PRIVACY BY DESIGN
Once you have verified and identified your customer and downloaded your report, all verification data is cleaned and the verification is archived within 5 minutes.
We DO keep an internal reference number so that we can match products to completed IDs and handle internal billing.
We NEVER keep any personal data relating to any person you have verified.
Once a report has been downloaded, any data such as images and videos stored during our biometric verification process will be DELETED from our database.
If for any reason you haven't downloaded the report, your customer hasn't completed the process, or you are satisfied with just using APLY's web interface, the maximum lifespan of a verification is 7 days. Beyond this, verification data is automatically cleansed, images and videos are deleted, and the verification is archived as described above.
While we are confident in our hosting services and development tools (Amazon Web Services/Heroku) and their expertise in internet security, we also know that no system on earth is 100% safe. APLY's method of handling customer data ensures that we and our clients hold only very limited data in our database at any given time, limiting the impact of a breach.
End-to-end data encryption: every connection and data transfer is made over secure, credentialed connections using HTTPS or SSH.
AES-256 encryption for images and videos: our verification assets are stored on an encrypted disk.
Verification assets are stored behind 3 randomly generated keys that are required to access them, so the generated URL cannot be predicted.
AES-256 encryption for our database: our database is encrypted on disk.
Our database and verification assets are not stored in the same location.
The maximum lifespan of our data is 7 days.
The biometric and OCR technology has undergone penetration tests. Load tests are conducted four times a year on production environments and once a year on test environments. The penetration tests cover OWASP Top 10, OWASP 3.0, SANS Top-25, Broken Authentication, Sensitive Data Exposure, XML, Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS) and Insecure Deserialisation. Daily server scans explicitly look for vulnerabilities across a broad range of categories, including backdoors and trojan horses, brute-force attacks, CGI, databases, DNS and BIND, e-commerce applications, file sharing, SFTP, firewalls, general remote services, and hardware and network appliances.
INTERNATIONAL STANDARDISATION ORGANISATION (ISO) CERTIFICATIONS
The biometric & OCR technology is ISO 27001 and ISO 22301 certified.
ISO 27001 Focus
To protect the confidentiality, integrity and availability of information within a company.
Controls are developed through policies, procedures and technical implementation. ISO 27001 clearly identifies risk in process management, legal protection, human resources, physical protection and many other areas, as well as IT security.
ISO 22301 Focus
ISO 22301 is the Business Continuity Management System standard. This certification was developed to ensure protection against unexpected disruption and disaster. The policy gives asset owners, personnel and sub-contractors an understanding of what is required when recovering from a disaster.