Security & Privacy

verifd is designed to minimize data collection while keeping verification reliable, auditable, and abuse-resistant. Below is a high-level view of the controls we operate today.

Data minimization and retention

  • Privacy-first design: callers verify without seeing your phone number.
  • Signals are pseudonymous: phone numbers are HMAC-hashed before they enter risk signals and rollups.
  • Voice intros auto-delete within 24 hours; call audio is never stored.
  • vPass windows expire automatically; expired items are swept.
  • DSAR deletion removes signals + rollups; operational verification records follow their own retention window.
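
How keyed pseudonymization of phone numbers can work, as an added example that is not verifd's own code: the normalization rule, the use of HMAC-SHA256, the key length check and the `key_id` prefix are all assumptions. A secret key matters here because the space of valid phone numbers is small, so an unkeyed hash alone would not keep the signals pseudonymous.

```python
import hashlib
import hmac
import re


def normalize_phone(raw: str) -> str:
    """Reduce a number to '+<digits>' so formatting variants hash identically.

    Assumes the input already carries its country code.
    """
    digits = re.sub(r"[^0-9]", "", raw)
    if not 8 <= len(digits) <= 15:  # 15 is the E.164 maximum; 8 is an assumed floor
        raise ValueError("not a plausible international phone number")
    return "+" + digits


def pseudonymize(raw: str, key: bytes, key_id: str) -> str:
    """Return '<key_id>:<hex HMAC-SHA256>' for a phone number."""
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    mac = hmac.new(key, normalize_phone(raw).encode("ascii"), hashlib.sha256)
    return f"{key_id}:{mac.hexdigest()}"


def same_subject(pseudonym: str, raw: str, key: bytes, key_id: str) -> bool:
    """Constant-time check that a stored pseudonym belongs to this number."""
    return hmac.compare_digest(pseudonym, pseudonymize(raw, key, key_id))


# Constructed sample keys; real keys belong in a secrets manager, not in source.
KEY_V1 = bytes(range(32))
KEY_V2 = bytes(range(32, 64))

if __name__ == "__main__":
    a = pseudonymize("+1 (555) 010-0123", KEY_V1, "k1")
    b = pseudonymize("+1-555-010-0123", KEY_V1, "k1")
    c = pseudonymize("+15550100123", KEY_V2, "k2")
    print(a == b)  # formatting variants map to one pseudonym
    print(a == c)  # a rotated key unlinks old and new pseudonyms
```

Storing the key identifier alongside the digest lets older signals be recognised after rotation and lets a retired key be destroyed so its pseudonyms can no longer be recomputed.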

Abuse prevention and risk gating

  • Rate limits per IP and per phone number.
  • Risk-adaptive verification adds voice or OTP proof when risk is elevated.
  • Attestation signals are applied where available.

Privacy-preserving verification

  • No contact scraping. No data selling.
  • Privacy Pass + PIR live caller ID is in rollout for enterprise teams, using IETF Privacy Pass blind signatures.

Transport and operational security

  • All data transmission is secured with HTTPS + HSTS.
  • Signed webhook events for verification lifecycle changes.
  • Audit logs are captured for verification activity.
  • Admin operations are gated by API keys or admin console auth.

Security & compliance brief

Need a concise summary for security review? We provide a short brief covering data handling, retention, audit logging, and privacy-by-design safeguards.