Trust

Security

EnemoVerify handles sensitive identity data. This page documents exactly how we protect it. Questions? security@enemoverify.com

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 for data at rest (Neon managed encryption)
  • API keys stored as bcrypt hashes — the original value never touches disk
  • Webhook payloads signed with HMAC-SHA256
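The webhook signing bullet above is the item integrators most need to act on. The following is an added example, not EnemoVerify's code: it shows the sender computing an HMAC-SHA256 over the raw body and the receiver verifying it in constant time with a bounded timestamp so replayed deliveries are rejected. The header layout (`t=<unix seconds>,v1=<hex digest>`), the 5-minute window and the secret value are assumptions for illustration, not the documented EnemoVerify format.

```typescript
// Added example: HMAC-SHA256 webhook signing and receiver-side verification.
// Header layout and replay window are assumed for illustration.
import { createHmac, timingSafeEqual } from "crypto";

const REPLAY_WINDOW_SECONDS = 300; // assumed tolerance for clock skew and redelivery

// Sender side: the MAC covers "<timestamp>.<rawBody>" so the timestamp
// cannot be changed without invalidating the signature.
function signWebhook(secret: string, rawBody: string, timestamp: number): string {
  const digest = createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
  return `t=${timestamp},v1=${digest}`;
}

// Receiver side: verify against the raw request body (before JSON parsing),
// compare digests in constant time, and reject stale timestamps.
function verifyWebhook(
  secret: string,
  rawBody: string,
  header: string,
  nowSeconds: number,
): { ok: boolean; reason?: string } {
  const parts = new Map<string, string>();
  for (const kv of header.split(",")) {
    const idx = kv.indexOf("=");
    if (idx > 0) parts.set(kv.slice(0, idx).trim(), kv.slice(idx + 1).trim());
  }
  const ts = Number(parts.get("t"));
  const provided = parts.get("v1");
  if (!Number.isInteger(ts) || !provided) {
    return { ok: false, reason: "malformed signature header" };
  }
  if (Math.abs(nowSeconds - ts) > REPLAY_WINDOW_SECONDS) {
    return { ok: false, reason: "timestamp outside replay window" };
  }

  const expected = createHmac("sha256", secret)
    .update(`${ts}.${rawBody}`)
    .digest("hex");
  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(provided, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first;
  // a length mismatch is itself a rejection, not an exception.
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, reason: "signature mismatch" };
  }
  return { ok: true };
}

// Constructed demonstration values (not real secrets or payloads).
const demoSecret = "whsec_constructed_example_secret";
const demoBody = JSON.stringify({ id: "ver_constructed_001", status: "approved" });
const demoNow = 1_700_000_000;
const demoHeader = signWebhook(demoSecret, demoBody, demoNow);
console.log(demoHeader);
console.log(verifyWebhook(demoSecret, demoBody, demoHeader, demoNow + 5)); // { ok: true }
console.log(verifyWebhook(demoSecret, demoBody + " ", demoHeader, demoNow)); // signature mismatch
```

Two points a receiver implementation gets wrong most often: verifying against a re-serialized JSON object instead of the raw bytes (whitespace or key order changes break the MAC), and comparing hex strings with `===`, which leaks timing information; the example uses the raw body and `timingSafeEqual`.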

Access control

  • JWT-based session tokens with 30-day max lifetime
  • Scoped API keys (read/write per resource type)
  • Environment isolation between live and sandbox
  • Rate limiting: 100 req/min per API key
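The three bullets on scoped keys, environment isolation and the 100 req/min limit describe one authorization gate. The following is an added example, not EnemoVerify's implementation: a fixed-window counter per API key combined with an environment check and a `<resource>:<action>` scope check. The key record shape, scope naming, in-memory counter store and injected clock are assumptions for illustration; only the 100-per-minute figure comes from this page.

```typescript
// Added example: scoped API keys with environment isolation and a
// per-key fixed-window rate limit. Record shape and scope names are assumed.
type Action = "read" | "write";
type Resource = "verifications" | "webhooks";
type Environment = "live" | "sandbox";

interface ApiKeyRecord {
  id: string;
  environment: Environment;
  scopes: Set<string>; // e.g. "verifications:read"
}

const RATE_LIMIT = 100; // requests per window, as stated on the page
const WINDOW_MS = 60_000;

// Per-key window counters. A real deployment keeps these in a shared
// store so every instance enforces the same quota; process memory is
// used here only so the example runs stand-alone.
const windows = new Map<string, { start: number; count: number }>();

function checkScope(key: ApiKeyRecord, resource: Resource, action: Action): boolean {
  return key.scopes.has(`${resource}:${action}`);
}

// nowMs is injected rather than read from Date.now() so the window
// behaviour can be exercised deterministically.
function checkRateLimit(keyId: string, nowMs: number): { allowed: boolean; remaining: number } {
  const w = windows.get(keyId);
  if (!w || nowMs - w.start >= WINDOW_MS) {
    windows.set(keyId, { start: nowMs, count: 1 });
    return { allowed: true, remaining: RATE_LIMIT - 1 };
  }
  if (w.count >= RATE_LIMIT) return { allowed: false, remaining: 0 };
  w.count += 1;
  return { allowed: true, remaining: RATE_LIMIT - w.count };
}

// Combined gate. The quota is consumed before the scope and environment
// checks so that denied requests still count: otherwise a key could
// probe scopes or environments without ever touching its limit.
function authorize(
  key: ApiKeyRecord,
  requestEnvironment: Environment,
  resource: Resource,
  action: Action,
  nowMs: number,
): { status: 200 | 403 | 429; remaining: number } {
  const rl = checkRateLimit(key.id, nowMs);
  if (!rl.allowed) return { status: 429, remaining: 0 };
  if (key.environment !== requestEnvironment) return { status: 403, remaining: rl.remaining };
  if (!checkScope(key, resource, action)) return { status: 403, remaining: rl.remaining };
  return { status: 200, remaining: rl.remaining };
}

// Constructed demonstration key: sandbox-only, read-only on verifications.
const demoKey: ApiKeyRecord = {
  id: "key_constructed_demo",
  environment: "sandbox",
  scopes: new Set(["verifications:read"]),
};
console.log(authorize(demoKey, "sandbox", "verifications", "read", 0));  // 200
console.log(authorize(demoKey, "sandbox", "verifications", "write", 1)); // 403 (scope)
console.log(authorize(demoKey, "live", "verifications", "read", 2));     // 403 (environment)
```

Returning `remaining` alongside the status lets the HTTP layer emit a rate-limit header, and a fixed window is the simplest scheme to reason about; a sliding window or token bucket smooths the burst that a fixed window allows at the boundary between two minutes.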

Auditability

  • Every verification, event, and admin action logged
  • Webhook deliveries tracked with status, latency, and retry history
  • GDPR right-to-erasure endpoint (DELETE /v1/verifications/:id)
  • Immutable audit trail stored separately from operational data

Application security

  • Input validation with Zod schemas on every endpoint
  • Parameterized queries via Prisma — user input is never interpolated into SQL text, so SQL injection is not possible
  • Security headers: HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Permissions-Policy
  • Dependency scanning in CI

Infrastructure

  • Hosted on Vercel (SOC 2 Type II, ISO 27001)
  • Neon PostgreSQL database (SOC 2 Type II)
  • Automated backups with point-in-time recovery
  • No customer data stored outside our primary region

Compliance program (in progress)

  • SOC 2 Type I — target Q3 2026
  • SOC 2 Type II — target Q1 2027
  • ISO 27001 — target Q3 2027
  • Annual third-party penetration testing

Report a security issue

Found a vulnerability? Email us — we respond within one business day and credit researchers in our security advisories.

security@enemoverify.com
