1. Our Security Commitment
Security is foundational to Verifox (verifox.ai). As an email intelligence platform handling B2B contact data and API keys at scale, we recognise that our security posture directly impacts our customers' security. We maintain a formal information security management programme aligned with industry best practices.
To report a security vulnerability, contact us immediately at support@verifox.ai. For non-urgent security inquiries, email support@verifox.ai. We do not accept vulnerability reports via social media or public issue trackers.
2. SOC 2 Type II
Verifox undergoes an annual SOC 2 Type II audit conducted by an AICPA-accredited independent auditor. Our audit covers the Trust Services Criteria for Security, Availability, and Confidentiality. The most recent SOC 2 Type II report is available to enterprise customers under NDA upon request at support@verifox.ai.
SOC 2 compliance means that our controls have been independently tested and verified over an extended observation period — not just a point-in-time snapshot. The audit covers access controls, change management, risk assessment, incident response, and vendor management.
3. Encryption
We apply encryption at multiple layers:
- Data in transit: All communications between your browser/app and our servers are encrypted using TLS 1.2 or TLS 1.3. We do not support SSL or TLS 1.0/1.1. Our TLS certificate chain uses SHA-256 or stronger.
- Data at rest: Databases and file storage are encrypted using AES-256. AWS RDS instances use AWS-managed encryption keys with annual rotation.
- API keys: API keys are stored as salted hashes. We display an API key only once, at the time of generation. We cannot recover a lost key — you must rotate it.
- Passwords: User passwords are hashed using bcrypt with a cost factor of at least 12. We do not store plaintext passwords.
4. Access Control
We apply the principle of least privilege across our systems:
- Production system access is restricted to a small group of authorised engineers via VPN and multi-factor authentication (MFA).
- Database access from application servers uses read/write-segregated roles with minimum required permissions.
- Customer data is logically isolated by organisation ID — no customer can access another customer's data.
- Administrative access to customer accounts is logged and audited. Support staff access data only when investigating authorised support tickets.
- Access is revoked immediately upon employee offboarding.
5. Penetration Testing and Vulnerability Management
We conduct security assessments on a regular basis:
- Annual external penetration test: Conducted by an independent third-party security firm. Scope includes the web application, API, and network perimeter.
- Continuous vulnerability scanning: Automated scanning of our codebase (SAST), dependencies (SCA), and infrastructure using tools including Snyk and AWS Inspector.
- Patch management: Critical and high-severity vulnerabilities in dependencies are patched within 72 hours of identification; medium-severity vulnerabilities are patched within 14 days.
6. Responsible Disclosure (Bug Bounty)
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in our platform, please report it to support@verifox.ai before public disclosure, and allow us a reasonable time (typically 90 days) to investigate and remediate.
In your report, please include: (a) a description of the vulnerability; (b) steps to reproduce; (c) the potential impact; and (d) any proof-of-concept code. We will acknowledge your report within 2 business days and keep you informed of our progress.
We do not pursue legal action against researchers who follow these guidelines. We offer recognition (and in some cases monetary rewards) for impactful, responsibly disclosed findings, at our discretion.
7. Incident Response
We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed data breach affecting your personal data or Customer Data:
- We will notify affected customers within 24 hours of confirming the breach.
- We will notify relevant supervisory authorities within 72 hours as required by GDPR Art. 33.
- We will provide a full incident report within 14 days, including root cause analysis and remediation steps.
Our on-call security team is available 24/7 for critical incident response. For security emergencies, email support@verifox.ai with "URGENT" in the subject line.
8. Physical and Operational Security
Our infrastructure is hosted in AWS data centres that hold ISO 27001, SOC 1, SOC 2, and SOC 3 certifications. AWS data centres include physical security controls such as 24/7 security personnel, multi-factor access control, CCTV, and environmental controls (fire suppression, power redundancy, cooling).
Verifox employees working with customer data are subject to background checks, security training at onboarding, and annual security awareness training. Remote working policies include requirements for encrypted devices, VPN usage, and screen locks.
This document was last updated on March 27, 2026. If you have questions about this policy, please contact support@verifox.ai.