Everything you need for procurement
The short version: dedicated AWS account, per-data-class KMS CMKs, encrypted in transit and at rest, immutable audit log, biometric auto-purge, and a SOC 2 trajectory we will hold to publicly.
At a glance
What you can rely on today
Encryption
TLS 1.2+ in transit; AES-256 + KMS envelope encryption at rest with per-data-class CMKs.
Isolation
Dedicated vereid-prod AWS account under the AIARCO organization, with separate VPC and IAM.
PII vault
Identity documents and biometric templates live in a separate logical store with its own CMK and a strict allow-list of services.
Audit log
Every write goes to an append-only audit_events stream replicated nightly to a WORM-locked S3 bucket.
Biometric retention
Liveness and face-match templates auto-purge ≤30 days after the match completes; ID images retained 7 years for AML obligations only.
Backups
Aurora point-in-time recovery enabled; cross-region restore tested quarterly.
Incident response
Runbooks for the top 12 incident classes, with named on-call rotation and a 24-hour customer-notification SLA on confirmed breaches.
Sub-processors
Public list at /legal/sub-processors — updated 30 days before any new vendor goes live with PII access.
DSR
/v1/me/data-export and /v1/me/delete are live for all users; per-tenant override available on Enterprise.
Documents
Where to find what
- /security: Security overview, SOC 2 trajectory, encryption and key-management details
- /legal/privacy: Privacy policy
- /legal/terms: Terms of service
- /legal/sub-processors: Current and pending sub-processors
- https://status.vereid.com: Live status and incident history
- mailto:security@vereid.com: Security contact — including coordinated disclosure