Information Security and Privacy Overview
As the premier Supply Chain Risk and Performance Network, confidentiality, integrity, and availability of your data is of utmost importance. We help you stay ahead of risk. We help your business run more safely and effectively. We optimize performance. And we do it better than anyone else in the world.
Last updated: July 2022
Veriforce is committed to ensuring the confidentiality, integrity, and availability of your data. We have implemented international standards such as ISO 27001 and SOC2 to demonstrate that commitment. These standards require regular auditing from third parties to ensure we remain compliant. Our dedicated Compliance & Risk-, Engineering- and HR teams ensure compliance with the security and privacy programmes.
Terms and Definitions
ISMS - Information Security Management System
ISO - International Organization for Standardization
SOC - Service and Organization Controls
Cloud Datacenter Security
Veriforce’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider, located in Canada.
All physical office spaces require badge access and are located in buildings with dedicated security services, including camera surveillance. Additional security controls are in place for server and networking areas. Badge issuing and returns are managed by our HR department.
All visitors are signed in and out by their host and are always accompanied by a company representative. Visitors are only allowed at the shared areas such as boardrooms and meeting rooms. Physical access logs are reviewed every 90 days.
Data is encrypted both at rest and in transit using industry-leading encryption standards. Encryption keys for web applications are managed by AWS and locally managed for databases and local networks. Encryption key lifecycle management processes exist and keys are rotated at a minimum of every two years.
All employees are required to use company-issued laptops. Laptops are encrypted and equipped with antivirus solutions. Technical controls prevent tampering with security software and removable media drives are disabled. No unauthorised software may be installed and employees do not have the admin rights to change security settings on company devices. Password complexity and max validity period protocols are in place.
All network gateways are protected by firewalls and WAFS. Network Intrusion Detection System and Intrusion Prevention Systems (IDS/IPS) monitor all traffic for signs of intrusion, malicious software, and network abuse. Logging and monitoring of activity takes place with the assistance of expert 24/7 third party Managed Security Provider, and event escalation protocols are in place.
Vulnerability scanning is performed on a continuous basis and penetration testing is performed annually by a qualified third party. Security concerns identified in scans and testing are resolved and patches are applied monthly. Wifi networks (including employee home networks) use WAP2 encryption. MFA is enforced for all main systems.
Veriforce has adopted industry best practice in email security management via a cloud based solution that scans and monitors emails for threats and malware. All employees are trained on email security when onboarding and regular security refresher training is provided. Regular simulated phishing campaigns are conducted and additional training provided to any employees who fail the test. Employees may only use work email for work related matters. A bounty system with a reward programme is implemented for employees reporting suspect emails.
All employees are required to undergo background checks prior to onboarding. As part of onboarding employees are required to agree to the company code-of-conduct and confidentiality agreements. Employees also complete information security awareness training and data privacy training within 30 days of hire. Additional mandatory security awareness training courses are assigned each month and tracked to completion.
Veriforce follows a strict provisioning- and deprovisioning process that enforces segregation of access requests, modifications, and termination. All requests are tracked to completion and all termination requests are completed within 24-hours.
Employee physical and network access are monitored and access logs are reviewed quarterly. Regular access reviews are conducted by managers to ensure all employees operate on least privileged user roles. Veriforce has a hybrid work schedule allowing all employees to work remotely part time and designated employees to work remotely full time. A Work from Home Policy has been established ensuring all staff abide with certain minimum criteria to ensure security and data protection are in place.
Software Development - Secure Lifecycle
The Veriforce Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platforms’s planning, development, and release processes. We are externally audited, annually, against the SOC2 standard and the resulting SOC2 Type II audit reports are available.
Incident Response Management
Veriforce has an Incident Response Procedure that addresses different types of incidents. The Incident response plan is updated and tested regularly. Veriforce has access to an expert Forensics and Legal team to assist with incident management and resolution. Incident response roles and responsibilities are clearly defined. All incidents are logged and tracked to completion. Incident response includes root cause analysis for all incidents and notification procedures to alert affected customers in the instance of a breach.
Business Continuity and Disaster Recovery
Veriforce has formal Business Continuity and Disaster Recovery procedures that are updated regularly. Disaster recovery procedures include a range of scenarios including natural disasters and pandemics. Business Continuity and Disaster Recovery testing are conducted annually.
Backup and Restore Capabilities
Veriforce has a formal backup schedule, including daily incremental backups and full backups performed weekly. Backups are encrypted and stored off site to ensure availability and security. Backups are also regularly tested to ensure integrity.
Veriforce is adequately insured to mitigate Cyber Security incidents and closely work with insurance carriers to meet their pre-conditions and requirements for providing cover.
Veriforce has implemented a Vendor Management Procedure and performs risk assessments on all new and existing vendors to ensure the vendors meet the information security and privacy requirements of Veriforce. Contracts and DPA’s (where required) are in place. A list of all vendors and third parties that are engaged in data sub-processing is kept updated and are available to clients.
|Sub processor||Purpose of processing||Data location|
|Celeritas Tech||IT support||Canada|
|ComplyWorks South Africa||Customer support services||South Africa|
|Constant Contact||Marketing and communications with contractors||USA|
|Elavon||Credit card payment processing||Canada and USA|
|Google Translate||Translation of live chat communications||USA|
|Google Workspace||Data management||USA|
|Ring Central||Call center support||USA|
|Salesforce & Marketing Cloud||Customer relationship management
(stored in Canada, accessed from Canada and USA)
|Canada and USA|
|Showpad||Sales Enablement Platform||Belgium|
|Veriforce||Customer support activities||USA|
|Wordpress||Website customer engagement||USA|
Veriforce has embarked on obtaining relevant industry certifications and external audits:
SOC2 Type 2
Veriforce has been externally audited and has
SOC2 audit reports available.
ISO 27 001
Veriforce has been certified to
ISO 27 001:2013 standard by ABS
Climate Smart Certified
Veriforce has completed the Climate Smart
certification program to reduce carbon footprint.
For more information please contact the Compliance and Risk department at firstname.lastname@example.org