Security
Verifyfed is built for federal contractor security environments. Infrastructure, encryption, data residency, access controls, and audit logging are designed to support FedRAMP-aligned security requirements.
Verifyfed is pursuing SOC 2 Type II assessment and FedRAMP alignment. We are not currently SOC 2 Type II certified and do not hold a FedRAMP ATO. Architecture and controls are designed to support these assessments. We provide full security posture documentation for program office vendor review — contact us to request the vendor security questionnaire response package.
Infrastructure & Deployment
AWS GovCloud (US) Deployment
Primary deployment on AWS GovCloud US regions. GovCloud is designed for US government compliance requirements and provides the US data residency and access control framework appropriate for federal contractor data.
US-Only Data Residency
All data stored and processed within US boundaries. No cross-border data transfer. No international routing of contractor personnel data. Data residency controls aligned to federal contractor data handling requirements.
High Availability Architecture
Multi-availability zone deployment within AWS GovCloud US. Designed for the uptime requirements of active security program operations. Recovery time objectives are documented in the vendor security questionnaire.
On-Premise / Hybrid (Roadmap)
Architecture documentation for on-premise and hybrid deployment is available for agency sponsors evaluating high-classification environment options. Contact us to discuss specific deployment requirements.
Encryption
Transport Encryption
All data in transit is encrypted using TLS 1.3. TLS 1.0 and 1.1 are disabled. Certificate management and rotation follow NIST SP 800-52 guidance for TLS protocol selection.
Data at Rest Encryption
All stored data encrypted using AES-256. Database encryption, object storage encryption, and backup encryption all use AES-256 with key management aligned to FIPS 140-2 validated key management practices.
Access Controls
Role-Based Access Control
Least-privilege RBAC for all platform access. Security officer, administrator, and read-only roles with fine-grained permission controls. Role assignments are documented in the audit trail.
Multi-Factor Authentication
MFA required for all administrative access and security officer console access. TOTP and hardware token support. Authentication events are logged to the immutable audit trail.
Privileged Access Controls
Privileged access to platform infrastructure governed by just-in-time access controls. All privileged sessions logged and subject to security review. No standing privileged access.
API Authentication
API access controlled via scoped tokens with expiration policies. Token issuance, rotation, and revocation logged. No long-lived credential support for API access.
Audit Logging
Immutable Audit Trail
All platform events logged to an immutable audit trail. Logs cannot be modified or deleted after creation. Cryptographic integrity verification ensures tamper evidence.
SIEM-Exportable Log Format
Audit logs exportable in standard SIEM formats (CEF, JSON). Integrates with Splunk, IBM QRadar, and Elastic Security. Event schema documented for security operations integration.
Log Retention
Audit logs retained for a minimum of 36 months with configurable extended retention for program-specific requirements. Long-term archival with controlled access and chain-of-custody documentation.
Security Event Monitoring
Continuous monitoring of platform security events. Anomalous access patterns, authentication failures, and privileged activity monitored with alerts to security operations.
Vendor Security Questionnaire
We provide a pre-completed vendor security questionnaire response package for program office vendor review. The package includes infrastructure details, encryption specifications, access control documentation, incident response procedures, and the SOC 2 pursuit timeline.
Your program office vendor review deserves complete answers.
Schedule a technical briefing with our security team to walk through architecture, controls, and compliance documentation for your vendor evaluation process.