Trust page

At Verbit, we understand just how important your data is. Our dedicated in-house information security team uses human expertise, cutting-edge technology and industry best practices to keep your data safe and secure, providing you with the assurance and confidence you need to use Verbit’s platform and services.

Infrastructure

Amazon Web Services (AWS)

Verbit leverages the power, flexibility and security of the world’s largest public cloud service provider to provide a secure environment for our platforms and our customers’ data.

High availability

Backed by the AWS uptime SLA, our platforms are also replicated across multiple availability zones and regions to ensure that our services are available whenever you need them.

Security

Only authorized Verbit employees may make changes to our AWS infrastructure. Access is via SSO and with 2FA only, and user privileges are regularly reviewed. All account actions are logged.

Monitoring and logging

We use AWS services such as GuardDuty, CloudWatch, and CloudTrail to monitor and help detect threats to our AWS infrastructure, and to generate a comprehensive audit trail.

Vulnerability management

Cloud security posture management (CSPM)

We use industry-leading CSPM software to monitor our infrastructure continuously, including infrastructure-as-code scanning. Our CSPM software helps us detect misconfigurations in real-time and set up automatic remediation workflows, while also providing important context that allows our team to make risk-based decisions. Attack path analysis enables our security experts to identify lateral movement paths that may pose a risk to high-value assets.

Remediation

We’ve set internal commitments to ensure that vulnerabilities are remedied within an appropriate timeframe, according to severity level. We aim to resolve critical-severity vulnerabilities within 48 hours and high-severity vulnerabilities within 14 days.

Monitoring and incident management

Security information and event management (SIEM)

For global businesses with large digital estates, the volume of security data can quickly become overwhelming. At Verbit, this is where we turn to our SIEM for help. With AI and machine learning capabilities, our SIEM combines security data with threat intelligence and behavioral analytics, cutting down on false positives and allowing our security experts to focus on protecting our data and our customers’ data.

Incident response

Led by Verbit’s CISO, our information security team includes security experts who specialize in incident response and malware analysis. Working together with our dedicated 24/7 Security Operations Center, our security team can triage and respond to security incidents quickly and effectively.

Security operations center (SOC)

To support our internal team, Verbit works with an external provider to ensure that we have 24/7 coverage of all events and incidents.

Application security

Encryption

Access to our platforms is via the encrypted HTTPS protocol only, and any HTTP requests are redirected to HTTPS. This helps to keep your user credentials and data secure while in transit. Your data is also encrypted in AWS S3 buckets while at rest, using industry-standard strong cryptographic algorithms such as AES-256.

Access control

Over 80% of data breaches can be traced back to poor password security – that’s why our platforms also include two-factor authentication (2FA) to help secure your data. Customers can assign specific roles within their team to ensure that no one has more access rights than they require. On the Verbit side, we also have detailed access control and password policies. Only authorized personnel have access to your data, and we regularly review access rights.

Data retention

Your data is safe and secure when it’s in our platform, but you can also remove it whenever you want – just get in touch with your account manager.

Secure software development lifecycle (SSDLC)

Verbit’s R&D team is passionate about providing our customers with the best and most secure platforms possible, and we plan and carry out our development according to documented SSDLC procedures.

Our platforms are developed with input from our security specialists, while also taking into account industry best practices, such as the OWASP Top 10. All code is reviewed prior to being merged into the main branch. As with everything in information security, it’s important to keep up to date with the latest developments – our R&D team undergoes regular secure coding training.

Penetration testing

We support our commitment to secure development and information security by commissioning an independent, external penetration test of our platforms at least annually. These tests are conducted by cybersecurity experts with decades of experience, using the latest tools and techniques to simulate real-world attacks.

Corporate security

Infrastructure and application security focuses on protecting the data that our customers send us for transcription. That’s a priority for Verbit, but we’re just as serious when it comes to protecting our own data.

SaaS security posture management (SSPM)

Like most tech businesses, Verbit relies on a number of software-as-a-service (SaaS) platforms for our daily business operations. To manage these platforms, we’ve chosen to implement a best-in-class SSPM solution to help us out.

With SSPM, our security team can monitor security posture for each of our SaaS assets in near real-time. We’re able to detect SaaS misconfigurations, as well as monitor user privileges. This allows us to make accurate assessments of both SaaS-to-SaaS and Device-to-SaaS risks and implement appropriate remediations, continuously hardening our SaaS security.

Single sign-on (SSO)

SSO is the perfect counterpart to SSPM – we use one of the world’s leading SSO platforms to bring authentication across our SaaS estate together under one umbrella.

Incorporating 2FA, our SSO platform hardens our SaaS security and helps our employees avoid falling into common password security traps, such as reusing the same password for multiple systems.

Our SSO platform also makes life easier for our IT and security teams when provisioning and deprovisioning users, and even helps by automatically deactivating inactive user accounts.

Endpoint security

At Verbit, we don’t store confidential information on user devices, but we don’t stop there. All of our corporate-managed devices are encrypted, meaning that if the device is lost, any data on it cannot easily be accessed. We also enroll our devices into a device management platform so that our team can monitor and manage them centrally. The functionality includes helping with routine tasks, such as applying system updates, but also allows us to disable or even wipe the device remotely if it is ever lost or compromised.

Antivirus and anti-malware

If you ask any information security expert what keeps them awake at night, invariably they’ll start talking about ransomware. The idea that you could quickly be locked out of your data is a risk that all businesses should take seriously.

We leverage the power of a world-leading next-gen antivirus and endpoint detection and response (NGAV and EDR) solution that goes far beyond traditional definitions-based file checking to help secure our endpoints and reduce the risk of ransomware and other malware. Utilizing AI and machine learning technology, our NGAV and EDR can block known and unknown malware and ransomware. Industry-leading threat intelligence is combined with AI-powered indicators of attack to help prevent malicious behavior and sophisticated attacks.

What’s more, our NGAV and EDR solution is backed by a team of cybersecurity experts working 24/7 to help prevent attacks – sometimes referred to as Managed Detection and Response (MDR) – for a truly comprehensive, hybrid solution.

Email security

A phishing email can often be the entry point for ransomware or malware – in fact, some reports suggest that as much as 91% of all attacks begin with a phishing email, so email security is worth taking very seriously. At Verbit, we’ve enhanced the native security capabilities of our email suite by adding advanced threat protection from one of the leading vendors in the market. With seven layers of security – including threat intelligence from multiple sources, recursive unpacking, and CPU-level technology – our advanced threat protection can prevent not just spam and typical malicious emails, but also deeply embedded attacks, persistent attacks and targeted attacks, as well as business email compromise scenarios such as email spoofing and look-alike domains.

Vendor risk management

It’s important that our vendors take information security as seriously as we do at Verbit – particularly where they may have access to our customers’ data.

We’ve developed strict security criteria for our vendors based on the risk they pose to us and to our customers, and we work with a leading third-party security management platform to automate the management process. Smart questionnaires and automated security scanning give us visibility of our external attack surface and allow us to identify and treat third-party risks effectively.

Human resources

At Verbit, we believe in making our people the first line of defense in information security. That means giving them knowledge, encouraging questions, and empowering people to make good decisions.

Security awareness training

All Verbit employees undergo security awareness training as part of their initial onboarding. We don’t stop there, though – we have a rolling program of security awareness training that runs throughout the year, across the whole business, and we also encourage our employees to make use of our large training catalogue in addition to compulsory awareness modules. Our security awareness training isn’t generic, static content. Working with a leading provider, we make sure that we have dynamic content tailored specifically to Verbit’s information security landscape. As part of our security awareness program, we also conduct regular phishing and spear phishing simulations.

Security champion program

Our objective at Verbit is to build a strong culture of cybersecurity awareness. Our Security Champions help facilitate this by integrating security into the daily work process, both for themselves and for their teams. Security Champions can provide peer-to-peer support to supplement our formal training and awareness schedule and reinforce the collaborative nature of our information security strategy.

Personnel onboarding

It’s important that we ensure we have the right people working for us and working on our customers’ data. Our HR team works hard to verify that new Verbit employees are who they say they are. Where local laws permit, we may also conduct background checks appropriate to the job role – a criminal records check or a credit history check, for example.

Commitment to information security

All Verbit employees are aware of our information security policies and agree to follow them. We manage policy updates and attestation through a central platform so that we can be sure everyone is always up to date with the latest version.

Access control

When our employees need to use Verbit information systems, we grant access based on the principle of least privilege. All user accounts are unique to an individual user and are secured in accordance with Verbit’s access control and password policies.

Our access control policy specifies rules for joiners, movers, and leavers – and user access rights are regularly reviewed to ensure that privileges are appropriate and not retained longer than necessary.

Your privacy matters to us

At Verbit, we put great effort into ensuring that your personal data is processed properly and securely and that our privacy values and practices are accurately communicated to you.

If you have any questions, feel free to contact us at privacy@verbit.ai.

Privacy by design

We incorporate privacy considerations into our products and services from the earliest stages of development and throughout the product lifecycle. This includes ensuring that we collect the appropriate amount of personal data necessary to provide you with our services and to further improve and evolve them, for the duration that is appropriate for such purposes.

Transparency

In our Privacy Policy we aim to provide clear, simple and consistent information about our privacy values and data protection practices, thereby giving you more choice and control over the personal data you share with us, and what happens with it.

Data processing addendum

We enter into a Data Processing Addendum (DPA) with our customers to ensure that personal data is processed on their behalf in a lawful and compliant manner. It defines the respective roles of Verbit and our customer, the responsibilities and obligations we take upon ourselves when processing customer data, and our commitments on data protection and the security measures and safeguards that we implement and maintain to ensure the proper protection of our customers’ data.

We also enter into DPAs with our third-party service providers that may have access to our customers’ personal data, to ensure the ongoing protection of our customers’ data and to maintain accountability throughout the data processing chain.

Data protection officer

Verbit has appointed PrivacyTeam Ltd. as our Data Protection Officer, for monitoring and advising on Verbit’s ongoing privacy compliance, and serving as a point of contact on privacy matters for data subjects and supervisory authorities. PrivacyTeam may be reached at dpo@verbit.ai.

Personal data transfers

When we transfer personal data from the EEA, the UK and Switzerland to other countries which are not considered by competent authorities to be offering an ‘Adequate’ level of data protection, we and our service providers rely on the Standard Contractual Clauses as approved by the European Commission, the Swiss Federal Data Protection and Information Commissioner (FDPIC), and the UK Information Commissioner’s Office (ICO), as relevant, to guarantee an adequate level of data protection.

Governmental authorities’ requests to access customer data

Verbit does not permit governmental authorities access to any personal data unless required to do so under applicable laws and according to very legitimate grounds for requesting such data (e.g. suspected illegal activity related to that particular account). In any event, per our Principles on Responding to Government Data Access Requests, disclosure would be limited only to such data which is strictly necessary under law, after the request has been reviewed by our Legal and Privacy teams to ensure it is valid and warranted. We will do our best to notify our customer before we make such disclosure, unless such notification is prohibited under law.

Governance & compliance


Information security is a culture, not a bolt-on, and in Verbit this culture starts at the very top with a strong commitment from senior leadership – leading by example and promoting continual improvement, but also ensuring that our information security strategy is aligned with Verbit’s overall business objectives.

Information security management system (ISMS)

At Verbit, we have a dedicated team for managing information security, led by our CISO, and we align with globally accepted best practices for information security management.

ISO 27001:2013 certification and SOC2 attestation are available for certain services and configurations – please speak with your account manager or our support team for further details.

Risk management

Without understanding our risk landscape, it would be impossible to select appropriate information security controls. That’s why risk management is the heart of Verbit’s ISMS – we identify threats and vulnerabilities to our information assets and assess them in terms of both likelihood and impact to our business. We then use this data to make sure that we’re selecting controls appropriate to the risks we face.

Risk assessments are regularly updated, in particular in response to system changes, and the risk landscape is reviewed by senior leadership at least annually.

Information security policies

Verbit’s information security policies are reviewed at least annually, or in response to significant change, and approved by senior leadership. Policies are communicated throughout the business and are also available to other interested parties where appropriate.

Internal audit

It’s important to check that controls are working as intended. That’s why we run both annual and quarterly internal audit programs – this allows us to catch any problems and resolve them quickly, but also to identify opportunities for continual improvement. The results of internal audits form part of our overall reporting on information security and are reviewed by senior leadership.
