Security & Privacy
verifd is designed to minimize data collection while keeping verification reliable, auditable, and abuse-resistant. Below is a high-level view of the controls we operate today.
Data minimization and retention
- Privacy-first design: Callers verify without seeing your phone number.
- Signals are pseudonymous: phone numbers are hashed before they enter risk signals and rollups.
- Voice intros are stored temporarily and auto-delete within 24 hours.
- vPass windows expire automatically; expired items are swept.
- DSAR deletion applies to signals + rollups; operational verification records are retained per policy and are not modified by DSAR.
Abuse prevention and risk gating
- Rate limits per IP and per phone number.
- Risk-adaptive verification adds voice or OTP proof when risk is elevated.
- Attestation signals are applied where available.
Privacy-preserving verification
- No contact scraping. No data selling.
- Privacy Pass + PIR live caller ID is in rollout for enterprise teams, using the IETF Privacy Pass issuance protocol for privately verifiable tokens.
Transport and operational security
- All data transmission is secured with HTTPS and HSTS.
- Signed webhook events for verification lifecycle changes.
- Audit logging is captured for verification activity.
- Admin operations are gated by API keys or admin console auth.
Security & compliance brief
Need a concise summary for security review? We provide a short brief covering data handling, retention, audit logging, and privacy-by-design safeguards.