Trust · Security

Trust & Security

Security and sovereignty are the product. Verificate is engineered so that sensitive data and decisions stay inside your boundary. This page documents our controls, mapped to the AICPA SOC 2 Trust Services Criteria.

Certification status

Verificate's controls are designed and mapped to the SOC 2 Trust Services Criteria. We are pursuing a formal SOC 2 Type II attestation R; the current audit status and any report are available under NDA. Verificate does not represent that it holds a completed SOC 2 attestation until one is issued.

SOC 2 Trust Services Criteria

Our controls address each of the five criteria:

Security (Common Criteria)
  • TLS encryption in transit on all endpoints (edge-terminated).
  • Passwords stored only as one-way bcrypt hashes; short-lived signed (JWT) sessions.
  • Single-user API keys — per-key rate limiting and automated key-sharing (multi-IP) detection block abuse.
  • Least-privilege access; secrets held in the platform secret store, never in source.
  • No anonymous access to metered endpoints; the raw model routes are not publicly exposed.
Availability
  • Runs on managed OpenShift with health-checked, restartable workloads and a durable, backed-up database.
  • Website served via a global CDN (Cloudflare) with static, cacheable assets.
  • Capacity and error monitoring; graceful degradation (e.g. maintenance responses) rather than hard failure.
Processing Integrity
  • Bit-exact C++/ONNX inference — 0 / 10,000 argmax mismatches vs the reference.
  • Deterministic decisioning with per-decision audit lineage.
  • Governed proposal layer: changes are validated and gated before they can affect a live decision.
Confidentiality
  • Data classification and access control; sensitive reports shared only under NDA.
  • Sovereign, zero-egress product architecture — raw data never leaves the customer boundary.
  • Tenant isolation; dedicated database for account and usage data.
Privacy
  • Data minimisation and purpose limitation; cookie-free, first-party analytics with no third-party trackers.
  • Data-subject rights honoured under the Privacy Act 1988 and GDPR.
  • See our Privacy Policy for the full detail.

Data residency & sovereignty

Verificate products are CPU-native and architected for zero network egress — they can run entirely on-premise, in your own Kubernetes/OpenShift, on a VM, or fully air-gapped. Account and MCP-gateway data for the hosted service is stored in Australia on managed OpenShift infrastructure.

Sub-processors

The hosted service uses a small set of vetted providers: Stripe (payments, PCI-DSS Level 1), Cloudflare (web hosting/CDN), Resend (transactional email), and managed OpenShift compute. A current list is available on request.

Responsible disclosure

If you believe you have found a security vulnerability, please report it privately to [email protected] with the subject “Security”. We will acknowledge your report, work with you on a fix, and credit you if you wish. Please do not publicly disclose until we have remediated.

Compliance

Verificate handles personal information under the Australian Privacy Act 1988 (Cth) / Australian Privacy Principles and, where applicable, the EU/UK GDPR. Payment processing is handled by a PCI-DSS Level 1 provider. See our Privacy Policy and Legal & claims pages.

© 2026 Verificate Pty Ltd · ACN 681 762 818 · Sydney, NSW, Australia · Last updated 8 July 2026