Architecture Overview
- Next.js 14 frontend with static export served via Nginx reverse proxy
- Node.js/Fastify API tier running in cluster mode across all CPU cores
- PostgreSQL 15 primary database with daily pg_dump backups to encrypted storage
- Redis 7 for caching, rate limiting, and session state
- Infrastructure hosted on IONOS VPS (Germany) with geographic redundancy planning
Data Flow Summary
- Screening queries are normalized and matched against in-memory fuzzy indexes
- Match results are persisted to PostgreSQL with request ID, query, and full response
- Evidence Capsules are stored as structured JSON linked to screening records
- Sanctions source data is ingested via scheduled sync jobs with version tracking
- No customer PII is shared with third-party services beyond configured subprocessors
Subprocessors
- IONOS — VPS hosting and infrastructure (Germany)
- Let's Encrypt — TLS certificate issuance (automated via Certbot)
- LemonSqueezy — payment processing and subscription management (PCI-DSS compliant)
- Resend — transactional email delivery (sign-up, password reset, alerts)
- GitHub — source code repository and version control
API Key Security
- API keys use vfx_ prefix with 256-bit random entropy
- Only SHA-256 hashes are stored in the database — raw keys are never persisted
- Keys can be revoked instantly from the dashboard
- Enterprise plan supports IP allowlisting
- API key rotation available with 24-hour grace period (Enterprise)
Webhook Signing
- Webhook payloads include a SHA-256 HMAC signature in the X-Webhook-Signature header
- Signature is computed using your webhook secret (configurable per endpoint)
- Enterprise plan supports custom webhook secrets per endpoint
- Failed deliveries are retried up to 5 times with exponential backoff (Enterprise)
Rate Limiting
- Per-API-key rate limits enforced at the edge: Free 10/min, Starter 30/min, Growth 60/min, Pro 120/min, Enterprise 300/min
- Rate limit headers returned on every response: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
- 429 responses include Retry-After header with seconds until quota resets
- Burst protection via Redis-backed token bucket algorithm
Backup & Retention
- Daily automated pg_dump backups to encrypted off-site storage
- Backups retained for 30 days with weekly snapshots kept for 90 days
- Screening records retained per plan: Free/Starter 30 days, Growth 60 days, Pro 90 days, Enterprise 365 days
- Evidence Capsules follow the same retention schedule as screening records
- Customer-initiated data deletion available via dashboard or API request
Incident Response
- 24-hour response target for security incidents reported to security@verifex.dev
- Incident classification: P1 (service down) → 1 hour, P2 (data risk) → 4 hours, P3 (degraded) → 24 hours
- Status page at verifex.dev/status with real-time API health and incident history
- Post-incident reports published within 72 hours for P1/P2 events
- Customer notification via email for any incident affecting their data
Current Certification Status
- SOC 2 Type II — On the roadmap. Target: Q4 2026 assessment start.
- No current SOC 2, ISO 27001, or PCI-DSS certification.
- Security controls documented and reviewed quarterly.
- Penetration testing scheduled annually (next: Q3 2026).
- We do not claim certifications we have not earned.
No certifications yet. Verifex does not currently hold SOC 2 Type II, ISO 27001, or PCI-DSS certification. SOC 2 Type II is on the roadmap (target Q4 2026). This document describes our operational security controls, not a certified compliance posture.
FAQ
Common questions.
Can I download this security packet as a PDF?
Not yet. A downloadable security packet PDF is on the roadmap. This page serves as the live, version-controlled source of truth for our security posture.
Where is data hosted?
Production infrastructure runs on IONOS VPS in Germany. Backups are stored in encrypted off-site storage within the EU.
Is Verifex GDPR compliant?
Verifex processes screening data as a data processor. We provide a Data Processing Addendum (DPA) upon request. See verifex.dev/dpa and verifex.dev/privacy for details.
How do I report a security issue?
Email security@verifex.dev with details. We aim to respond within 24 hours and publish a fix timeline for confirmed vulnerabilities.