Compliance standards, privacy and data protection.
We understand the importance of privacy compliance and have created a truly secure system for sharing and storing your most sensitive information. You can rest assured knowing that your data is always protected from unauthorized access.
VeriFyle meets all requirements of the Payment Card Industry (PCI) Data Security Standard for a level four merchant. We do not store our users’ payment card data on our servers at any time.
In 2011, the Cloud Security Alliance (CSA) launched STAR, an initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. Our data centers are CSA STAR registrants and have completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ).
VeriFyle is HIPAA compliant (U.S. Health Insurance Portability and Accountability Act), and will enter into a Business Associates (BA) agreement with our Covered Entity (CE) customers when appropriate. Our CE customers and their BA partners can use VeriFyle to maintain a security level that is equivalent to or greater than that required to protect electronic health records.
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records and applies to all schools that receive funding from any applicable program of the U.S. Department of Education. VeriFyle gives our Covered Entity (CE) customers and their Business Associates (BA) subject to FERPA requirements a secure environment for storing and sharing protected education information.
Information in VeriFyle is stored and shared using our patented encryption technology, Cellucrypt. Our system can be used as a means for securely storing and sharing information in order to help our Financial Industry Regulatory Authority (FINRA) member customers to establish and maintain compliance. VeriFyle protects the security and confidentiality of its users, guards against anticipated threats or hazards, and protects against unauthorized access to customer information.
In June 2015, the National Institute of Standards and Technology (NIST) released guidelines 800-171, “Final Guidelines for Protecting Sensitive Government Information Held by Contractors.” This guidance is applicable to the protection of Controlled Unclassified Information (CUI) on nonfederal systems.
Our data centers are compliant with these guidelines. NIST 800-171 outlines a subset of the NIST 800-53 requirements, a guideline under which our data centers have already been audited under the FedRAMP program. The FedRAMP Moderate security control baseline is more rigorous than the recommended requirements established in Chapter 3 of 800-171, and includes a significant number of security controls above and beyond those required of FISMA Moderate systems that protect CUI data.
If a customer processes financial information in the cloud using VeriFyle, the customer’s auditors may determine that some VeriFyle systems (e.g. our data centers and related services) come into scope for Sarbanes-Oxley (SOX) requirements. The customer’s auditors must make their own determination regarding SOX applicability. Because customers manage most of the logical access controls, the customer is best positioned to determine if its activities meet relevant standards.
VeriFyle is compliant with EAR under Category 5 Part 2 with ECCN 5D992. The U.S. Department of Commerce administers the Export Administration Regulations or “EAR,” which regulate the export of “dual-use” items. These items include goods and related technology, including technical data and technical assistance, which are designed for commercial purposes, but which could have military applications, such as computers, aircraft, and pathogens.
VeriFyle supports United States International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. All VeriFyle data centers are physically located in the US where access by VeriFyle personnel is limited to US Persons, thereby allowing qualified companies to transmit, process and store protected articles and data subject to ITAR restrictions.