Security
Last updated: May 15, 2026
This page documents the security controls Veridian has in place to protect customer data and API traffic. We believe in being specific rather than vague about what we do and do not do.
Data in Transit
All traffic between clients and the Veridian API is encrypted using TLS 1.3. Connections using TLS 1.2 or below are rejected. HTTP requests are redirected to HTTPS.
Data at Rest
Data stored in our database is encrypted at rest using AES-256. Encryption is handled by Supabase (PostgreSQL on AWS), which manages key rotation and hardware security module (HSM) integration.
API Key Security
API keys are hashed with SHA-256 before storage. Veridian never stores the plaintext key after initial generation. If you lose your API key, you must rotate it — we cannot recover it.
Keys are displayed in full only at the moment of creation. After that, only the last four characters are visible in the dashboard.
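The flow described above (random key shown once, SHA-256 hash plus last four characters persisted, rotation instead of recovery), as an added illustration that is not Veridian's own code; the `vk_` prefix, the in-memory dictionary standing in for the database, and all function names are assumptions:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed key prefix; an in-memory dict stands in for the database table.
KEY_PREFIX = "vk_"


def generate_api_key() -> str:
    """Return a new high-entropy key. This is the only moment the plaintext exists."""
    # 32 random bytes -> 43 URL-safe characters. A key this random cannot be
    # brute-forced from its hash, so an unsalted SHA-256 is adequate here
    # (unlike human-chosen passwords, which need a slow, salted hash).
    return KEY_PREFIX + secrets.token_urlsafe(32)


def hash_api_key(key: str) -> str:
    """SHA-256 hex digest of the key; this is what gets stored."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def store_api_key(store: dict, key: str) -> dict:
    """Persist only the hash and the last four characters, never the plaintext."""
    record = {"key_hash": hash_api_key(key), "last_four": key[-4:]}
    store[record["key_hash"]] = record
    return record


def mask_for_dashboard(record: dict) -> str:
    """Dashboard view after creation: prefix, filler, and the last four characters."""
    return f"{KEY_PREFIX}{'*' * 8}{record['last_four']}"


def lookup_api_key(store: dict, presented: str) -> Optional[dict]:
    """Authenticate a presented key: hash it, then compare in constant time."""
    candidate = hash_api_key(presented)
    for key_hash, record in store.items():
        if hmac.compare_digest(candidate, key_hash):
            return record
    return None


def rotate_api_key(store: dict, old_record: dict) -> str:
    """A lost key cannot be recovered from its hash: revoke it and issue a new one."""
    store.pop(old_record["key_hash"], None)
    new_key = generate_api_key()
    store_api_key(store, new_key)
    return new_key
```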
OFAC Screening
Every identity verification request is screened against the OFAC SDN (Specially Designated Nationals) list as part of the verification pipeline. Screening occurs on every request, not just at onboarding.
Document Handling
Government ID images and selfie photos submitted through the API are used solely to produce a verification result and are deleted after verification completes. We do not retain document images or use them for any purpose beyond the requested check.
Infrastructure
The Veridian API runs on AWS eu-west-1 (Ireland). Data submitted through the API is stored and processed within the EU. We do not replicate data to regions outside the EU without customer instruction.
Compliance Status
- SOC 2 Type II: Audit in progress. We will publish the report when complete.
- GDPR: We act as a data processor for customer-submitted end-user data. A Data Processing Agreement (DPA) is available on request.
Responsible Disclosure
If you believe you have found a security vulnerability in Veridian, please report it to hello@veridianapi.com with a description of the issue and steps to reproduce. We will acknowledge receipt within one business day and investigate promptly.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.