Security and Compliance
Last updated: 2 September 2021
At Onfido, security and compliance are essential to our mission of creating a more open world, where identity is the key to access. This means providing identity verification checks and handling data in the most robust and secure manner possible for our clients.
From financial services firms to marketplaces and community giants, we are trusted by thousands of companies across the world, including some of the world’s leading organisations.
SOC 2 Type II Compliant & ISO 27001 Certified
Onfido is proud to announce that we are now both SOC 2 Type II compliant and ISO 27001 certified. Onfido has been ISO 27001 certified since 2017, and the receipt of our SOC 2 Type II report verifies that our controls relating to information security, systems availability, and data confidentiality meet the American Institute of Certified Public Accountants’ (AICPA) industry standards.
SOC 2 Type II Security, Availability & Confidentiality Report
Our SOC2 Type II Report is complete and available for customers and prospects. The Report includes management’s description of Onfido’s trust services and controls, as well as the independent auditor’s opinion from BDO Limited relating to Onfido’s system design and operating effectiveness.
A Type II report follows a more demanding testing approach than a Type I, as it verifies that our controls relating to information security, systems availability, and data confidentiality operated effectively to meet the Trust Services Criteria over a period of time.
Onfido’s Identity Verification services are audited at least annually against the SOC 2 framework by third-party auditors. SOC 2 is widely regarded as one of the most rigorous and respected security auditing standards.
ISO 27001 Certified since 2017
YesWeHack is engaged in an ongoing, private bug bounty program covering Onfido main services and web applications. Testers are selected among the top tier hackers on YesWeHack platform and are provided with access to our testing environment as well as all the details needed for their activity. Security is a critical requirement for us and an integral part of our solution, and this program enhance our security posture by helping us in quickly identifying and fixing critical vulnerabilities at scale.