Trust Page

Security
certifications:

Verbit conducts a variety of audits to ensure continuous compliance with industry standard best practices:

• Verbit is SOC2 Type II compliant and provides a third-party attestation report covering security, availability, confidentiality and privacy, as well as HIPAA compliance.
• Verbit’s follows a commitment to information security at every level of our organization. Our security program is in accordance with industry-leading best practices.
• Verbit has implemented a GDPR (General Data Protection Regulation) readiness program that has been assessed by a Big Four accounting firm. This program includes appointing a Data Protection Officer (DPO), putting measures in place to identify and delete private data, ensuring all subcontractors are compliant, and updating Terms and Conditions, Privacy Policy, and Data Processing Addendum (DPA).
• Verbit hosts all of its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 13 and ISO 27001. View Amazon’s compliance and security documents for more detailed information
• All of Verbit servers are located within Verbit’s own virtual private cloud (VPC), protected by restricted security groups allowing only.

Data Security:

• All connections to Verbit are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS.
• All customer data (including recordings and transcripts) is encrypted at rest and in transit.
• System passwords are encrypted using AWS KMS with restricted access to specific production systems.
• Verbit.ai utilizes relational, as well as noSQL databases as managed services hosted by AWS.
• Data access and authorizations are provided on a need-to-know basis and based on the principle of least privilege Access to the AWS production system is restricted to authorized personnel only.
• Verbit customers may configure a data retention duration, and customer data is purged from Verbit systems subsequent to contract termination upon request.

Application
Security:

• Web application architecture and implementation follow OWASP guidelines. The application is regularly tested for common vulnerabilities (such as CSRF, XSS, SQL Injection).
• In addition to Verbit’s extensive testing program, Verbit conducts application penetration testing by a third-party at least annually.
• Verbit login requires strong passwords. User passwords are salted, irreversibly hashed, and stored in Verbit’s database. Audit logging allows administrators to see when users have last logged in and when passwords were last changed.

Application
Monitoring:

• Access to Verbit applications is logged and audited. Logs are kept for at least one year.
• Verbit maintains a formal incident response plan for major events.

Uptime:

• Verbit maintains a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Security Policies and Secure Development Life Cycle (Sdlc):

• Verbit maintains security policies that are maintained, communicated, and approved by management to ensure everyone clearly understands their security responsibilities. Verbit policies are audited annually as part of its SOC2 certification.
• Code development is done through a documented SDLC process. Design of all new product functionality is reviewed by its security team. Verbit conducts mandatory code reviews for code changes and periodic in-depth security reviews of architecture and sensitive code. Verbit development and testing environments are separate from its production environment.
• The employee hiring process includes a background screening.
• At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors and Verbit security controls.