Operational Practices

Access to customer data stored within applications is restricted and only happens based on a service and support request initiated by our customers.

Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.

Within Verified, only authorized Verified employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and the servers only accept incoming SSH connections from Verified locations. All access to data is logged to offer a complete audit-trail.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Our support teams will only access customer data when necessary to resolve an open ticket.

Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company.

Our awareness program is built on the premise that security is the responsibility of everyone. These responsibilities are extracted from our internal Security Policy Program, and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.

Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires.

Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and published threat, and reinforces the importance of following security good practices.

Verified as a company attracts and hires only the best and the brightest to work for us. During recruiting, we perform employment, visa, background, criminal records and financial checks. On acceptance of an offer, we ensure each new hire has an on-boarding plan and access to on-going training based on their role.

If a contract between Verified and one of our customers using our cloud products ends, customer data will be removed from our cloud environment according to the timelines below.

Scenarios where customer contract can end include:

• Missed payments: Where an existing customer misses a payment for their product subscription (whether monthly or annually);
• Subscription cancellation: Where an existing customer cancels their subscription;

When a customer misses a payment or the payment cannot be made, they are unsubscribed from all products 30 days after the due date for the payment. Once this occurs, their data is retained in backup for 180 days, after which it is deleted. Customers can ensure their data is not deleted by rectifying any missed payments within 15 days. It is not possible to restore customer data after this timeline even if payment has been made.

Your account and associated users will be deactivated when your subscription ends. Verified retains data for deactivated accounts after the end of your current subscription period for 180 days.

Your data cannot be recovered after it’s deleted. We strongly recommend creating a Verified data backup from the archive. This can be done manually or via the API.