Trust Centre

Security and privacy
built into every layer.

VeriGo is designed to protect the sensitive customer data you collect and hold in order to meet your AML/CTF obligations. Here's exactly how.

  • AES-256 Encryption
  • Australian Data Hosting
  • MFA Required
  • Immutable Audit Logs
  • SOC 2 Roadmap

Security Architecture

How we protect your data.

Security is not an add-on — it's how VeriGo was architected from the first line of code. Compliance data is among the most sensitive information any business handles. We treat it accordingly.

AES-256 Encryption

All customer data stored in VeriGo is encrypted at rest using AES-256 — the same standard used by government agencies and financial institutions worldwide. All data in transit between your browser, the VeriGo application, and our data centres is protected with TLS 1.3.

Encryption keys are managed using hardware security modules (HSMs) and rotated on a regular schedule. Customer compliance data is never stored in plaintext at any point in the platform's data lifecycle.
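To make the key-management claims above concrete, here is an added Go example of the envelope-encryption pattern that HSM-backed services typically use. It is an illustration written for this page, not VeriGo's code: the KeyStore type is a stand-in for an HSM, and the record identifier and sample plaintext are constructed. Each record gets its own data-encryption key (DEK), which is stored only after being wrapped under a versioned key-encryption key (KEK); rotating the KEK re-wraps the small key blob and leaves the bulk ciphertext alone, and the record ID is bound in as AES-GCM associated data so a ciphertext cannot be quietly moved to another customer's record.

```go
// Envelope encryption with AES-256-GCM and KEK rotation. Illustrative code
// added to this page, not VeriGo's implementation; KeyStore stands in for
// the HSM: keys are generated inside it and never handed out.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is what gets stored: no plaintext, no raw key.
type Record struct {
	KEKVersion int    // KEK that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyStore holds 256-bit key-encryption keys; index = version, nil = retired.
type KeyStore struct{ keks [][]byte }

func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand never returns an error
	return b
}

// Rotate makes a fresh KEK current (call once before Encrypt). Old versions
// stay readable until every record has been re-wrapped, then Retire them.
func (ks *KeyStore) Rotate() { ks.keks = append(ks.keks, random(32)) } // 32 bytes selects AES-256

func (ks *KeyStore) Retire(version int) { ks.keks[version] = nil }

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so no error
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce || ciphertext; aad (the record ID) binds the blob to its
// record so wrapped keys and ciphertexts cannot be swapped between records.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open fails on any tampering with the blob or a mismatched aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt uses a fresh DEK per record and discards it once wrapped.
func (ks *KeyStore) Encrypt(recordID string, plaintext []byte) *Record {
	cur := len(ks.keks) - 1
	dek := random(32)
	return &Record{
		KEKVersion: cur,
		WrappedDEK: seal(ks.keks[cur], dek, []byte(recordID)),
		Ciphertext: seal(dek, plaintext, []byte(recordID)),
	}
}

func (ks *KeyStore) unwrap(recordID string, r *Record) ([]byte, error) {
	v := r.KEKVersion
	if v < 0 || v >= len(ks.keks) || ks.keks[v] == nil {
		return nil, errors.New("KEK version unknown or retired")
	}
	return open(ks.keks[v], r.WrappedDEK, []byte(recordID))
}

func (ks *KeyStore) Decrypt(recordID string, r *Record) ([]byte, error) {
	dek, err := ks.unwrap(recordID, r)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

// Rewrap moves a record to the current KEK by rewriting only the small
// WrappedDEK blob; the bulk ciphertext is untouched, so rotation is cheap.
func (ks *KeyStore) Rewrap(recordID string, r *Record) error {
	dek, err := ks.unwrap(recordID, r)
	if err != nil {
		return err
	}
	cur := len(ks.keks) - 1
	r.WrappedDEK = seal(ks.keks[cur], dek, []byte(recordID))
	r.KEKVersion = cur
	return nil
}
```

The order of operations during a scheduled rotation is what matters: Rotate, then Rewrap every stored record, and only then Retire the old version. Retiring first leaves records that can never be read again, which is the failure mode a rotation runbook has to guard against.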

Multi-Factor Authentication

Multi-factor authentication is required for all VeriGo user accounts. Time-based one-time passwords (TOTP) via authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are supported. Hardware security key support is available for Enterprise accounts.

MFA cannot be disabled by individual users — it is enforced at the platform level as a baseline security control. This protects your compliance data even if a user's password is compromised.
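For readers who want to see what "TOTP via authenticator apps" involves on the server side, the following is an added Go example of RFC 6238 verification; it is written for this page and is not VeriGo's code. The secret is the test secret published in RFC 6238, and the user name, six-digit length, 30-second step and one-step skew window are assumptions (they match what common authenticator apps use). It covers the two details that matter most in practice: tolerating a little clock drift, and refusing a code that has already been accepted, so a one-time password captured by a phishing proxy cannot be replayed inside its validity window.

```go
// TOTP (RFC 6238) verification with clock-drift window and replay rejection.
// Illustrative code added to this page, not VeriGo's implementation.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"sync"
)

const (
	Digits = 6  // code length shown by authenticator apps
	Period = 30 // seconds per time step
	Skew   = 1  // accept one step either side of now for clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation.
func hotp(secret []byte, counter uint64) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", Digits, code%uint32(math.Pow10(Digits)))
}

// Totp is RFC 6238: HOTP with the counter set to the current time step.
func Totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/Period))
}

// DecodeSecret parses the base32 secret from the enrolment otpauth:// URI.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// Verifier remembers the last accepted step per user so a code captured by
// a phishing proxy or shoulder-surfer cannot be replayed within its window.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]uint64{}} }

// Verify accepts code if it matches any step in [now-Skew, now+Skew] that is
// later than the last step accepted for this user. Comparison is constant
// time per candidate so timing does not reveal how many digits matched.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	step := now / Period
	for d := int64(-Skew); d <= Skew; d++ {
		cand := uint64(step + d)
		if subtle.ConstantTimeCompare([]byte(hotp(secret, cand)), []byte(code)) != 1 {
			continue
		}
		if last, seen := v.lastStep[user]; seen && cand <= last {
			return false // correct code, but already used (or older than one used)
		}
		v.lastStep[user] = cand
		return true
	}
	return false
}

func main() {
	secret, _ := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") // RFC 6238 test secret
	fmt.Println(Totp(secret, 59)) // 287082: the last six digits of the RFC's SHA-1 vector 94287082
}
```

The per-user "last accepted step" is the piece most home-grown implementations omit. Without it, a code remains valid for the whole skew window (90 seconds here) no matter how many times it is presented, which is exactly what a real-time phishing kit relies on.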

Role-Based Access Control

VeriGo implements granular role-based access control (RBAC) across all platform modules. Predefined roles include: Compliance Officer (full access), Reviewer (read and review, cannot approve), Administrator (user management, configuration), and Read-Only (reporting and audit access only).

Custom roles are available on Enterprise plans. Access is governed by the principle of least privilege — users see and interact with only the data and functions their role requires. All role assignments are logged and auditable.

Immutable Audit Logs

Every action taken in VeriGo — login, data access, record creation, modification, report generation, approval, rejection, and deletion — is logged with a timestamp, the user who performed the action, and the IP address from which it was performed.

Audit logs cannot be modified or deleted by any user, including administrators. They are retained for a minimum of 7 years, the record-keeping period required by the AML/CTF Act. Audit logs can be exported for internal audit, regulatory inspection, or external assurance review.
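The page does not say how VeriGo enforces immutability. The following added Go example (written for this page, not VeriGo's code) shows the standard way to make an exported audit log tamper-evident: each entry carries the hash of the one before it, so any edit, deletion, reordering or truncation is detected when the chain is recomputed. The events, user names and IP addresses are constructed samples.

```go
// Tamper-evident audit log: an append-only hash chain. Illustrative code
// added to this page; the page does not say how VeriGo enforces immutability.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry carries the fields the page lists for every audit event.
type Entry struct {
	Seq       uint64 `json:"seq"`
	Timestamp string `json:"ts"` // RFC 3339, UTC
	User      string `json:"user"`
	IP        string `json:"ip"`
	Action    string `json:"action"`
	Object    string `json:"object"`
	PrevHash  string `json:"prev"` // hash of the previous entry (chain link)
	Hash      string `json:"hash"` // SHA-256 over every other field
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash covers all fields except Hash itself. Because PrevHash is
// included, editing or removing any entry changes every hash after it.
func entryHash(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // a struct of strings and ints cannot fail to marshal
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Log exposes Append only: there is no update or delete path.
type Log struct{ entries []Entry }

func (l *Log) Append(at time.Time, user, ip, action, object string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{
		Seq: uint64(len(l.entries)) + 1, Timestamp: at.UTC().Format(time.RFC3339),
		User: user, IP: ip, Action: action, Object: object, PrevHash: prev,
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy suitable for export or external verification.
func (l *Log) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Head is the latest hash. Recording it somewhere the log writer cannot
// alter (a separate system, a signed timestamp) is what lets an auditor
// prove the exported log was not rewritten wholesale.
func (l *Log) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify recomputes the chain over an exported log and reports the first
// entry whose content, sequence number or link does not match.
func Verify(entries []Entry, head string) error {
	prev := genesis
	for i, e := range entries {
		switch {
		case e.Seq != uint64(i)+1:
			return fmt.Errorf("position %d: expected seq %d, found %d (deleted or reordered)", i, i+1, e.Seq)
		case e.PrevHash != prev:
			return fmt.Errorf("seq %d: link to previous entry broken", e.Seq)
		case entryHash(e) != e.Hash:
			return fmt.Errorf("seq %d: content altered", e.Seq)
		}
		prev = e.Hash
	}
	if prev != head {
		return fmt.Errorf("final hash %s does not match recorded head %s", prev, head)
	}
	return nil
}

func main() {
	var l Log
	t0 := time.Date(2025, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample events
	l.Append(t0, "alice", "203.0.113.5", "login", "-")
	l.Append(t0.Add(time.Minute), "alice", "203.0.113.5", "record.view", "cust-42")
	l.Append(t0.Add(2*time.Minute), "bob", "198.51.100.9", "record.approve", "cust-42")
	fmt.Println("intact:", Verify(l.Entries(), l.Head()))
	bad := l.Entries()
	bad[1].User = "mallory"
	bad[1].Hash = entryHash(bad[1]) // attacker even recomputes the entry's own hash
	fmt.Println("edited:", Verify(bad, l.Head()))
}
```

A chain by itself proves nothing against someone who can rewrite the whole log from the start; what makes it immutable in practice is recording the head hash where the log writer has no access. When requesting an export for an audit, ask for the independently recorded head alongside it and run the verification yourself.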

Australian Data Residency

All VeriGo customer and compliance data is hosted in AWS data centres located in Sydney, Australia. No customer data is replicated, transferred, or processed outside of Australia. This commitment is contractually guaranteed in VeriGo's terms of service.

Keeping all data in Australia removes the cross-border disclosure questions raised by Australian Privacy Principle 8 under the Privacy Act 1988, supports organisations bound by the Privacy (Australian Government Agencies - Governance) APP Code, and keeps the records you must retain under the AML/CTF Act within Australian jurisdiction. Residency is one control in support of those obligations, not compliance with them on its own.

SOC 2 Type II Roadmap

VeriGo is currently working toward a SOC 2 Type II report. SOC 2 is an independent attestation rather than a certification: an auditor evaluates the design and operating effectiveness of controls over a review period against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy). Security is the mandatory criterion; the others are covered only when included in the audit's scope, so check the scope section when the report is issued.

Until the report is issued, Enterprise customers can request VeriGo's current security posture documentation, including our security control framework and penetration testing results. We expect to complete the SOC 2 Type II audit in 2025.

Customer-Owned Storage

Your documents, in your environment.

VeriGo supports customer-managed document storage. Rather than holding identity documents and compliance records in VeriGo's own infrastructure, you can connect your own Google Drive, Microsoft OneDrive or SharePoint instance, or Dropbox Business account.

When customer-owned storage is enabled, VeriGo reads and writes documents in your environment directly and does not persist copies of them. VeriGo retains only the metadata (file names, upload dates, verification outcomes) required to operate compliance workflows.

This architecture is particularly valued by financial institutions, law firms, and government-aligned organisations with strict data governance requirements.

  • Google Drive (Google Workspace)
  • Microsoft OneDrive & SharePoint
  • Dropbox Business

Compliance Governance

We practice what we preach.

VeriGo maintains its own AML/CTF Program as a reporting entity. We understand the obligations we help our customers meet from the inside — not just as software developers, but as practitioners who have read every AUSTRAC guidance note and tested our workflows against the AML/CTF Rules.

Our compliance team conducts an annual independent audit of our own AML/CTF Program. We apply the same risk-based approach to our own customer due diligence that we build into the platform.

This means when AUSTRAC guidance changes, we understand the operational implications for our customers before anyone else — and we update the platform accordingly.

Privacy

Your data is yours. Full stop.

No data selling

VeriGo never sells or rents customer compliance data, and never discloses it to third parties for their own purposes. The only other parties that process it are those needed to operate the platform: AWS, which hosts it in Australia, and, when customer-owned storage is enabled, the storage provider you have chosen.

Minimal data collection

We collect only the data required to operate the platform. There is no marketing profiling, and no behavioural analytics are shared with or sold to outside parties.

Australian Privacy Act

VeriGo complies with the Australian Privacy Act 1988 and all Australian Privacy Principles (APPs) applicable to our operations.

Our full Privacy Policy details exactly what data we collect, how we use it, how long we retain it, and your rights regarding your data. We update it when our practices change — not just when required by law.