The EU General Data Protection Regulation (GDPR) is the most significant piece of the European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
In addition to strengthening and standardizing user data privacy across EU member states, it introduces new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations are located. On this page, we explain how we help our customers comply with the GDPR.
Commitment to the user and the protection of user’s data
Verificient Technologies (“Verificient”, “We”) is committed to ensuring that user’s privacy is protected and we strictly adhere to the provisions of GDPR and all relevant Data Protection Legislation, ensuring all personal data is handled in line with the principles outlined in the regulation.
Where Do We Stand
Verificient as a Data Processor: GDPR defines Data Controllers as an entity that determines the purposes for which and the means by which personal data is processed. Data Controllers decide ‘why’ and ‘how’ the personal data of the data subject should be processed. The Data Processor processes personal data only on behalf of the Data Controller as per the requirements of the Data Controller.
Verificient acts as a data processor and processes data on behalf of its clients/Test Sponsors/organisations who act as data controllers. The data controllers specify the kind of data required from the data subject, i.e., the assessment taker. We act as a mediator between the data controller and the data subject by collecting the specified data before or during the assessment and then processing it as per Data Controller’s instructions.
Data Protection: Verificient is committed to information security best practices. In line with GDPR, Verificient assesses the measures required in its products based on factors like data sensitivity, impact, risk and available technology.
Security is a core requirement of, and a guiding mantra in the design of any component of Verificient’s products, including encryption of data whilst in-flight and at rest, continuous vulnerability and penetration testing of systems and “firewalled” DevOps procedures to ensure security.
Data Deletion & Retention: We have dedicated data deletion procedures in place to meet the new ‘Right To Be Forgotten’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response time frames and notification responsibilities.
Our default retention policy for Data collected from proctored activities (including biometric data) is for up to 180 days after a session is completed and for identity profile and data collected for identity verification purposes (including the biometric data we use to create your identify profile) is for up to two years from the time the identity profile is created in our Platform or, as configured by the applicable client/Test Sponsor/organization (Data Controller).
International data transfers – Privacy Shield: To comply with EU data protection legislation on international data transfer mechanisms, we self-certify under the EU-US Privacy Shield and the Swiss-US Privacy Shield. These frameworks were developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
Data Subject Rights
We provide easy-to-access information procedures of an individual’s right to access any personal information that Verificient processes about them and to request information about:
- what personal data we hold about them
- the purposes of the processing
- the categories of personal data concerned
- the recipients to whom the personal data has/will be disclosed
- how long we intend to store your personal data
- if we did not collect the data directly from them, information about the source
- the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- the right to request deletion of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- the right to lodge a complaint or seek judicial remedy and who to contact in such instances.
As per GDPR, Verificient (Data Processor) is required to obtain prior approval from the client or Test Sponsor or organization (Data Controller) before accommodating the user’s request to exercise their rights under the GDPR.
Third-party audits and certifications
Verificient has the distinction of being one of the first in the industry to be SOC 2 audited, and to utilize the SSAE 16/18 framework to provide security review. Verificient is SOC 2 Type 2 certified and undertakes an independent third party audit that reviews and verifies the effectiveness of internal controls and processes. The audit covers internal governance, production operations, change management, data backups, and software development processes. It assures that we have the appropriate controls and processes in place and that they are actively functioning appropriately in accordance with related standards.
As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security. We’ve received several security certifications from the American Institute of Certified Public Accountants such as SOC 2 Type 2.
We have invested heavily in building a robust security team, one that can handle a variety of issues – everything from threat detection to building new tools. In accordance with GDPR requirements relating to real-time security incident notifications, Verificient will continue to meet its obligations and offer contractual assurances.
The SOC program offers independent verification that our security practices provide a recognized standard of security measures. Furthermore, the program is designed to cover key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. As all users and clients are concerned with their data and its security, Verificient has integrated its SOC controls into its operating procedures. These procedures span the organization, teams or functions that provide service or support to our clients and users. The key components of our SOC controls environment include:
- Data Security: how we set up information security and data protection controls
- Change Management: how we make sure changes are tracked and properly reviewed
- Access Control and Management: who has access to our platform operations and how this access is managed
- Data Redundancy and Backup: how data is kept safe and stored in the event of adversity
- Software Architecture and Development: oversight of the development effort around our platform
Data Privacy Team
Verificient has designated a Data Protection Officer (DPO) and a designated Data Privacy Team to develop and implement policies, procedures and controls for complying with the new data protection Regulation. The team is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR compliance, identifying any gap areas and implementing the new policies, procedures, and measures.
We understand that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans.
If you have any questions about our GDPR compliance policies, please contact our Data Privacy Team at: Privacy@verificient.com.