All company policies and procedures follow SOC 2 standards and have been assessed and verified by a third-party auditor (AICPA Trust Services Criteria).
Vault Verify uses a top-tier architecture deployed with a SOC 2 Type II hosting vendor. The fully redundant, auto-scalable and secure design combines MS Windows operating systems with a back-end MS SQL Server.
All verifiers on our system first go through a verification process with one of our trained credentialing professionals. This process includes verifying physical location, business type, contact information and electronic print.
Only once this process is complete is the verifier permitted to search against data housed in our system.
In addition, every search request requires a permissible purpose, your company's designated code, and the employee's SSN before it is processed.
Our verification systems can also be configured to require a signed release from the employee before any employment or income information is released.
Hosting on encrypted, virtualized servers ensures that application files, virtual machine system snapshots, backup copies, logs and database components are encrypted at rest. All scoped data in every database is protected with AES-256 (FIPS 140-2) encryption. Secure Sockets Layer (SSL) certificates are used for transactions and communication, with 256-bit encryption and SHA-256 with RSA signatures. All production servers are protected by a Web Application Firewall (WAF).
FIPS stands for Federal Information Processing Standard. FIPS 140-2, issued by the National Institute of Standards and Technology (NIST), is a U.S. government computer security standard used to accredit cryptographic modules produced by private-sector vendors. Validated modules go through an extensive development, testing and validation process to obtain a validation certificate from NIST.
Vault Verify supports a range of encryption methods for data upload, including SSL/TLS and SSH with a FIPS 140-2 validated (embedded RSA) security module. All servers are proactively monitored for intrusion prevention, including audit reviews of all activity logs. Additionally, data uploads over SFTP are restricted to a range of IP addresses (or a single IP) designated by the client. Connections from unauthorized public IPs are not allowed.