Security and sovereignty are the product. Verificate is engineered so that sensitive data and decisions stay inside your boundary. This page documents our controls, mapped to the AICPA SOC 2 Trust Services Criteria.
Verificate's controls are designed and mapped to the SOC 2 Trust Services Criteria. We are pursuing a formal SOC 2 Type II attestation R; the current audit status and any report are available under NDA. Verificate does not represent that it holds a completed SOC 2 attestation until one is issued.
Our controls address each of the five criteria:
Verificate products are CPU-native and architected for zero network egress — they can run entirely on-premise, in your own Kubernetes/OpenShift, on a VM, or fully air-gapped. Account and MCP-gateway data for the hosted service is stored in Australia on managed OpenShift infrastructure.
The hosted service uses a small set of vetted providers: Stripe (payments, PCI-DSS Level 1), Cloudflare (web hosting/CDN), Resend (transactional email), and managed OpenShift compute. A current list is available on request.
If you believe you have found a security vulnerability, please report it privately to [email protected] with the subject “Security”. We will acknowledge your report, work with you on a fix, and credit you if you wish. Please do not publicly disclose until we have remediated.
Verificate handles personal information under the Australian Privacy Act 1988 (Cth) / Australian Privacy Principles and, where applicable, the EU/UK GDPR. Payment processing is handled by a PCI-DSS Level 1 provider. See our Privacy Policy and Legal & claims pages.
© 2026 Verificate Pty Ltd · ACN 681 762 818 · Sydney, NSW, Australia · Last updated 8 July 2026