Veref

Security and trust

Verification the compliance team can sign off on.

Veref was built for regulated industries hiring at scale. Candidate-owned data, human-in-the-loop decisions, and full audit trails are standard, not a premium add-on.

Our principles

Six commitments that shape every feature we ship.

Human-in-the-loop, always

Veref never auto-rejects a candidate. Every risk signal is evidence for a recruiter to review. This is an ethical commitment and an EU AI Act requirement.

Evidence over verdicts

Every flag ships with the raw clip, transcript, and timestamp. Recruiters see what Veref saw and make the call. No black-box scoring.

Candidate-owned data

The Passport lives with the candidate, not the employer. Candidates can export, share, or delete their record on demand.

Privacy-first by design

Biometric templates, not raw images. Minimum data collected. Never sold, shared, or used to train third-party models.

Data residency

Pin your tenant to UK, EU, or US. All infrastructure is regional, all subprocessors are disclosed, and DPAs are available on request.

Bias-tested models

Every model is evaluated across demographic cohorts before release and on every update. Evaluation methodology is published on request.

Enterprise security, candidate-positive by design


Privacy-first, human-in-the-loop, fully auditable. Candidates own their data and can export or delete it at any time.

  • GDPR and UK GDPR

    Lawful basis, DPA on request, EU and UK data residency options.

  • EU AI Act ready

    Human-in-the-loop by default. No automatic candidate rejection, ever.

  • Biometric best practice

    Templates stored, not raw images. Deleted on candidate request.

  • SOC 2 Type II planned

    Audit engagement planned for our first year of operation. Progress tracked publicly in the changelog.

  • ISO 27001 planned

    Controls framework mapped to ISO 27001 Annex A. Certification planned after SOC 2.

  • Bias-tested

    Models evaluated across demographic cohorts before release and on every update.

Security policies

Org: Northwind · 214 seats

  • Multi-factor authentication (MFA)
  • SSO / SAML 2.0
  • IP allowlisting
  • Session recording encryption
  • Automatic key rotation
  • Audit log export (SIEM)

Threat blocked · 14:17

Virtual camera driver detected on candidate device. Session halted before join. Evidence saved.

Compliance posture

Where we are today, and what's next on the roadmap.

GDPR and UK GDPR

DPA on request, data residency options, full data subject rights.

EU AI Act ready

Human-in-the-loop by default. No automatic adverse decisions.

Bias testing published

Model fairness evaluations across protected categories.

SOC 2 Type II planned

Audit engagement planned for our first year of operation. Timeline shared on request.

ISO 27001 planned

Controls framework mapped to ISO 27001 Annex A. Certification planned after SOC 2.

Penetration testing planned

Third-party pen test scheduled ahead of first enterprise GA customers; summary will be available under NDA.

Trust center

Everything your security team wants, in one place.

Architecture overview, subprocessor list, DPA, our roadmap for SOC 2 and ISO 27001, and security questionnaire responses. One link, updated continuously.

  • Architecture and data flow diagrams
  • Subprocessor and vendor list
  • SOC 2 and ISO 27001 roadmap
  • Security questionnaire responses
  • DPA and subprocessor change feed

Need a security questionnaire turned around this week?

Email security@veref.work and we will get you answers in under 48 hours.
