SOC 2 Type II audit in progress

Enterprise-grade security and compliance

VerifyAI is undergoing a SOC 2 Type II audit and runs on SOC 2 / ISO 27001 infrastructure. We offer a standard Data Processing Addendum for customers with UK or EU data protection obligations. The controls below answer the questions our enterprise customers ask before signing.

Certifications and alignment

We are undergoing a SOC 2 Type II audit against the AICPA Trust Services Criteria, with a standard Data Processing Addendum available for customers with UK/EU GDPR or CCPA privacy review requirements.

Audit in progress

SOC 2 Type II

Independent audit of our security, availability, and confidentiality controls is currently in progress. Status updates and our security overview are available under NDA.

AICPA Trust Services Criteria — audit in progress

Built on compliant infrastructure

VerifyAI runs on enterprise infrastructure with the compliance programs shown below. These provider audits reinforce the SOC 2 controls we are implementing across the stack.

Vercel

Application hosting and edge delivery

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS Level 1
  • DPA and SCCs available

Supabase

Database, authentication, storage

  • SOC 2 Type II
  • HIPAA-eligible infrastructure
  • DPA and SCCs available

Google Cloud

Compute, image storage, ML inference

  • SOC 1 / 2 / 3
  • ISO 27001 / 27017 / 27018
  • HIPAA-eligible services

Encryption

Modern transport security, strong at-rest encryption, and documented key management.

TLS 1.3 in transit

All API and SDK connections terminate on TLS 1.3 with modern cipher suites; earlier protocol versions (TLS 1.2 and below) are disabled.

AES-256 at rest

Verification images, database records, and backups are encrypted at rest with AES-256 using provider-managed KMS.

Key rotation

KMS keys are rotated on a documented schedule. Application secrets and API credentials are rotated on personnel change and on any suspected exposure.

Data residency and transfers

Pick the region that matches your regulatory posture. New accounts default to the United States.

Regions

Where verification data is processed and stored

  • United States: default for new accounts. Available on every tier.
  • United Kingdom: available on the Enterprise tier.
  • European Union: available on the Enterprise tier.

Transfer mechanisms

For restricted transfers under UK and EU GDPR

When personal data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs.

Transfer impact assessment information is provided alongside the DPA on request.

Access controls

Identity, authentication, and authorization built for enterprise teams.

SSO / SAML

SAML 2.0 single sign-on available on the Enterprise tier, with SCIM provisioning on request.

MFA for every account

TOTP-based MFA is available to all customers on all plans and is enforced for internal administrator access.

Role-based access control

Granular roles separate admin, developer, and read-only access. Customer data access by our staff is least-privilege and logged.

Audit logs

Tamper-evident audit logs cover authentication, API key changes, policy edits, and administrative actions. Log export is available on the Enterprise tier.

Vulnerability management

Continuous scanning, annual third-party testing, and a clear path for outside researchers.

Continuous dependency scanning

Automated dependency and container scanning runs on every build. High-severity findings block release until remediated or risk-accepted.

Annual penetration testing

Independent third-party penetration tests are conducted at least annually against the API, web application, and SDK surfaces. Summary letter available under NDA.

Responsible disclosure

Report suspected vulnerabilities to security@switchlabs.dev. We acknowledge reports within two business days and do not pursue researchers acting in good faith.
Security contact: security@switchlabs.dev — PGP key available on request.

Incident response

Defined severity levels, response SLAs, and breach notification commitments.

72-hour breach notification

We notify controllers of confirmed or reasonably suspected personal data breaches without undue delay, and in any event within 72 hours of becoming aware.

Sev-1 acknowledgement within 1 hour

Severity 1 incidents (production API materially unavailable or confirmed customer-data exposure) are acknowledged within one hour of confirmed detection, with written status updates at least every four hours until resolution.

Incident communications

We notify affected customers directly during material incidents and provide post-incident summaries for enterprise security reviews.

Business continuity

Tested backups and documented recovery objectives.

Backup RPO: 24 hours

Maximum acceptable data loss window

Production databases are backed up at least daily with point-in-time recovery enabled. Backups are encrypted and tested on a regular cadence.

Recovery RTO: 4 hours

Target time to restore production service

Our recovery runbooks target restoration of production API availability within four hours of a declared disaster, with prioritization of verification request processing.

Privacy

Minimum necessary data, configurable retention, and clear processor commitments.

90-day default image retention

Verification images are retained for 90 days by default, then deleted from active systems. Enterprise customers can configure shorter retention windows.

Data subject rights

We support controller-initiated requests for access, rectification, erasure, restriction, portability, and objection. Most requests are fulfilled within 30 days.

DPA available

A standard Data Processing Addendum covering UK and EU GDPR Article 28 obligations is available on request and included in Enterprise order forms.

Read our GDPR overview for a deeper walkthrough of controller / processor responsibilities and data subject rights.

Resources

Documents and evidence available for your security review.

SOC 2 audit status

Type II audit in progress — request status update under NDA

DPA and security questionnaires

Request our DPA, security overview, or pre-filled questionnaire responses from our team.

Need details for an enterprise security review?

We'll walk through our controls, share evidence under NDA, and answer questionnaire-style follow-ups directly.
