Trust center

How we secure your data, who we work with, and how we prove it.

Certifications and attestations

SOC 2 Type II

Annual audit by Schellman & Co. Report available under NDA — request via security@verifypg.com.

ISO/IEC 27001:2022

Certified Information Security Management System. Surveillance audits semi-annually.

GDPR & UK GDPR

EU representative engaged. Standard Contractual Clauses signed with every customer.

HIPAA ready

Business Associate Agreement available on Enterprise plans for covered entities and business associates.

PCI-DSS scope reduction

Cardholder data tokenized at the edge; VerifyPage does not store PANs.

CCPA & state privacy laws

Aligned with CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA. Data subject requests serviced within 30 days.

Encryption

At rest

All customer data is encrypted at rest with AES-256-GCM. Object storage uses envelope encryption: each file is encrypted with a unique data encryption key (DEK), and DEKs are wrapped by a customer-bound key encryption key (KEK) managed in AWS KMS. Enterprise customers can supply their own KEK (BYOK) or run customer-managed keys (CMK) from their own KMS.

In transit

TLS 1.2 minimum, TLS 1.3 preferred. Forward-secret ciphers only. HSTS enforced with 1-year max-age and includeSubDomains. We are listed on the HSTS preload list. Internal service-to-service traffic uses mutual TLS with short-lived SPIFFE certificates.

End-to-end (optional)

For high-sensitivity documents, customers can enable end-to-end encryption. Files are encrypted in the recipient's browser using a per-document key derived from a recipient-held passphrase or hardware key. VerifyPage never sees plaintext or the derivation material.

Key management

KEKs rotate annually. Per-customer master keys are isolated by tenant. Key access requires a hardware-backed MFA challenge from on-call SREs; access events stream to an immutable audit log reviewed weekly.

Sub-processors

VerifyPage engages the following sub-processors. We notify customers 30 days before adding or removing a sub-processor.

Amazon Web Services

Primary infrastructure. Regions: us-east-2, eu-west-1, ap-southeast-2.

Cloudflare

Edge network, WAF, DDoS mitigation. Workers for in-region routing.

Stripe

Billing and payment processing. No cardholder data stored in VerifyPage.

Postmark

Transactional email delivery (signup, password reset, notifications).

Twilio

SMS verification codes for recipient identity challenges.

Datadog

Application performance and security event monitoring. Customer data is masked.

Vulnerability disclosure

We welcome security research. If you believe you have found a security issue, please email security@verifypg.com with a description and reproduction steps. PGP key available below.

Scope

  • verifypg.com and all subdomains
  • The VerifyPage web application and mobile apps
  • Our public API at api.verifypg.com

Out of scope

  • Social engineering of VerifyPage employees, customers, or vendors
  • Physical attacks against our offices or infrastructure
  • Denial-of-service testing
  • Issues in third-party services we use (please report to them directly)

Safe harbor

We will not pursue legal action against researchers who comply with this policy in good faith. We aim to acknowledge reports within 24 hours and triage within 5 business days. Critical issues are credited in our security advisories with researcher permission.

Recent advisories

  • VSA-2026-003 — CSRF on workspace settings (medium) — patched 2026-02-14
  • VSA-2026-002 — Stored XSS in document comments (high) — patched 2026-01-22
  • VSA-2025-019 — SSRF in webhook validator (high) — patched 2025-11-08

Operational practices

Penetration testing

Annual external pentest by NCC Group and quarterly continuous testing by HackerOne pentesters. Reports available under NDA.

Background checks

All employees with production access pass criminal background checks and sign confidentiality agreements before onboarding.

Access reviews

Production access reviewed quarterly. Just-in-time (JIT) elevation required for any data-plane operation. All access logged and reviewed by Security.

Incident response

24/7 on-call SREs with security training. P1 response within 15 minutes; customer notification within 72 hours for confirmed data incidents.

Business continuity

RPO of 15 minutes, RTO of 4 hours for the primary region. Cross-region failover tested quarterly.

Security training

Mandatory annual security awareness, plus role-specific training for engineering, customer support, and finance. Phishing simulations monthly.

Questions or audits?

Security and compliance teams: we make the diligence process painless.

Email security@verifypg.com