Trust Center

We enable over 4,000 organizations across Europe to deliver exceptional business services, with a central focus on earning and maintaining your trust.

Product Security

One of our industry’s challenges is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security. There are a range of security controls we implement to keep our products and your data safe.

Encryption in transit

All customer data stored within Verified cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.3 to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

Encryption at rest

Data drives on servers holding customer data and attachments in Verified use AES-256 encryption at rest. Data encryption at rest helps guard against unauthorized access and ensures that data can only be accessed by authorized roles and services with audited access to the encryption keys.

Encryption key management

Verified uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Tenant Isolation on Verified Enterprise Version

Tenant isolation ensures that, even though customers are sharing a common IT infrastructure, they are logically segregated so that the actions of one tenant cannot compromise the data or service of another tenant.

This concept ensures that, in this shared environment :

  • Each customer’s data is kept logically segregated from other tenants when at-rest; and
  • Any requests that are processed by Verified have a “tenant-specific” view so other tenants are not impacted.

Product Security Testing

Our approach to vulnerability management for our products consists of internal and external security testing.

Internal Testing

This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.

In the testing phase, both our development and security engineering team switch to an adversarial approach to attempt to break features using automated and manual testing techniques.

Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output.

Our security engineering team are subject matter experts, but it’s ultimately every developer in our company who is responsible for their own code.

External Testing

When a vulnerability is identified by one of our users during standard use of a product, we welcome notifications and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.

Specialist security consultants are used to complete penetration tests.

Our approach to penetration testing is highly targeted and focused. Tests will generally be:

  • White box: Testers are provided design documentation and briefings from product engineers to support their testing
  • Threat-based: Testing focuses on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point

We do not make these reports or extracts available externally due to the extensive information made available to the testers in conducting these assessments.

Product Vulnerability Management

We take innovative approaches to building quality software.

We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assurance. We focus on fostering a “whole team” mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We also are actively working to empower and educate developers to test their own features to our quality standards.

While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process.

Amazon

Description and relevant certification

Hosting of our platform for our operational services storage ISO/IEC 27001:2013, SOCI-III, PCI DSS and more.

Company ID and address

Org no: 516411-0669, Kungsgatan 49, 111 22 Stockholm, Sverige

Processing customers data

Processing customers data

Region

EU

Bronnoysundregistrene

Description and relevant certification

Lookup services

Company ID and address

974 760 673, Brønnøysundregistera, Postboks 900, 8910 Brønnøysund

Processing customers data

Yes

Region

EU

Datadog

Description and relevant certification

Use logdata for Observability, monitoring and security purposes. Read more: https://trust.datadoghq.com/.

Company ID and address

Datadog, Inc. 620 8th Ave 45th Floor, New York, NY 10018 USA https://trust.datadoghq.com/

Processing customers data

Yes

Region

EU

Dun & Bradstreet

Description and relevant certification

Lookup services

Company ID and address

Org no: 556341-5685, Rosenborgsgatan 4-6, Solna, Sweden

Processing customers data

Yes, from Dec 27, 2023

Region

EU

EID Easy OÜ

Description and relevant certification

Signing, authentication

Company ID and address

14080014, Telliskivi tn 60/1, Tallinn, Estonia, 10412

Processing customers data

If customer uses the service

Region

EU

Finansiell ID-Teknik BID AB

Description and relevant certification

Signing, authentication, lookup services with BankID SE

Company ID and address

556630-4928, Södra Kungstornet; Kungsgatan 33; 111 56 Stockholm

Processing customers data

If customer uses the service

Region

EU

Google Ireland Limited

Description and relevant certification

Storage of files that enables the customer to maintain the text and its translations to different languages that are used if the service “smart forms” is used.

Company ID and address

ISO/IEC 27001:2013, SOC 2, CSA STAR and more: https://cloud.google.com/security IEno 6388047V, Gordon House, Barrow Street, Dublin 4

Processing customers data

If customer uses the service

Region

EU if customer select to use the service

IN Groupe Trust Services ApS

Description and relevant certification

Offer eID (MitID in Denmark)

Company ID and address

C/O IN Groupe Denmark A/STeknikerbyen 5, 2.Søllerød2830 Virum‍

Processing customers data

If customer select to use the service

Region

EU

MongoDB Limited

Description and relevant certification

Storage of process data generated and could be used during usage of some of our services as custom flows and AML.

Company ID and address

ISO/IEC 27001:2013, SOC 2, PCI DSS and more: Number One Ballsbridge, Ballsbridge, Dublin 4, Ireland

Processing customers data

Region

EU if customer select to use the service

Nets AS

Description and relevant certification

Signing, authentication, payments, lookup services

SOC 2

Company ID and address

37427497, Klausdalsbrovej 601, DK-2750 Ballerup, Denmark

Processing customers data

If customer select to use the service.

Region

EU

Plisec AB

Description and relevant certification

Lookup services supporting AML and KYC compliance

Company ID and address

559161-4275, Dansbanevägen, 16, 126 31 Hägersten, Sweden

Processing customers data

If customer uses the service

Region

EU

Tagd AB

Description and relevant certification

Operational services for contract management.

Company ID and address

559364-3058
Skogsfrugränd 1, 16762 Bromma, Sweden

Processing customers data

If customer select to use the service.

Region

EU

Trapets AB

Description and relevant certification

Signing, authentication, payments, lookup services

Company ID and address

Org no: 556586-4773, Kungsgatan 56, 111 22 Stockholm, Sweden

Processing customers data

If customer select to use the service

Region

EU

Vipps AS

Description and relevant certification

Signing, authentication, payments, lookup services

Company ID and address

918 713 867, Postboks 9236 Grønland, 0134 Oslo

Processing customers data

If customer uses the service

Region

EU

Zendesk, Inc.

Description and relevant certification

Tool for our customer support services and ticket application. Contains information provided by the customer and support staff about the service. ISO 27001:18, AICPA, SOCII etc. See: https://www.zendesk.com/product/zendesk-security/

Company ID and address

EIN no: 26-4411091, SEC CIK #0001463172, 989 Market St, San Francisco, CA 94103

Processing customers data

If customer uses the service

Region

EU

Basic electronic - Level 2

Character

Quick and easy

Use cases (local regulations regarding the legal validity and the availability of level 4 signatures apply)

  • Customer on-boarding
  • Signing when receiving a parcel

Type

Touch ID, Email, SMS OTP

Advanced electronic - Level 3

Character

  • Linked to signer
  • Increased legally binding proof
  • More trustworthy than basic electronic signature

Use cases (local regulations regarding the legal validity and the availability of level 4 signatures apply)

  • Loan application
  • Employment contracts
  • Insurance documents
  • Documents from public authorities

Type

SMS OTP, Mail OTP, BankID Sweden, BankID Norway, FTN, MitID

Qualified electronic - Level 4

Character

  • Highest level of security
  • Personal link to signer
  • Digital equivalent of a written signature
  • Legal obligation

Use cases (local regulations regarding the legal validity and the availability of level 4 signatures apply)

  • Loan application
  • Employment contracts
  • Insurance documents
  • Documents from public authorities

Type

BankID Norway

Standard

ISO 27001

Sponsor

International Organization for Standardisation

Status

Certified ISO 27001 is specification for an information security management system (ISMS), which is a framework for an organization's information risk management processes.

Standard

BankID

Sponsor

BankID

Status

Verified is a compliant partner and issuer of BankID in Norway and Sweden. Merchants get their certificates issued through Verified. Verified adheres to the current requirements of BankID to keep this status/position. BankID meets the banks’ own high standards for Internet banking security.