
Veref Trust Center

One link your security team can sign off on.

Compliance posture, security controls, infrastructure, sub-processors, and the documents your team will ask for. All in one place, kept up to date.

Status

All systems operational

Primary region

United Kingdom (GCP)

Frameworks

GDPR, EU AI Act, SOC 2, ISO 27001

Compliance

Where we stand on the frameworks customers ask about.

Our posture is current and honest. Where work is in progress, we say so.

GDPR & UK GDPR

Compliant

Lawful basis documented, DPA available on request, full data subject rights honoured.

EU AI Act

Ready

Human-in-the-loop by default. No automatic adverse decisions. Bias testing across protected categories.

SOC 2 Type II

In progress

Controls mapped to the SOC 2 Trust Services Criteria. Audit engagement underway.

ISO 27001

In progress

Controls mapped to ISO 27001 Annex A. Certification work in progress alongside SOC 2.

Security controls

The controls behind the certifications.

Mapped to SOC 2 Trust Services Criteria and ISO 27001 Annex A.

Identity & access

  • MFA required for all staff accounts
  • SSO / SAML 2.0 for enterprise customer logins
  • Role-based access control with least privilege
  • Quarterly access reviews
  • All admin actions audit-logged

Data protection

  • AES-256 encryption at rest
  • TLS 1.3 in transit, with HSTS
  • Biometric templates stored, never raw images
  • Per-tenant key isolation
  • Configurable retention and on-request deletion

Infrastructure

  • Hosted on Google Cloud Platform (europe-west2, London)
  • Web and edge delivery via Vercel
  • Production data residency in the United Kingdom
  • EU and US residency available on request
  • Daily encrypted backups, tested restores

Application security

  • Code review required on every change
  • Automated SAST and dependency scanning in CI
  • Annual third-party penetration test
  • Responsible disclosure programme
  • Secrets stored in a managed vault, never in code

Monitoring & response

  • 24/7 alerting on production health and security events
  • Security event logging with tamper-evident retention
  • Documented incident response playbooks
  • Customer notification within 72 hours of a confirmed incident
  • Post-incident reviews shared with affected customers

People & policies

  • Background checks on all staff
  • Annual security and privacy training
  • Confidentiality obligations in every employment contract
  • Managed laptops with disk encryption and MDM
  • Clear acceptable-use and data-handling policies

Sub-processors

Every vendor that touches customer data.

The full list and notification policy live on the Sub-processors page.

Vendor                  Purpose                                        Region
Google Cloud Platform   Hosting, storage, compute                      United Kingdom
Vercel                  Web and edge delivery for veref.work           Global edge
Sprinto                 Continuous controls monitoring (rolling out)   United States

Testing & assurance

How we prove the controls work.

Annual penetration test

Third-party penetration test scheduled annually against the production stack. Summary report available to qualified parties under NDA after the first cycle.

Continuous controls monitoring

Continuous evidence collection across infrastructure, identity, and code, rolling out on Sprinto. Findings drive remediation in the same week they surface.

Bias testing

Models evaluated across demographic cohorts before release and on every update. Methodology and summary results are available on request.

Documents

Everything your security team will ask for.

Public documents are linked directly. Sensitive documents are sent under a mutual NDA on first request.

Public

Available on request

  • Security Whitepaper
  • Architecture & data flow overview
  • SOC 2 Type II report (when available)
  • ISO 27001 Statement of Applicability (when available)
  • Penetration test summary (when available)
  • Business continuity & DR plan
  • Information security policy
  • Vendor risk assessment
  • Insurance certificate

Request documents

We reply within one business day, usually much sooner.


Your details are used solely to send the requested documents and respond to questions. We do not add you to any marketing list.

Responsible disclosure

Found something? Tell us.

We take security reports seriously and reply quickly. We commit to acknowledging every legitimate report, working with you on a fix, and crediting researchers who want public credit once the issue is resolved.

What we ask

  • Give us a reasonable time to fix before public disclosure.
  • Do not access, modify, or delete data that is not yours.
  • Do not run automated scans that disrupt service.
  • Stick to in-scope assets: veref.work, app.veref.work, and our public APIs.

What you can expect

  • Acknowledgement of every report within 2 business days.
  • A triage and severity assessment, shared with you.
  • Regular updates until the issue is closed.
  • Public credit on request once a fix has shipped.

Reviewing Veref?

We answer security questionnaires in days, not weeks.

Send us your questionnaire (CAIQ, SIG, or your own) along with your document request above and we will return both inside one business week. If you need a security call with our team during evaluation, we are happy to set one up.