SOC 2 Type II — In Progress
We are building toward SOC 2 Type II certification. Security controls documented below are actively enforced in production. For enterprise security questionnaires or a detailed architecture review, contact hello@verifex.dev.
Security Controls
Hosting
- Dedicated VPS on IONOS, United States
- PostgreSQL database with encrypted connections
- Redis with authentication-required access
- No shared hosting or multi-tenant infrastructure
Encryption
- TLS 1.2+ for all API and web traffic (HTTPS enforced)
- HSTS with 1-year max-age and includeSubDomains
- Database connections encrypted via SSL
- API keys hashed with SHA-256 before storage (never stored in plaintext)
- Webhook secrets generated with 256-bit cryptographic randomness
Authentication
- Bearer token authentication with SHA-256 hashed keys
- Passwords hashed with bcrypt (12 rounds)
- Per-key rate limiting (sliding window via Redis)
- IP allowlist support (Enterprise plan)
- API key rotation with 24-hour grace period
- Timing-safe comparison for all secret validation
Application Security
- SSRF protection on webhook delivery (blocks private IPs, localhost, metadata endpoints)
- HMAC-SHA256 signatures on all webhook payloads
- Content Security Policy (CSP) headers
- X-Frame-Options: DENY (clickjacking protection)
- X-Content-Type-Options: nosniff
- Zod input validation on all API endpoints
- CSV injection prevention on data exports
- Idempotency keys scoped per-user (prevents cross-tenant leakage)
Rate Limiting & Abuse Prevention
- Per-API-key rate limiting (10-10,000 req/min based on plan)
- Per-IP rate limiting on public endpoints
- Login rate limiting (5 attempts/minute per email)
- Admin endpoint rate limiting (10 req/min per IP)
- Circuit breaker pattern prevents cascade failures
- Fail-closed design: rate limiter rejects if Redis is unavailable
Data Privacy & GDPR
- Sanctions data sourced from official government publications (public data)
- No personal data stored beyond what users provide at registration
- Screening results stored for audit compliance (configurable retention)
- Data processing in the United States (IONOS infrastructure)
- Right to deletion supported (contact hello@verifex.dev)
- No third-party analytics or tracking on the API
Audit & Compliance
Every screening is an auditable event. Regulators can request proof that screening was performed, what lists were checked, and what the result was. Verifex provides this out of the box.
Tamper-Evident Audit Trail
Every screening request is logged with a unique request ID, timestamp, query, results, confidence scores, and lists checked. Stored for 10 years per OFAC record-keeping requirements.
List Version Tracking
Each screening record includes the exact timestamp of the sanctions list version used. If a regulator asks "was this person screened against the OFAC list as of March 15?", you have the answer.
Webhook Delivery Receipts
Every webhook delivery is logged with HTTP status, response time, retry attempts, and delivery timestamp. Enterprise plans include automatic retries with exponential backoff.
Uptime & Monitoring
Sanctions screening is on the critical path of your payment flow. We monitor continuously.
Real-Time Monitoring
- 60-second health checks on all services
- Memory and error spike alerting
- Automatic process restart on failure (PM2 cluster mode)
- 2 redundant API instances with load balancing
Data Freshness
- OFAC SDN synced every 6 hours
- UN/EU lists synced every 12 hours
- 43 government sources synced multiple times daily
- Safety guard prevents data corruption from partial feeds