Veracross Security & Privacy Standards

Veracross is constantly evolving its security and privacy measures to keep pace with an ever-changing global landscape. The summary below outlines our current security and privacy initiatives.

For more information, contact info@veracross.com

Infrastructure

All Customer data and Veracross applications are hosted at 3rd party cloud providers. Providers maintain a suite of modern, best-practice compliance certifications for the US, EU, AU, and elsewhere. These programs help to protect both Veracross and our Customers.

Veracross employs industry-standard defenses including Web Application Firewalls, Distributed Denial of Service (DDoS) mitigation, and we write code to account for Open Web Applications Security Project (OWASP) Top Ten risks. Customer data backups are encrypted and stored at a redundant location. We use active protections including file integrity monitoring (FIM), intrusion detection systems (IDS), and security monitoring with oversight from a dedicated third-party Security Operations Center (SOC).

Customer data is protected by TLS 1.2+ encryption when in-flight and AES-256 encryption when at rest. Veracross infrastructure is hardened according to the Center for Internet Security (CIS) Benchmarks. More information can be found here:

Certifications

Veracross is currently subject to PCI-DSS requirements, as well as GDPR, APP, Trans-Atlantic Data Privacy Framework (TADPF), and other data privacy laws and regulations.

SOC2

Veracross is in the process of being audited for SOC2 compliance.

TRUSTe

Veracross’ privacy policy and practices are reviewed against TRUSTe requirements including transparency, accountability, and choice regarding the collection and use of Customer information. Veracross’ Privacy Policy is analyzed and certified to be accurate based on Veracross business practices. Additionally, the Veracross public website is continuously scanned for vulnerabilities.

TrustArc, an independent 3rd party auditor, performs yearly audits of Veracross’ privacy management practices. The audit ensures that:

  • We have implemented commercially reasonable procedures to protect a Customer’s Personally Identifiable Information (PII) from unauthorized access, use, alteration, disclosure, or distribution.
  • We logically separate PII we receive from each Customer or Individual so that only the Customer or Individual has access to their own data.
  • We regularly monitor and update systems including networks, hardware, and software for known vulnerabilities.
  • We limit access and use of PII, or third-party PII, to personnel with a legitimate business need.
  • We implement protection against phishing, spam, viruses, data loss, and malware.
  • We use encryption, masking, redaction, or other protective methods for transmission of information across wireless networks, and storage of information where appropriate.
  • We have a security awareness guide, program or training for all personnel that will have access to a Customer’s or Individual’s PII.
  • We ensure that access to Customer information is restricted by appropriate protective identity management technologies and procedures, including multi-factor authentication (MFA).

The TRUSTe program covers information that is collected through the website http://veracross.com and Veracross platform services.

Trans-Atlantic Data Privacy Framework (TADPF)

Veracross has achieved certification for the Trans-Atlantic Data Privacy Framework (TADPF; formerly EU-US and Swiss-US Privacy Shield) with the U.S. Department of Commerce. To view the certification visit: link

PCI-DSS SAQ A-EP

Veracross is PCI-DSS SAQ A-EP compliant. Veracross performs both internal and third-party audits, penetration tests, and other assessments in order to maintain compliance.

Privacy Controls

The following summarize privacy controls at Veracross.

Policies & Procedures

  • We maintain a security policy that defines and describes the security and privacy requirements. All employees and contractors are required to review and attest to the policy at least annually.
  • We maintain an anti-virus policy that covers malware, viruses, and software vulnerabilities in commonly used software.
  • We maintain an acceptable use policy for end-users.
  • We maintain a mobile device management (MDM) policy for personal devices.
  • We maintain an acceptable email policy for all employees and contractors.
  • We maintain an incident response policy (IRP).
  • We maintain a multi-factor authentication (MFA) policy.
  • We maintain a virtual private network (VPN) policy.
  • We maintain a modern software development lifecycle (SDLC).
  • We maintain a modern phishing test system as part of our communications safety program.
  • We maintain a business continuity (BC) and disaster recovery (DR) plan.
  • We maintain a third-party vendor privacy & risk assessment program.
  • All employees & contractors undergo a criminal record check and background check.
  • All employees take security awareness training.
  • Product engineers receive OWASP Top 10 training.

Technical Measures

  • End-user devices are protected by anti-virus software, malware protection, VPNs, and disk encryption. All are remotely managed and administered.
  • Email systems are protected by modern security measures.
  • Data loss prevention (DLP) systems are in place.
  • Mobile device management (MDM) systems are in place.
  • Single sign-on (SSO) systems are in place for all critical systems & 3rd party applications with MFA enforced.
  • Granular access controls for employees, contractors, and customers are in place.
  • Customer data is segregated. It is accessed and processed separately from other Customer data.
  • Customer data is backed up continuously in a redundant location. Daily backups are available for a rolling 30-day window and monthly backups are available for one year.
  • We maintain a Recovery Point Objective (RPO) of 15 minutes or less and a Recovery Time Objective (RTO) of 4 hours or less.
  • Backups are stored at both AWS and Azure.
  • All databases are encrypted with AES-256 standards at rest.

Physical Access Controls

Physical access to Veracross offices is managed as follows: 

  • External doors to our offices are always locked. 
  • The days and hours an employee can access the premises are employee specific. 
  • Only authorized employees have physical access to the server / network room.
  • All entrances, exits, and sensitive locations are remotely monitored by security cameras and other occupancy sensors.
  • All employee, contractor, and visitor access is logged.

Note that no Customer data is stored on-premises. To review AWS and Azure physical security practices, see:

Visibility and Transparency

From technologies to business practices, everything operates according to transparently stated policies and practices and is independently verified. The following Fair Information Practices (FIPs) are associated with this principle:

  • Accountability – Responsibility for privacy and security and the policies in place to govern behavior and action. As appropriate, policies, procedures and assets should be assigned to a specific individual. When transferring PII to a 3rd party, an assurance must be in place that equivalent privacy protection exists through contractual or other means.
  • Openness – Policies and practices relating to the management of PII must be readily available to all required to uphold them.
  • Compliance – Redress mechanisms must be in place as well as procedures to handle complaints. Verification of compliance with privacy policies and procedures should be undertaken.

Logical & Data Access Controls

The following data access controls are in place at Veracross.

Customer Data & Applications

  • All Customer data and Veracross applications are hosted on modern cloud providers which enable granular access controls to both data and application infrastructure.
  • All Veracross applications employ modern authentication and authorization mechanisms which provide granular access control to Customer data. 
  • Role-based access controls are used to ensure only employees who are authorized to access data and infrastructure may do so.
  • All Veracross applications support single sign-on (SSO) and multi-factor authentication (MFA).

Employees

Note that no Customer data is stored on-premises.

  • Role-based access controls are used for all use of Veracross networks, databases, and other resources.
  • Employee passwords must adhere to strong password requirements. Password and login sharing is prohibited. 
  • Employees are required to use password managers.
  • Employee access to Customer data is limited to employees that require it as a part of performing their duties and access levels are regularly reviewed.
  • Employees are required to always use our approved VPN solution.
  • Employees are required to always use our approved MDM solution.

Transmission Controls

The following data transmission controls are in place.

Policies & Procedures

  • Employees are prohibited from transmitting Customer data or storing confidential information with any application, service, infrastructure, or cloud service provider unless explicitly authorized by the Information Security team.
  • Employees are prohibited from sending Customer data via unencrypted email or non-encrypted email attachments.
  • Employees are prohibited from placing any Customer data on any removable device.
  • Employees are prohibited from storing Customer data on their end-user devices.
  • Employees are prohibited from using unprotected public WiFi.
  • Employees must always use our approved VPN solution.

Technical Measures

  • Access to all Customer data and other Veracross systems is restricted to virtual private networks (VPNs).
  • Modern role-based access control is in place for on-premises network access. Wireless networks are protected with industry standard protocols.