Security

Security is at the core of everything we do. VeraID is built from the ground up to protect your most sensitive credentials and identities.

SOC 2 Ready

Controls designed for SOC 2 compliance

GDPR Compliant

EU-hosted, following EU data protection standards

ISO 27001 Aligned

Aligned with the ISO 27001 security management framework

Credential Security

Credentials are protected with multiple layers of security using industry-leading cryptographic standards.

  • Argon2id Hashing: All credentials are hashed using Argon2id, the winner of the Password Hashing Competition. We use memory-hard parameters (64 MB memory, 3 iterations) to make brute-force attacks computationally infeasible.
  • AES-256-GCM Encryption: Credentials are also encrypted using AES-256-GCM with unique initialization vectors. The authenticated encryption ensures both confidentiality and tamper detection.
  • Minimal Plaintext Exposure: Only a short prefix of each credential is stored in plaintext for identification purposes. The full credential is never stored unencrypted.
  • Encryption in Transit: All communications use TLS 1.3. We enforce HTTPS for all connections with HSTS enabled.

Key Management

  • Secure Key Storage: Encryption keys are stored in secure, isolated environments and never committed to code repositories.
  • Key Rotation: Encryption keys can be rotated without service interruption. Historical keys are retained for decryption of existing data.
  • Separation of Concerns: Authentication (via hashing) and retrieval (via encryption) use separate cryptographic operations, providing defense in depth.

Infrastructure Security

  • Cloud Security: We run on Cloudflare's global edge network with built-in DDoS protection, WAF, and automatic failover.
  • Network Isolation: All production systems are isolated in private networks with strict firewall rules and no public internet exposure.
  • Database Security: Databases are encrypted, access-controlled, and backed up with point-in-time recovery. No public endpoints.
  • Edge Computing: Our API runs on Cloudflare Workers, providing isolation at the request level and automatic geographic distribution.

Access Controls

  • Least Privilege: All internal access follows least privilege principles. Employees have only the access they need.
  • Multi-Factor Authentication: MFA is required for all employee accounts. We support hardware keys and authenticator apps.
  • Audit Logging: All access to production systems is logged and monitored. Logs are immutable and retained for compliance.
  • SSO Integration: Enterprise customers can use SAML/SCIM for centralized identity management and access control.

Incident Response

We maintain a comprehensive incident response program with 24/7 on-call coverage. Our incident response process includes:

  • Detection: Automated monitoring and alerting for security events, anomalies, and potential threats.
  • Response: Documented runbooks for common incident types, with escalation procedures and communication templates prepared in advance.
  • Communication: Affected customers are notified within 72 hours of a confirmed breach, with status updates provided throughout.
  • Post-Incident: Root cause analysis and lessons learned are documented, and improvements are implemented to prevent recurrence.

Report a Security Issue

Found a vulnerability? We appreciate responsible disclosure and offer a bug bounty program.

security@veraid.io