Security
Found a vulnerability? Please report it responsibly to security@verinty.com. We review all reports and respond within 3 business days.
1. Our Security Approach
Security is foundational to Verinty. Our platform handles verified business identity data — we take that responsibility seriously. This page describes the controls we have in place and how to reach us if you discover a security issue.
2. Infrastructure Security
- Encryption in transit: All connections to Verinty use TLS 1.2 or higher. We do not serve content over HTTP.
- Encryption at rest: User data stored in our database is encrypted at rest by our infrastructure providers.
- Hosted infrastructure: We run on Supabase (database and edge functions), Railway (API server), and Vercel (landing pages) — all tier-1 providers with their own security certifications.
- Environment isolation: Production secrets and service role keys are stored as environment variables and never committed to source code.
3. Authentication and Access Control
- User authentication is handled by Supabase Auth with email-based sign-in and session tokens
- Row-level security (RLS) policies in the database ensure users can only access their own records
- Sovereign Lock tokens (vnt_live_) are generated cryptographically and scoped to a single user and domain
- Service role keys are used only server-side in edge functions and are never exposed to the client
4. Data Handling
- We do not store payment card details — all payments are processed by our payment provider
- Business identity data fetched from public registries (ABR, NZBN) is stored to power your identity infrastructure, not resold or shared
- Scan logs and audit trails are retained for security and compliance purposes and may be anonymised after account deletion
5. Responsible Disclosure
If you discover a security vulnerability in the Verinty platform, we ask that you:
- Report it to us privately at security@verinty.com before public disclosure
- Give us reasonable time (typically 90 days) to investigate and remediate before going public
- Not exploit the vulnerability beyond what is necessary to confirm its existence
- Not access, modify, or delete data belonging to other users
We will acknowledge your report within 3 business days, keep you informed of our progress, and credit you (if you wish) when the issue is resolved. We do not currently offer a formal bug bounty programme, but we genuinely appreciate responsible disclosure.
6. Incident Response
In the event of a confirmed security incident affecting user data, we will notify affected users in accordance with our obligations under the Australian Privacy Act 1988 (Notifiable Data Breaches scheme) and take immediate steps to contain and remediate the issue.
7. Security Contact
For all security matters: security@verinty.com
For general privacy enquiries: privacy@verinty.com
Verinty · Melbourne, Victoria, Australia · ABN 18 459 403 998