
Compliance FAQ


Certifications

Is VeriProof SOC 2 certified?

A SOC 2 Type II audit is in progress. The audit covers the Security, Availability, and Confidentiality Trust Service Criteria. Once the audit is complete, the report will be available to customers under NDA. See SOC 2 for current status.


Does VeriProof comply with ISO 27001?

ISO 27001 certification is on the roadmap for 2027. VeriProof’s control environment is aligned with ISO 27001’s control objectives, and many of the same controls will be assessed in the SOC 2 audit. If ISO 27001 is a hard requirement for your vendor assessment process, raise it during enterprise diligence through the contact page or your account team.


What US Federal frameworks does VeriProof support?

VeriProof’s session audit and governance scoring features address several NIST AI RMF practices, particularly in the MEASURE and MANAGE functions. See NIST AI RMF for a full mapping.

VeriProof runs on Microsoft Azure, which holds a FedRAMP High authorisation. That authorisation covers the underlying cloud platform only: VeriProof itself does not hold a FedRAMP Authorisation to Operate (ATO), and running on an authorised platform does not confer one. Federal customers with FedRAMP requirements should contact us to discuss whether the current architecture meets their needs.


Data Processing

Where is my data stored?

Standard Tier data is stored in Microsoft Azure, West Europe by default, with geo-replication to North Europe. Enterprise Federated customers store all data in their own Azure subscription in any region they choose.


Can I get a Data Processing Agreement?

Yes. A standard DPA is available for all paying customers. Enterprise customers can negotiate custom terms. See DPA or contact legal@veriproof.app.


Who are VeriProof’s subprocessors?

The current subprocessor list is available at Subprocessors. Material changes are notified to customers at least 14 days in advance.


GDPR

Is VeriProof GDPR-compliant?

VeriProof operates as a data processor under GDPR when you send personal data through the SDK. Controls include EU data residency, cryptographic erasure (Article 17), data subject management, DPA availability, and sub-processor transparency. See GDPR for the complete coverage.


Does VeriProof support the Right to Erasure?

Yes. VeriProof implements cryptographic erasure for data subjects linked to sessions. Erasure destroys the per-subject key material (salt); once it is gone, every session commitment derived from it can no longer be recomputed or verified, so the linked anchors become permanently unverifiable without needing to remove them from the blockchain. Erasure requests are subject to a 30-day hold period, which can be waived or shortened on request for demonstrably urgent cases. See GDPR — Article 17.


Does VeriProof transfer data outside the EU?

Session data remains in the Azure region selected at provisioning. Blockchain anchors are written to the Solana network, which is a globally distributed public ledger. The anchor contains only a 32-byte cryptographic commitment — no personal data. See Blockchain Anchoring for what is and is not written to the ledger.
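The erasure and anchoring answers above describe one mechanism from two angles: a per-subject salt keys the commitment, the ledger holds only the 32-byte digest, and destroying the salt is what makes the anchor unverifiable. The following is an added illustration of that mechanism, not VeriProof's own code: the construction (HMAC-SHA256 keyed with a random 32-byte per-subject key, an in-memory dict standing in for the append-only ledger, and the `CommitmentLedger`, `commit`, `verify` and `erase_subject` names) is assumed for the example, as is the sample session payload.

```python
"""Cryptographic erasure of per-subject key material over immutable anchors.

Constructed example. It models the mechanism the FAQ describes (per-subject
salt, 32-byte commitment on an append-only ledger, erasure by destroying the
salt). The HMAC-SHA256 construction and all names here are assumptions for
illustration, not VeriProof's implementation.
"""
import hashlib
import hmac
import secrets


class CommitmentLedger:
    def __init__(self) -> None:
        # Erasable: per-subject key material ("salt"). Deleting an entry is the erasure.
        self._subject_keys: dict[str, bytes] = {}
        # Immutable: session_id -> 32-byte commitment. Stands in for the public
        # anchor; entries are never deleted, mirroring a public ledger.
        self.anchors: dict[str, bytes] = {}

    def _key_for(self, subject_id: str) -> bytes:
        # One high-entropy 32-byte key per subject, created on first use.
        # Entropy matters: a guessable salt would let anyone confirm a guessed
        # payload against the public anchor by brute force.
        if subject_id not in self._subject_keys:
            self._subject_keys[subject_id] = secrets.token_bytes(32)
        return self._subject_keys[subject_id]

    def commit(self, subject_id: str, session_id: str, payload: bytes) -> bytes:
        """Write a 32-byte commitment for payload to the ledger. The ledger never
        sees the payload or the key, only the keyed digest."""
        commitment = hmac.new(self._key_for(subject_id), payload, hashlib.sha256).digest()
        self.anchors[session_id] = commitment
        return commitment

    def verify(self, subject_id: str, session_id: str, payload: bytes) -> bool:
        """Recompute the commitment and compare in constant time. Returns False
        once the subject's key is erased: the anchor is still on the ledger but
        can no longer be tied to any payload."""
        key = self._subject_keys.get(subject_id)
        anchor = self.anchors.get(session_id)
        if key is None or anchor is None:
            return False
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, anchor)

    def erase_subject(self, subject_id: str) -> bool:
        """Article 17 erasure: destroy the key. Anchors are left untouched."""
        return self._subject_keys.pop(subject_id, None) is not None


def unkeyed_guess_matches(anchor: bytes, guess: bytes) -> bool:
    """What a third party holding only the public anchor can attempt: hash a
    guessed payload and compare. Without the key this does not match, which is
    why the anchor on its own carries no personal data."""
    return hashlib.sha256(guess).digest() == anchor


def demo() -> dict:
    ledger = CommitmentLedger()
    # Constructed sample session payload; deliberately contains an identifier.
    payload = b'{"subject":"alice@example.org","transcript":"..."}'
    anchor = ledger.commit("subj-alice", "sess-1", payload)
    results = {
        "anchor_len": len(anchor),
        "verifies_before_erasure": ledger.verify("subj-alice", "sess-1", payload),
        "tamper_detected": not ledger.verify("subj-alice", "sess-1", payload + b"x"),
        "guess_without_key": unkeyed_guess_matches(anchor, payload),
    }
    results["erased"] = ledger.erase_subject("subj-alice")
    results["verifies_after_erasure"] = ledger.verify("subj-alice", "sess-1", payload)
    results["anchor_still_present"] = "sess-1" in ledger.anchors
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two properties of the model are worth checking against any real deployment: erasure is only as complete as the destruction of every copy of the key (backups and replicas included), and the "no personal data in the anchor" claim rests on the key being high-entropy and secret, since a keyed digest over a guessable payload with a guessable key is reversible by enumeration.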


Healthcare

Does VeriProof support HIPAA compliance?

Yes, under a Business Associate Agreement (BAA). A BAA is required before submitting PHI to VeriProof in any production environment. See HIPAA.


Does VeriProof process Protected Health Information by default?

No. VeriProof captures what your SDK adapters send. Whether PHI is included depends on your adapter configuration. Customers with PHI-containing pipelines must have a BAA in place and should implement PHI minimisation before capture.


EU AI Act

Is VeriProof an AI system under the EU AI Act?

VeriProof is an AI observability and compliance infrastructure tool, not an AI system that makes decisions about individuals. As an infrastructure provider, VeriProof may be considered a component supplier under Article 28 for high-risk AI systems.

VeriProof’s features — immutable audit trails, governance scoring, evidence export — are designed to help you, as the AI system provider or deployer, satisfy your own obligations under the Act.


Does VeriProof satisfy all EU AI Act requirements?

No single tool satisfies all EU AI Act requirements. VeriProof addresses the audit trail, monitoring, and documentation obligations (Articles 9, 11, 13, 17) that are most directly served by production observability infrastructure. Risk management design, training data governance, human oversight mechanisms, and conformity assessment are your responsibility. See EU AI Act for a detailed mapping.


Penetration Testing and Security Assessments

Can I include VeriProof in my vendor security assessment?

Yes. We support security assessments and can provide the following collateral under NDA:

  • SOC 2 Type II report (when available)
  • Completed standard security questionnaires (SIG Lite, CAIQ, VSAQ)
  • Architecture documentation
  • Penetration test executive summary

Request assessment collateral through the contact page or your enterprise diligence channel.


Can I conduct my own penetration test?

Yes, with prior authorisation. See Penetration Testing for scope, authorisation requirements, and how to request approval.

