To identify and manage information security risks at Onfido, we have implemented a number of technical and operational initiatives, including establishing an information security management system (our “ISMS”), based on international best practice for information security (ISO27001:2013). The purpose of the ISMS is to protect the confidentiality, integrity and availability of information and minimise security risks. Specifically, the ISMS has been designed to address the following objectives:
If you think you have identified a security vulnerability or bug in our Identity Verification Services, please report it to the Onfido security team at firstname.lastname@example.org and as described in the Onfido Responsible Security Bug Disclosure Policy.
Onfido holds certificate number IS 660122 for operating an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013, certified by the British Standards Institute.
This external audit takes place on an annual basis in order to maintain certification.
Security and compliance work is collaboratively managed and executed by a dedicated group of highly skilled individuals within the business. Such individuals work across different business functions, including IT, engineering, security, legal, compliance, operations and facilities.
Onfido’s senior leadership team meet periodically to discuss security and compliance, and are presented with key metrics, current risks and potential blockers to managing security and compliance.
All Onfido employees receive information security and privacy awareness training to ensure that they are aware of their responsibilities and security risks. This happens in different forms, including group training, company-wide presentations and e-learning on an ongoing basis.
The Onfido Disaster Preparedness and Recovery Team manages information security incidents at Onfido, including those that impact business continuity. This team is formed of individuals from parts of the business which include security, legal, compliance, partnerships management, IT & engineering, public relations and human resources. We have the following in place to support our SIM efforts:
In order to reduce the risk of unauthorised access or loss of information, Onfido enforces a clear desk and screen policy as follows:
Onfido is committed to hiring exceptional talent into a secure working environment. This is to ensure the safeguarding of information and infrastructure at Onfido and to maintain an effective information security management system. As a result, it is Onfido’s policy to conduct background checks on all individuals who are given access to Onfido systems. The following checks are conducted at a minimum:
Onfido has implemented controls in order to prevent unauthorised physical access, damage and interference to Onfido’s information and information processing areas. These controls include:
System, application and network security is an ever-evolving topic. This is why we have a dedicated team of security engineers driving the topic and developing, evaluating and integrating security technologies, solutions and frameworks.