The essential ways Veriff strengthens its compliance

The immense value of online services, including online verification, was highlighted during the COVID-19 pandemic. However, the risks associated with these online services must not be taken lightly. In the course of verifying someone’s identity online, companies unveil a range of personal identifiable information (PII) that requires special attention and appropriate protection. That’s why it’s crucial that proper compliance mechanisms are established. 

In this article, I’ll outline the mechanisms in place which show that Veriff goes the extra mile to ensure its compliance systems are the strongest around.

The immense value of online services, including online verification, was highlighted during the COVID-19 pandemic. However, the risks associated with these online services must not be taken lightly. In the course of verifying someone’s identity online, companies unveil a range of personal identifiable information (PII) that requires special attention and appropriate protection. That’s why it’s crucial that proper compliance mechanisms are established.

In this article, I’ll outline the mechanisms in place which show that Veriff goes the extra mile to ensure its compliance systems are the strongest around. You can learn more about Veriff’s security practices by visiting our Security and Compliance page.

ISO 27001

ISO/IEC 27001:2013 is an international standard which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. 

Veriff is certified for compliance with the ISO/IEC 27001:2013 standard. The certification also extends to the additional controls defined within the ISO/IEC 27017:2015 (security for cloud services) and ISO/IEC 27018:2019 (protection PII in cloud services) standards.

Systems and Organisation Controls 2 Type 2

SOC as an abbreviation stands for Systems and Organisation Controls. SOC 2 is an auditing procedure performed by an external auditor that ensures that service providers securely manage both their data and the privacy of their end-users. It’s worth mentioning that following SOC 2 is not obligatory. However, many SaaS service providers want to prove that they are properly protecting data and information systems. It is also common practice for clients to request  SOC 2 reports from potential partners. Therefore, for security-conscious businesses, SOC 2 compliance is a minimal requirement when considering using a SaaS provider. 

It's important to make the distinction between the different types of SOC 2. SOC 2 Type 1 describes the systems of a company and determines whether it is capable of meeting relevant information security principles on a specified date. Veriff has passed this stage and it was confirmed that the existing controls are adequate for addressing security concerns.

SOC 2 Type 2, on the other hand, details the operational effectiveness of said systems throughout a disclosed period of time. Being compliant with it gives a higher level of assurance compared to SOC 2 Type 1. SOC 2 Type 2 certification approves that Veriff’s systems are designed to keep its clients’ sensitive data secure. When it comes to working with an identity verification service provider, such reliability is absolutely crucial. Currently, Veriff has already acquired SOC 2 Type 2 compliance certification.

General Data Protection Regulation

As Veriff provides clients with identity verification services, processing personal data is one of the core functions of Veriff’s operation. The General Data Protection Regulation (GDPR) is considered to have created the highest standards for personal data protection. But the GDPR does not stand alone, there are several other data protection laws around the world setting the same high standard for processing personal data. 

In regards to Veriff’s GDPR compliance level, it’s worth mentioning that an external independent audit regarding GDPR compliance demonstrated a high level of data protection compliance at Veriff. Veriff is dedicated to ensuring we consistently offer the highest level of data protection by having the necessary measures in place. Veriff takes the necessary physical, technical, and organisational measures to secure the personal data that is being processed. 

Veriff has a full time Data Protection Officer (DPO). This role is to help to comply with data protection principles and avoid the risks associated with processing personal data.  Our DPO is tasked with monitoring compliance with the GDPR and our data protection policies, auditing, and providing advice whenever data protection questions arise. To ensure the highest level of data protection compliance in Veriff, our DPO provides tailored data protection trainings based on  the specific needs of every division at Veriff. The advice on what to pay attention to in regards to being GDPR compliant can be read in our DPO’s blog on personal data protection. 

California Consumer Privacy Act and California Privacy Rights Act

CCPA stands for the California Consumer Privacy Act which has been amended by the CPRA - the California Privacy Rights Act. Both acts protect the residents of California. Like GDPR, CCPA/CPRA also aim to give consumers greater control over their data. Even though the details differ, many principles are the same. So companies that have prepared for GDPR compliance are well on their way to CCPA/CPRA compliance.  

Veriff has a CCPA/CPRA compliance framework in place. Our Privacy Policy is the backbone of this framework. One section of the Policy describes the information potentially collected about end users. Another section gives end users contact information allowing them to instruct Veriff regarding their Data Subject Rights as required by CCPA/CPRA. We have also implemented a Do Not Sell or Share My Personal Information page for easy control over website visitors’ privacy choices.

Veriff’s business practices contribute to compliance with GDPR, CCPA and CPRA. Most importantly, Veriff’s data management practices permit the company to apply all the necessary best practices to allow full control and implementation of data protection measures required by law, such as the GDPR, CCPA and CPRA. 

Other US Privacy Laws

As the world becomes increasingly digital, data privacy has become a major concern for both individuals and businesses alike. In response to this, several new privacy laws have been introduced in various states of the US in addition to the CCPA/CPRA, many of which either already have or soon will come into force during 2023 (VCDPA went into effect on January 1, 2023; CPA and CTDOA go into effect on July 1, 2023 and UCPA goes into effect on December 31, 2023). Veriff is well prepared to meet and surpass current and future data protection requirements imposed by these and any upcoming laws. 

With the right compliance framework in place, Veriff can ensure that we are meeting the requirements of the new laws and protecting the personal data of all data subjects. Our privacy framework provides a structured approach and the upcoming laws are a great opportunity to demonstrate our commitment to protecting end-user personal data. Veriff’s purpose is not only to comply with the applicable laws but to also build trust with our clients and provide visibility into our data processing practices.

Web Content Accessibility Guidelines

WCAG stands for Web Content Accessibility Guidelines. These guidelines are developed through the W3C process in cooperation with individuals and organisations around the world. The goal is providing a single shared standard for web content accessibility, for people with disabilities, that meets the needs of individuals, organisations, and governments internationally.

WCAG 2.0 and WCAG 2.1 are technical standards. They consist of 12-13 guidelines. For each guideline, there are testable success criteria which are at three levels: A, AA, and AAA. Veriff is compliant with WCAG version 2.0, level AA.

WCAG guidelines explain how to make web content more accessible to people with disabilities. On the other hand, meeting the requirements of WCAG shows that besides compliance, Veriff considers the inclusion of people with disabilities during our product development process. For further details, you can check Veriff’s blog on accessibility features.

Policies

Policies define the framework of actions and behaviors that are needed in order to execute the tasks by employees lawfully, consistently and effectively. It also helps companies mitigate risks in a consistent and proactive manner before a crisis arises, or in the case of an incident, follow mechanisms and procedures on how to tackle incidents and other (potentially) recurring situations.

At Veriff, our internal compliance functions are responsible for ensuring that relevant policies are in place, acknowledged with employee signatures, effectively executed and followed.

In conclusion, Veriff has various systems in place that ensure the information security of the data of our customers and end-users. Veriff always strives for the highest industry standards and is constantly working towards having the most advanced compliance mechanisms in our industry. If security is a top concern for you or your business when going digital, we hope you’ll consider choosing Veriff as your service provider. In case of any questions, don’t hesitate to contact us.