Compliance standards, privacy and data protection.

We understand the importance of privacy compliance and have created a truly secure system for sharing and storing your most sensitive information. You can rest assured knowing that your data is always protected from unauthorized access.

HIPAA

VeriFyle is compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and will enter into a Business Associates (BA) agreement with our Covered Entity (CE) customers when appropriate. Our CE customers and their BA partners can use VeriFyle to maintain a security level that is equivalent to or greater than that required to protect electronic health records.

GDPR

VeriFyle is compliant with the EU General Data Protection Regulation. We use proprietary technology to protect our users’ privacy and we will never rent or sell our users’ personal information to others. You can read more in our privacy policy.

UETA and ESIGN

The Uniform Electronic Transactions Act (UETA) and the United States Electronic Signatures in Global and National Commerce Act (ESIGN) set out the following four primary requirements for an electronic signature to be considered valid:

Intent to sign – Electronic signatures are only considered valid if all signing parties intended to sign.

Consent to do business electronically – All parties to the transaction must give their consent to do business electronically (it is the responsibility of the user to acquire consent from all signing parties).

Association of signature with the record – The system used to capture the transaction must keep an associated record that reflects the process used to create the signature, or generate either a textual or graphic statement, which is added to the signed record, that proves that it was executed with an electronic signature.

Record retention – U.S. laws on electronic signatures and electronic transactions require that electronic signature records be capable of retention and reproduction by all parties.

VeriFyle’s electronic signature solution can be used in compliance with these requirements.

IRS

Electronic Signing for Forms 8878 and 8879

According to the IRS’s Guidance for Electronic Signatures for forms 8878 and 8879, software used to provide electronic signature capability must record the following data:

  • Digital image of the signed form
  • Date and time of the signature
  • Taxpayer’s computer IP address (Remote transaction only)
  • Taxpayer’s login identification - user name (Remote transaction only)
  • Identity verification: taxpayer’s knowledge-based authentication passed results and, for in-person transactions, confirmation that government picture identification has been verified
  • Method used to sign the record (e.g., typed name); or a system log; or other audit trail that reflects the completion of the electronic signature process by the signer

VeriFyle’s electronic signature solution records these data and can be used in compliance with these requirements. Note: it is the responsibility of the user to verify the identity of document signers.

IRS Publication 1345 E-File Standards

VeriFyle complies with the following IRS security, privacy and business standards:

  1. Extended Validation SSL Certificate
  2. External Vulnerability Scan
  3. Information Privacy and Safeguard Policies
  4. Protection Against Bulk Filing
  5. Public Domain Name Registration
  6. Reporting of Security Incidents

Note: While VeriFyle does deploy technology to prevent malicious bot activity, VeriFyle cannot currently be used to submit tax returns to the IRS. VeriFyle is therefore not considered an Electronic Return Originator (ERO), and is not required to deploy protection against bulk filing. If you are using VeriFyle as an ERO to complete a remote transaction, you should be sure to satisfy any requirements regarding collecting and verifying personal information including social security number, address, and date of birth as part of this transaction. This information may be collected within a VeriFyle thread, where it can be securely stored and shared with other authorized VeriFyle users. Please refer to IRS publication 1345 for details.

PCI

VeriFyle meets all requirements of the Payment Card Industry (PCI) Data Security Standard for a level four merchant. We do not store our users’ payment card data on our servers at any time.

CSA

In 2011, the Cloud Security Alliance (CSA) launched STAR, an initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. Our data centers are CSA STAR registrants and have completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ).

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records and applies to all schools that receive funding from any applicable program of the U.S. Department of Education. VeriFyle gives our Covered Entity (CE) customers and their Business Associates (BA) subject to FERPA requirements a secure environment for storing and sharing protected education information.

FINRA/SEC

Information in VeriFyle is stored and shared using our patented encryption technology, Cellucrypt. Our system can be used as a means for securely storing and sharing information in order to help our Financial Industry Regulatory Authority (FINRA) member customers to establish and maintain compliance. VeriFyle protects the security and confidentiality of its users, guards against anticipated threats or hazards, and protects against unauthorized access to customer information.

NIST

In June 2015, the National Institute of Standards and Technology (NIST) released guidelines 800-171, “Final Guidelines for Protecting Sensitive Government Information Held by Contractors.” This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.

Our data centers are compliant with these guidelines. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which our data centers have already been audited under the FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data.

Sarbanes-Oxley

If a customer processes financial information in the cloud using VeriFyle, the customer’s auditors may determine that some VeriFyle systems (e.g. our data centers and related services) come into scope for Sarbanes-Oxley (SOX) requirements. The customer’s auditors must make their own determination regarding SOX applicability. Because customers manage most of the logical access controls, the customer is best positioned to determine if its activities meet relevant standards.

EAR

VeriFyle is compliant with EAR under Category 5 Part 2 with ECCN 5D992. The U.S. Department of Commerce administers the Export Administration Regulations or “EAR,” which regulate the export of “dual-use” items. These items include goods and related technology, including technical data and technical assistance, which are designed for commercial purposes, but which could have military applications, such as computers, aircraft, and pathogens.

ITAR

VeriFyle supports United States International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. All VeriFyle data centers are physically located in the US where access by VeriFyle personnel is limited to US Persons, thereby allowing qualified companies to transmit, process and store protected articles and data subject to ITAR restrictions.

VeriFyle, Inc., Cloud Services, San Jose, CA

Better Business Bureau

VeriFyle is a Better Business Bureau (BBB) accredited business. BBB Accreditation Standards represent standards for business accreditation by BBB in the United States and Canada. BBB accredits businesses that meet the eight BBB Standards for Trust:

Build Trust - Establish and maintain a positive track record in the marketplace.

Advertise Honestly - Adhere to established standards of advertising and selling.

Tell the Truth - Honestly represent products and services, including clear and adequate disclosures of all material terms.

Be Transparent - Openly identify the nature, location, and ownership of the business, and clearly disclose all policies, guarantees and procedures that bear on a customer’s decision to buy.

Honor Promises - Abide by all written agreements and verbal representations.

Be Responsive - Address marketplace disputes quickly, professionally, and in good faith.

Safeguard Privacy - Protect any data collected against mishandling and fraud, collect personal information only as needed, and respect the preferences of consumers regarding the use of their information.

Embody Integrity - Approach all business dealings, marketplace transactions and commitments with integrity.