Trust
Vendor security Q&A.
How Verifex protects your data: hosting, encryption, access control, incident response, backups, and honest limitations.
Where is Verifex hosted?
Verifex runs on dedicated VPS infrastructure hosted by IONOS in the United States. We do not use shared serverless platforms for the screening API.
What encryption is used?
All API traffic is encrypted in transit with TLS 1.2 or later. API keys are stored as SHA-256 hashes (not plaintext). Screening request payloads are processed in memory and not retained beyond the plan's audit retention period.
How are API keys managed?
API keys are generated as random tokens (vfx_… prefix), hashed with SHA-256 before storage, and can be revoked instantly from the dashboard. We do not support key rotation automation yet.
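The key handling described above, as an added Python sketch that is not Verifex's own code: a token with the vfx_ prefix is issued, only its SHA-256 digest is stored, and revocation is a flag on the stored row. The KeyStore class, the key_id handle, the 32-byte token length and the owner name are assumptions made for the example.

```python
import hashlib
import secrets

PREFIX = "vfx_"  # the prefix is from the page; all other names are assumed


def digest(token: str) -> str:
    """SHA-256 hex digest of a token: the only form that is stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical in-memory stand-in for the API key table."""

    def __init__(self):
        self.rows = {}  # digest -> {"key_id", "owner", "revoked"}

    def issue(self, owner: str):
        # 32 bytes from the OS CSPRNG. With that much entropy a fast, unsalted
        # hash cannot be brute-forced, unlike a hash of a human-chosen password.
        token = PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(4)  # non-secret handle for the dashboard
        self.rows[digest(token)] = {"key_id": key_id, "owner": owner, "revoked": False}
        return key_id, token  # token is shown once and never stored

    def verify(self, presented: str):
        """Return the owner for a live key, or None."""
        if not isinstance(presented, str) or not presented.startswith(PREFIX):
            return None
        row = self.rows.get(digest(presented))  # lookup by digest, no plaintext
        if row is None or row["revoked"]:
            return None
        return row["owner"]

    def revoke(self, key_id: str) -> bool:
        """Revoke by handle; takes effect on the next verify()."""
        for row in self.rows.values():
            if row["key_id"] == key_id:
                row["revoked"] = True
                return True
        return False


if __name__ == "__main__":
    store = KeyStore()
    key_id, token = store.issue("acme-compliance")  # constructed owner name
    print(store.verify(token))       # owner while the key is live
    store.revoke(key_id)
    print(store.verify(token))       # rejected after revocation
    print(token in str(store.rows))  # whether a table dump contains the key
```

Because only the digest is kept, a lost key cannot be recovered from the table; it has to be revoked and reissued.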
Who has access to customer data?
Access is restricted to the founder/operator. There is no third-party support team with database access. We do not share customer screening data with external analytics or advertising platforms.
What audit logs are maintained?
Every screening event is logged with timestamp, query metadata, list versions, match results, and algorithm version. Logs are retained according to plan tier (30–365 days).
What is the backup and disaster recovery posture?
Database backups are performed daily and stored off-site. RPO is approximately 24 hours. RTO is not formally guaranteed. We recommend customers implement client-side retry logic for critical screening flows.
What is the uptime target?
We target 99.9% uptime for the screening API on self-serve plans. This is a target, not a contractual SLA. Enterprise customers can negotiate signed SLAs. Live status is available at status.verifex.dev.
What compliance certifications does Verifex hold?
Verifex does not currently hold SOC 2 Type I, SOC 2 Type II, or ISO 27001 certification. We are evaluating a SOC 2 Type I engagement. This is a known gap for enterprise procurement.