Security

Verifiable maintains an Information Security Program to ensure the confidentiality, integrity, and availability of information assets while meeting applicable legislative, industry, and contractual requirements.

Verifiable’s security policies, procedures, and standards are in accordance with the Trust Services Criteria of the AICPA SOC 2 framework.

Furthermore, an independent third party audits our compliance with the SOC 2 standard annually.

Information Security Program

Verifiable maintains a robust information security program consisting of policies, procedures, and controls that maintain the confidentiality, integrity, and availability of information and information assets belonging to Verifiable, its users, guests, employees, and business partners, while meeting compliance standards.

Compliance

Verifiable’s policies, procedures, and standards are based on the SOC 2 Trust Services Criteria.

In addition, we engage an independent third-party body to audit our compliance with the SOC 2 standard annually.

Access Control

Verifiable maintains access control policies and procedures to mitigate unauthorized access to system resources by ensuring that access to systems and resources is granted in accordance with the principle of least privilege, where access is restricted to the minimum level required to perform job functions. In addition, Verifiable performs periodic access reviews for all systems and resources.

Secure Software Development

Verifiable’s Software Development Life Cycle (SDLC) framework is based on industry standards such as OWASP, which ensures that secure design practices are integrated directly into the design and development process of the Verifiable Platform.

Incident Management and Response

An extensive security monitoring and incident response program is in place to detect, notify on, investigate, and remediate security events. Our Incident Response team verifies the scope and impact of any suspected incident and ensures timely remediation.

Disaster Recovery and Business Continuity

Verifiable maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency, data redundancy and disaster recovery procedures for the Verifiable Platform.

Data Classification & Management

At Verifiable, every information asset has a designated data owner who is responsible for ensuring that the asset is handled and managed appropriately.

Verifiable maintains policies and procedures for data classification and protection governing how different classes of data are handled.

Risk Management

Verifiable has a documented Risk Management Program that ensures risks to systems and resources are assessed annually and managed on an ongoing basis.

Vulnerability Reporting

In accordance with responsible disclosure, we respond to submitted security issues and encourage anyone to report bugs found in our platform.

Please review the rules below before submitting any reports or making any testing attempts.

Reporting Security Issues

Verifiable takes its security responsibilities seriously on behalf of our clients, their customers, and ourselves. We view the role of security researchers as critical to the improvement of controls and products throughout the internet. We believe that the ethical and safe processes used to discover vulnerabilities should have a proper channel for advising Verifiable. Please review our vulnerability reporting standards below.

Notification

To submit a bug for review, please send an email to security@verifiable.com

Non-Verifiable Issues

Issues found in third-party software or services that are not Verifiable’s intellectual property will be forwarded to the responsible party. These issues are outside the scope of our program and, while appreciated, will not be handled in the same manner.

Disclosure Process

Verifiable takes all reported issues seriously and will review the details. To protect Verifiable from disruptive testing, any researcher who wishes to engage in our program must comply with our process. We will not take legal action against legitimate, non-disruptive testing conducted to reveal an issue. Verifiable requires a reasonable timeframe to review, reproduce, and address any potential findings. Verifiable offers a discretionary reward program for those who share potential security vulnerabilities. Verifiable customers are not eligible for this program and should refrain from any testing attempts.

Exclusions

The following vulnerabilities are not eligible for consideration:

Potential for Compensation

You may be eligible to receive a monetary reward if:

Any amounts will be determined at the discretion of the Verifiable Information Security team, which evaluates each report for severity, impact, and quality. Reward amounts vary depending on the severity of the vulnerability reported. Some submissions may describe a level of risk that we determine to be acceptable, in which case no changes will be made. There should be no expectation that Verifiable will communicate with the submitter, regardless of the vulnerability submitted.