Trust Center

Built on verifiable trust.

Identity verification handles the most sensitive data your customers will ever give you. Here's exactly what we do to keep it safe — published, not pitched.

Contact securityLive status →

Security capabilities

Every control your security team will ask about.

TOTP-based 2FA

RFC 6238 authenticator-app 2FA with backup codes. Works with Google Authenticator, Authy, 1Password, and any compliant app.

Org-wide MFA enforcement

Owners can require 2FA for every team member. Non-compliant accounts are blocked from the portal until they enroll.

SAML 2.0 single sign-on

Per-tenant SSO with Okta, Google Workspace, Azure AD, OneLogin, JumpCloud — any IdP that speaks SAML 2.0.

Immutable audit log

Every sensitive action — sign-ins, key rotations, settings changes, webhook config — recorded with actor, IP, timestamp, and metadata. Exportable as CSV.

Scoped API keys + IP allowlists

Per-environment keys with granular scopes. Optional IPv4/IPv6 allowlists restrict each key to specific egress addresses.

HMAC-signed webhooks

Every webhook signed with HMAC-SHA256 using a per-endpoint secret. Exponential-backoff retry with full delivery log.

Sign-in history + global revocation

Members see every recent sign-in with device, IP, and method. One-click revocation of all active sessions across every device.

GDPR right-to-erasure

Single API call deletes a verification and all derived data. Customers can build complete data-subject deletion flows on top of our endpoint.

Compliance program

Where we are, transparently.

We don't claim certifications we don't hold. Here's our current status and roadmap. Auditors and security teams can email security@enemoverify.com for evidence requests.

SOC 2 Type I

In progress

Target: Q3 2026

SOC 2 Type II

Planned

Target: Q1 2027

ISO 27001

Planned

Target: Q3 2027

GDPR

Compliant

CCPA

Compliant

FCRA

Compliant

Sub-processors

Who else touches the data

Full list →
ProviderPurposeCompliance
VercelApplication hostingSOC 2 Type II, ISO 27001
NeonPostgreSQL databaseSOC 2 Type II
SumsubVerification backendSOC 2, ISO 27001
StripePaymentsPCI DSS Level 1
ResendTransactional emailSOC 2 Type II

Documents

Public & on-request

Privacy Policy

Public

How we collect, use, store, and protect personal data.

Terms of Service

Public

The legal agreement governing use of EnemoVerify.

Sub-processor list

Public

Every third party that processes data on our behalf.

Security overview

Public

Detailed controls grouped by category.

Data Processing Agreement

On request

GDPR-compliant DPA template for EU customers.

Penetration test report

On request

Most recent third-party security assessment.

SOC 2 readiness statement

On request

Current control mapping and certification timeline.

Vendor security questionnaire

On request

Pre-filled SIG Lite + CAIQ responses.

Got a security question?

Vendor onboarding, security questionnaires, vulnerability reports, compliance evidence — one inbox, fast response.

security@enemoverify.com

Average first response: under one business day