Verify Now - Identity Verification Platform

Security & Privacy

Information Security Policy

Your data is protected with encryption, secure infrastructure, and South African data residency.

Last updated: January 2025

POPIA Aligned

Protection of Personal Information Act compliance

FICA Compliant

Financial Intelligence Centre Act compliance

HTTPS Encryption

All data encrypted in transit

SA Data Residency

Data stored in South Africa

About This Policy

This Information Security Policy outlines how VerifyNow, operated by Urban Luxury Brands (Pty) Ltd (Reg. 2007/013732/07), protects your data. Our security practices are designed to meet South African regulatory requirements, including POPIA (Protection of Personal Information Act) and FICA (Financial Intelligence Centre Act).

We are committed to protecting the confidentiality, integrity, and availability of all data processed through our verification services.

Data Protection

Encryption in Transit

  • All data in transit is encrypted using HTTPS with TLS 1.3 (with TLS 1.2+ supported where required for compatibility)
  • Automatic managed TLS certificates with HTTPS-only enforcement
  • API requests require secure authentication via API keys
  • Sensitive data is handled according to POPIA requirements

Encryption at Rest

  • AES-256 or equivalent managed encryption for stored data
  • Encryption keys managed by infrastructure providers with appropriate controls
  • Secure key rotation and management practices

Data Residency

  • All personal data is processed and stored in South Africa
  • We maintain data residency to comply with local regulatory requirements
  • No personal data is transferred outside of South Africa without appropriate safeguards

Access Control

  • API access requires authentication via unique API keys
  • Dashboard access requires user authentication
  • Role-based access controls limit data access to authorized personnel
  • All API calls are logged for audit purposes

Access Governance

  • Multi-factor authentication (MFA) required for administrative access
  • Principle of least privilege applied to all system access
  • Regular access reviews and prompt deprovisioning
  • Segregation of duties for sensitive operations

Infrastructure Security

  • Global edge network with distributed DDoS protection
  • Web Application Firewall (WAF) protecting against common web attacks
  • Bot protection and rate limiting to prevent abuse
  • Serverless architecture reducing attack surface (no persistent servers to compromise)
  • Automatic managed TLS certificates with HTTPS-only enforcement
  • Content encryption at the edge for enhanced performance and security

Vulnerability and Patch Management

  • Automatic security patching on infrastructure components
  • Regular vulnerability assessments and remediation
  • Dependency scanning and updates for application components

Backup and Recovery

  • Automated backups with geographic redundancy
  • Regular testing of recovery procedures
  • Specific RTO/RPO targets available on request for enterprise customers

Regulatory Compliance

POPIA (Protection of Personal Information Act)

Our data handling practices are aligned with POPIA requirements, including:

  • Purpose limitation - data is used only for verification purposes
  • Data minimization - we collect only what is necessary
  • Retention policies - data is retained only as required
  • Data subject rights - we support rights requests

FICA (Financial Intelligence Centre Act)

Our verification services support FICA compliance requirements for:

  • Customer identification and verification
  • Politically exposed persons (PEP) screening
  • Sanctions list screening
  • Audit trail maintenance

Security Monitoring & Incident Response

  • Continuous monitoring of systems for security events
  • Security incidents are investigated and addressed promptly
  • Documented incident response procedures with defined escalation paths
  • Post-incident reviews and preventive measure implementation

Customer Notification SLA

In the event of a confirmed security breach affecting customer data, we commit to:

  • 48-hour notification to affected customers from breach confirmation
  • Detailed incident report including scope, affected data, and timeline
  • Guidance on recommended actions and protective measures
  • Assistance with regulatory notification requirements

Security Questions?

If you have questions about our security practices or need to report a security concern, please contact us:

Email: hello@verifynow.co.za