Security

Built to be trusted with payment data.

Verdikt processes some of the most sensitive signals in commerce. Security is not a checklist for us; it is the product working as intended.

Certifications

SOC 2 Type II

Independently audited controls for security, availability and confidentiality, renewed annually.

PCI DSS Level 1

The highest level of payment card industry certification, covering our full processing environment.

GDPR & CCPA

Privacy-by-design processing with a signed DPA, SCCs for transfers and regional data residency options.

ISO 27001 aligned

Information security management aligned to ISO 27001 practices across the organisation.

Encryption

All data is encrypted in transit with TLS 1.2 or higher and at rest with AES-256. Payment instruments are tokenised before they reach our models; we never store full card numbers. Encryption keys are managed in a hardware-backed KMS with automatic rotation.

Access control

Production access follows least privilege and is gated by SSO with hardware-key MFA. All access is logged, reviewed and revoked automatically when roles change. Customer data is logically isolated per tenant, and enterprise plans can add dedicated infrastructure.

Infrastructure & monitoring

Verdikt runs across multiple availability zones with automated failover and a 99.99% decisioning uptime SLA on enterprise plans. We run continuous vulnerability scanning, an annual third-party penetration test, and 24/7 monitoring with a staffed on-call rotation.

Data residency & retention

Enterprise customers choose EU, US or APAC data residency. Detailed transaction signals are retained for up to 24 months for model integrity, then aggregated or anonymised. Deletion requests are honoured in line with our Privacy Policy.

Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability in a Verdikt service, email [email protected] with enough detail to reproduce. We acknowledge reports within 48 hours, keep you updated through remediation, and do not pursue good-faith research.

Need the full security package?

SOC 2 report, penetration test summary, DPA and subprocessor list are available under NDA for teams in procurement.