Information Security Policy
How we protect your data with enterprise-grade security aligned with South African law and global standards.
Last updated: December 25th, 2025
- AES-256 Encryption: Data at rest & in transit
- ISO 27001 Aligned: Global security standard
- SOC 2 Ready: Enterprise compliance
- POPIA Compliant: South African data protection
Our Commitment to Security
At Verify Now, security is not an afterthought—it's the foundation of everything we build. As a provider of identity verification and KYC services, we understand that our customers trust us with sensitive personal information, and we take that responsibility seriously.
This Information Security Policy outlines how we protect your data, the standards we adhere to, and our commitment to continuous security improvement. Our security practices are designed to meet both South African regulatory requirements (including POPIA and FICA) and international standards (including ISO 27001 and SOC 2).
ULB Media (Pty) Ltd is the parent company trading as Verify Now. This policy applies to all products and services provided under these brands.
1. Data Encryption
All data processed through our platform is protected using industry-leading encryption:
- Data in Transit: All data transmitted between your systems and ours is encrypted using TLS 1.3. This includes API communications, dashboard access, and all webhook callbacks.
- Data at Rest: All stored data is encrypted using AES-256 encryption. This includes database records, uploaded documents, consent records, and audit logs.
- Key Management: Encryption keys are managed using industry-standard practices, with regular rotation and secure storage separate from encrypted data.
2. Access Control
We implement strict access controls to ensure only authorized personnel can access sensitive systems and data:
- Role-Based Access Control (RBAC): Access to systems and data is granted based on job function and follows the principle of least privilege.
- Multi-Factor Authentication (MFA): All administrative access requires multi-factor authentication. Customer accounts can optionally enable MFA for enhanced security.
- Session Management: Sessions are automatically terminated after periods of inactivity, and concurrent session limits are enforced.
- Access Reviews: Regular access reviews are conducted to ensure permissions remain appropriate and former employees/contractors are promptly deprovisioned.
3. Infrastructure Security
Our infrastructure is designed with security as a core requirement:
- Cloud Infrastructure: We host on enterprise-grade cloud platforms (Vercel, Cloudflare, Neon) that maintain SOC 2 Type II, ISO 27001, and other security certifications.
- DDoS Protection: Cloudflare provides enterprise-grade DDoS protection for all traffic.
- Network Segmentation: Critical systems are isolated and protected by firewalls and network security groups.
- Automatic Updates: All systems receive security patches and updates promptly to address vulnerabilities.
4. Continuous Monitoring & Threat Detection
We maintain 24/7 monitoring to detect and respond to security threats:
- Real-Time Monitoring: All system activity is monitored in real time for anomalies and potential security incidents.
- Intrusion Detection: We employ intrusion detection systems to identify and alert on suspicious activity.
- Audit Logging: Comprehensive audit logs are maintained for all security-relevant events and retained for 7 years as required by POPIA.
- Incident Response: We maintain documented incident response procedures to quickly contain, investigate, and remediate security incidents.
5. Independent Security Audits
We regularly engage third-party security experts to validate our security posture:
- Penetration Testing: Regular penetration tests are conducted by independent security firms to identify vulnerabilities.
- Vulnerability Scanning: Automated vulnerability scans are performed continuously to detect security weaknesses.
- Compliance Audits: We undergo regular compliance assessments aligned with ISO 27001 and SOC 2 requirements.
- Remediation: Identified vulnerabilities are prioritized and remediated according to risk level and severity.
6. Secure Development Practices
Security is integrated throughout our software development lifecycle:
- Secure Coding Standards: Developers follow secure coding guidelines based on OWASP best practices.
- Code Review: All code changes undergo security-focused peer review before deployment.
- Dependency Scanning: Third-party dependencies are regularly scanned for known vulnerabilities.
- Controlled Deployments: All changes are deployed through controlled CI/CD pipelines with appropriate approvals.
7. Team Security & Training
Our team is trained and vetted to maintain the highest security standards:
- Background Checks: All employees and contractors with access to sensitive systems undergo background verification.
- Security Training: Regular security awareness training is mandatory for all team members.
- Confidentiality Agreements: All personnel sign confidentiality and data protection agreements.
- Offboarding: Access is promptly revoked when employees leave or change roles.
8. South African Legal Compliance
We are fully compliant with South African data protection and financial regulations:
Protection of Personal Information Act (POPIA)
- Personal information is processed only with proper consent and for specified, legitimate purposes
- Data subjects can access, correct, and request deletion of their personal information
- Data retention periods comply with POPIA requirements (7 years for audit records)
- Cross-border data transfers comply with POPIA's international transfer provisions
Financial Intelligence Centre Act (FICA)
- Our verification services support FICA-compliant customer due diligence
- Audit trails support regulatory reporting requirements
National Credit Act (NCA) & NCR Regulations
- Consent management features comply with NCR Regulation 18(5) requirements
- Credit information is accessed only for prescribed purposes
9. Global Security Standards
Our security program is aligned with internationally recognized standards:
ISO 27001
Our information security management system (ISMS) is aligned with ISO 27001, the international standard for information security management. This includes:
- Risk assessment and treatment processes
- Security policies and procedures
- Continuous improvement of security controls
SOC 2
We maintain controls aligned with SOC 2 Trust Services Criteria:
- Security: Protection against unauthorized access
- Availability: System availability and reliability
- Confidentiality: Protection of confidential information
- Privacy: Protection of personal information
10. Breach Notification
In the event of a security incident that affects your data:
- 72-Hour Notification: We will notify affected customers within 72 hours of confirming a data breach, in compliance with POPIA requirements.
- Regulatory Reporting: We will report to the Information Regulator and other relevant authorities as required by law.
- Incident Details: Notifications will include the nature of the breach, data affected, and steps being taken to remediate.
- Remediation Support: We will provide guidance and support to affected customers throughout the remediation process.
11. Data Retention & Deletion
We retain data only as long as necessary for the purposes for which it was collected:
- Verification Records: Retained for 7 years as required by POPIA and FICA for audit purposes.
- Consent Documents: Retained for 7 years with SHA-256 hash verification for document integrity.
- Secure Deletion: Data is securely deleted after the retention period using cryptographic erasure.
12. Security Contact
If you have any security concerns, questions about this policy, or need to report a potential security issue, please contact us:
Email: hello@verifynow.co.za
Subject Line: Security Inquiry
For urgent security matters, please indicate "URGENT" in your subject line.
13. Policy Updates
This Information Security Policy may be updated periodically to reflect changes in our practices, technology, regulatory requirements, or industry standards. We encourage you to review this page regularly.
Version: 1.0
Last Updated: December 25th, 2025