Security & Trust

Security controls for regulated screening workflows

Your sanctions screening infrastructure handles regulated data. Here's exactly how we protect it — no vague promises, just specifics.

SOC 2-style controls — certification not complete

Verifex is implementing SOC 2-style security and auditability controls. Formal SOC 2 certification is not complete. Security questionnaires and architecture reviews are available for enterprise evaluations. For a detailed architecture review, contact hello@verifex.dev.

Security Controls

Hosting

  • Dedicated VPS on IONOS, United States
  • PostgreSQL database with encrypted connections
  • Redis with authentication-required access
  • Tenant isolation enforced at the application and database layer

Encryption

  • TLS 1.3 for all API and web traffic (HTTPS enforced)
  • HSTS with 1-year max-age and includeSubDomains
  • Database connections encrypted via SSL
  • API keys hashed with SHA-256 before storage (never stored in plaintext)
  • Webhook secrets generated with 256-bit cryptographic randomness

Authentication

  • Bearer token authentication with SHA-256 hashed keys
  • Passwords hashed with bcrypt (12 rounds)
  • Per-key rate limiting (sliding window via Redis)
  • IP allowlist support (Enterprise plan)
  • API key rotation with 24-hour grace period
  • Timing-safe comparison for internal secret validation where static secrets are used

Application Security

  • SSRF protection on webhook delivery (blocks private IPs, localhost, metadata endpoints)
  • HMAC-SHA256 signatures on all webhook payloads
  • Content Security Policy (CSP) headers
  • X-Frame-Options: DENY (clickjacking protection)
  • X-Content-Type-Options: nosniff
  • Zod input validation on all API endpoints
  • CSV injection prevention on data exports
  • Idempotency keys scoped per-user (prevents cross-tenant leakage)
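The two webhook controls above (SSRF protection on delivery and HMAC-SHA256 payload signatures) as an added Python illustration, not Verifex's own code; the signature layout (hex digest of the raw body) and the resolver injection are assumptions:

```python
# Added example (not Verifex's code): an outbound-webhook guard combining the
# SSRF destination check and HMAC-SHA256 payload signing listed above.
# The signature layout (hex digest of the raw body) is an assumption.
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Never deliver to loopback, RFC 1918, link-local (169.254.169.254 is cloud
# metadata), CGNAT, "this network", or the IPv6 loopback/ULA/link-local/mapped ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

def resolve_all(host):
    """Default resolver: every address the hostname currently maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def webhook_url_allowed(url, resolver=resolve_all):
    """True only for https URLs whose every resolved address is public."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme != "https" or not host or host == "localhost":
        return False
    try:
        ipaddress.ip_address(host)          # literal IP: check it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)          # every address is checked, so a
        except (OSError, LookupError, ValueError):  # name that also maps to a
            return False                    # private IP fails; unresolvable: deny
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
            return False
        if any(ip in net for net in BLOCKED_NETS):
            return False
    return bool(addrs)                      # empty answer: deny

def sign_payload(secret, body):
    """HMAC-SHA256 over the raw body bytes, sent alongside the payload."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret, body, presented):
    """Constant-time comparison, so a mismatch leaks no timing information."""
    return hmac.compare_digest(sign_payload(secret, body), presented)
```

The receiving side verifies with `verify_signature` over the exact bytes it received, before parsing the JSON.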

Rate Limiting & Abuse Prevention

  • Per-API-key rate limiting (10-5,000 req/min based on plan)
  • Per-IP rate limiting on public endpoints
  • Login rate limiting (5 attempts/minute per email)
  • Admin endpoint rate limiting (10 req/min per IP)
  • Circuit breaker pattern prevents cascade failures
  • Fail-closed design: rate limiter rejects if Redis is unavailable
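The sliding-window, fail-closed design from the list above as an added Python illustration, not Verifex's own code; the store classes are constructed stand-ins for Redis and the 60-second window is an assumption:

```python
# Added example (not Verifex's code): a per-key sliding-window limiter that
# fails closed, as the list above describes. The store is a constructed
# stand-in for the Redis sorted-set commands such limiters usually use.
import time

class MemoryStore:
    """In-memory stand-in for a Redis sorted set per API key."""
    def __init__(self):
        self.windows = {}

    def count_and_record(self, key, now, window_seconds):
        # Mirror ZREMRANGEBYSCORE + ZADD + ZCARD: drop expired hits, add this one.
        hits = [t for t in self.windows.get(key, []) if t > now - window_seconds]
        hits.append(now)
        self.windows[key] = hits
        return len(hits)

class DownStore:
    """Stand-in for an unreachable Redis: every call fails."""
    def count_and_record(self, key, now, window_seconds):
        raise ConnectionError("redis unavailable")

class SlidingWindowLimiter:
    def __init__(self, store, limit_per_minute):
        self.store = store
        self.limit = limit_per_minute

    def allow(self, api_key, now=None):
        """Return (allowed, reason). A store failure denies the request:
        an outage must not turn into an unlimited-request window."""
        now = time.time() if now is None else now
        try:
            count = self.store.count_and_record(api_key, now, 60)
        except ConnectionError as exc:
            return False, f"limiter unavailable: {exc}"
        if count > self.limit:
            return False, "rate limit exceeded"
        return True, "ok"
```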

Data Privacy & GDPR

  • Configured sanctions, watchlist, PEP, and debarment sources are treated as screening data
  • Account data and screening query payloads are retained only as needed for service delivery, audit evidence, and plan-specific retention
  • Screening results stored for audit compliance (configurable retention)
  • Data processing in the United States (IONOS infrastructure)
  • Right to deletion supported (contact hello@verifex.dev)
  • No third-party analytics or tracking on the API

Audit & Compliance

Every screening is an auditable event. Regulators can request proof that screening was performed, what lists were checked, and what the result was. Verifex provides this out of the box.

Audit Trail

Every screening request is logged with a unique request ID, timestamp, query, results, confidence scores, and lists checked. Records are retained per plan: Starter 30 days, Growth 60 days, Pro 90 days, Enterprise 365 days. The Free plan does not include audit trail access.

Adversarial Safety Testing

Engine v3 is tested against 10 corruption categories (OCR, keyboard, mixed script, spacing, contamination, token reorder, nickname, transliteration, org suffix, token omission) across 247 adversarial cases. The result is a 0% danger score: no false positives on corrupted common names. The engine is conservative by design.

List Version Tracking

Each screening record includes the exact timestamp of the sanctions list version used. If a regulator asks "was this person screened against the OFAC list as of March 15?", you have the answer.

Webhook Delivery Receipts

Every webhook delivery is logged with HTTP status, response time, retry attempts, and delivery timestamp. Enterprise plans include automatic retries with exponential backoff.

Uptime & Monitoring

Sanctions screening is on the critical path of your payment flow. We monitor continuously.

Real-Time Monitoring

  • 99.9% uptime target for the screening API; contractual SLA terms require a separate agreement.
  • 60-second health checks on all services
  • Memory and error spike alerting
  • Automatic process restart on failure (PM2 cluster mode)
  • 2 redundant API instances with load balancing
  • Live status at status.verifex.dev

Data Freshness

  • OFAC SDN synced every 6 hours
  • UN/EU lists synced every 12 hours
  • Configured public sources synced on source-specific schedules
  • Safety guard prevents data corruption from partial feeds

Security roadmap

  • Two-factor authentication for dashboard users is planned.
  • Role-based access controls are planned for larger teams.
  • Formal SOC 2 certification is not complete. SOC 2-style controls are in progress.

Subprocessors and support

Verifex uses infrastructure and service providers including IONOS for hosting, Lemon Squeezy for checkout and billing, and Resend for transactional email. Security questions can be sent to security@verifex.dev.

Responsible Disclosure

Found a security vulnerability? Send enough detail for us to reproduce and assess it. We prioritize reports involving account access, API keys, tenant isolation, or data exposure.

Ready to screen with confidence?

Free tier available. No credit card. No sales calls. Security controls are documented plainly.