarding your privacy.

3. No selling or unauthorised sharing of end user data

As stated in Veriff's Privacy Notice, we’ll disclose your personal data to the customer who has authorized us to provide you with the identity verification service. Additionally, as an integral part of the identity verification service, your personal data may be disclosed to our carefully chosen sub-processors. These are service providers that help us with different data processing and data storage services and are essential to providing our identity verification service. Internally, any access to data is granted on a need-to-know and least-privilege basis. This means that our employees are only granted the information and access rights strictly necessary for their specific tasks. This ensures your data is always kept safe with no unauthorized access.

4. Fixed data storage periods

The term for keeping your data is fixed in internal policies and customer agreements. Veriff never keeps data indefinitely. For example, as a standard, personal data which is processed on behalf of our customers is stored for no longer than 3 years. However, in the context of identity verification services, this may differ depending on the customer's instructions. That is why the company that asked for your identity verification is the one that can tell you exactly how long your data is stored and used for identity verification.

5. Encryption at rest and in-transit

At Veriff, data is encrypted both at rest and in transit. Encryption is the process of converting data into an unreadable format, making it inaccessible to anyone who does not have the decryption key. Encryption enables secure and confidential end-to-end protection of the data by protecting its content.

Data in transit is encrypted using Transport Layer Security (TLS) 1.2 or a newer version. TLS is the protocol that allows digital devices (such as computers and phones) to communicate over the internet securely, without the transmission being exposed to outside parties. Data at rest is encrypted using the Advanced Encryption Standard (AES-256). AES is a symmetric key cipher, meaning that the same key is used for both encryption and decryption of the data.

In addition, all internal applications hosted by Veriff and used to manage personal data are also routed through a VPN as an extra measure to reduce the attack surface and to provide an additional protection layer on top of standard TLS.

6. Security by design and by default

Veriff has acquired and for years upheld the SOC 2 Type 2 compliance certification. It confirms that Veriff’s systems are designed to keep its customers’ data secure. When it comes to working with an identity verification service provider, such reliability is absolutely crucial because we are well aware that personal data breaches and leaks might have life-altering consequences.

Veriff has also been awarded certification against the ISO/IEC 27001:2022 standard, an internationally recognized information security standard published by the International Organization for Standardization (ISO). Veriff is also certified against the UK’s Cyber Essentials scheme, which is designed to help protect organizations against a whole range of the most common cyber attacks. You can learn more about Cyber Essentials from the UK’s National Cyber Security Centre’s webpage.

These security measures are just some examples of what is in place at Veriff. We take all necessary precautions to give you peace of mind when using our identity verification service. We always follow the relevant updates and implement additional measures to ensure compliance.

7. Where can you read more?

We are always excited to hear your feedback, opinions, and ideas. You can find ways to contact us in our Privacy Notice.

You can learn more about our security practices from the Security and Compliance page and from Veriff’s Trust Center.
