Security
Last updated: May 15, 2026

This page documents the security controls Veridian has in place to protect customer data and API traffic. We believe in being specific rather than vague about what we do and do not do. If you have a question not answered here, email hello@veridianapi.com.
Data in Transit
All traffic between clients and the Veridian API is encrypted using TLS 1.3. Connections using TLS 1.2 or below are rejected. HTTP requests are automatically redirected to HTTPS.
Our TLS configuration uses strong cipher suites (AES-256-GCM, ChaCha20-Poly1305) and forward secrecy. Certificate pinning is not enforced to avoid deployment friction, but our certificates are from a widely trusted CA.
Data at Rest
Data stored in our database is encrypted at rest using AES-256. Encryption is handled by Supabase (PostgreSQL on AWS eu-west-1), which manages key rotation and hardware security module (HSM) integration.
Backups are encrypted using the same key hierarchy. Backup retention is 30 days. Point-in-time recovery is available to our operations team.
API Key Security
API keys are hashed with SHA-256 before storage. Veridian never stores the plaintext key after initial generation. If you lose your API key, you must rotate it — we cannot recover it.
Keys are displayed in full only at the moment of creation. After that, only the last four characters are visible in the dashboard. Test-mode keys (prefixed vrd_test_) never access production data.
Rotate immediately if a key is exposed. Go to Dashboard → Developers → API keys, revoke the compromised key, and generate a new one. Notify us at hello@veridianapi.com if you suspect unauthorized API usage.
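The key-handling model described above (hash before storage, plaintext shown once, last four characters for display, test keys walled off from production data, revocation instead of recovery) is small enough to show end to end. The following is an added illustration, not Veridian's own code: the in-memory dictionary stands in for the database table, the vrd_live_ prefix is an assumption (the page only names vrd_test_), and revocation is done on the stored record rather than through the dashboard.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the key table. Only the SHA-256 digest and a display
# hint are stored; the plaintext exists solely in the return value of generate_api_key().
_KEY_STORE: dict[str, dict] = {}

# vrd_test_ is documented on the page; vrd_live_ is an assumed counterpart.
PREFIXES = {"test": "vrd_test_", "live": "vrd_live_"}


def _digest(plaintext: str) -> str:
    """SHA-256 of the key. Keys carry ~256 bits of entropy, so a plain (unsalted,
    un-stretched) hash is sufficient here, unlike for user-chosen passwords."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def generate_api_key(mode: str = "live") -> str:
    """Mint a key, persist only its hash and last four characters, return plaintext once."""
    plaintext = PREFIXES[mode] + secrets.token_urlsafe(32)
    _KEY_STORE[_digest(plaintext)] = {
        "mode": mode,
        "last4": plaintext[-4:],  # all the dashboard shows after creation
        "revoked": False,
    }
    return plaintext


def dashboard_label(record: dict) -> str:
    """Masked form shown after creation: prefix, ellipsis, last four characters."""
    return f"{PREFIXES[record['mode']]}...{record['last4']}"


def authenticate(presented: str):
    """Resolve a presented key to its stored record, or None if unknown or revoked."""
    candidate = _digest(presented)
    for stored_digest, record in _KEY_STORE.items():
        # compare_digest keeps the comparison itself constant-time; a leak here
        # would expose hash bytes only, never the key, but it costs nothing.
        if hmac.compare_digest(stored_digest, candidate):
            return None if record["revoked"] else record
    return None


def may_access(record: dict, data_env: str) -> bool:
    """Enforce the page's rule: a test-mode key never reaches production data."""
    return not (record["mode"] == "test" and data_env == "production")


def revoke(record: dict) -> None:
    """There is no recovery path: a lost or exposed key is revoked and a new one minted."""
    record["revoked"] = True


if __name__ == "__main__":
    key = generate_api_key("live")
    print("show once:", key)
    print("dashboard:", dashboard_label(authenticate(key)))
    revoke(authenticate(key))
    print("after revoke:", authenticate(key))
```

Because lookup happens on the digest, the database never holds anything that can be turned back into a usable key, which is exactly why rotation rather than recovery is the only option when a key is lost.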
OFAC Screening
Every identity verification request is screened against the OFAC SDN (Specially Designated Nationals) list as part of the verification pipeline. Screening occurs on every request, not just at onboarding.
Our sanctions database is updated daily. The OFAC SDN list currently contains 18,698 records across individuals, entities, and vessels. Potential matches are flagged for review and surfaced in the API response and webhook payload.
Document Handling
Government ID images and selfie photos submitted through the API are used solely to produce a verification result and are deleted after verification completes. We do not retain document images or use them for any purpose beyond the requested check.
Verification results (status, risk score, extracted identity fields) are retained for the duration of your subscription. You can retrieve them at any time via GET /v1/verifications/:id.
Infrastructure
The Veridian API runs on AWS eu-west-1 (Ireland). Data submitted through the API is stored and processed within the EU. We do not replicate data to regions outside the EU without customer instruction.
Access to production infrastructure is restricted to Veridian engineers via SSO with enforced MFA. All access is logged and reviewed. No employee has standing access to customer data — queries require approval.
Compliance Status
- SOC 2 Type II: Audit in progress. We will publish the report when complete. Contact us if you need our current security posture documentation.
- GDPR: We act as a data processor for customer-submitted end-user data. A Data Processing Agreement (DPA) is available on request.
- PCI DSS: We do not process or store payment card data directly. Payments are handled by our PCI-compliant payment processor.
Responsible Disclosure
If you believe you have found a security vulnerability in Veridian, please report it to hello@veridianapi.com with a description of the issue and steps to reproduce. We will acknowledge receipt within one business day and investigate promptly.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days). We do not currently operate a bug bounty program but we do recognize researchers who report valid issues.
Security question or vulnerability to report? Email us and we'll respond within one business day.