Skip to content

TRUST CENTER

Built so we can't betray you.

Verification only works if the verifier is trustworthy. Every claim below is implemented in code and running in production today — nothing on this page is aspirational.

Ephemeral processing

Uploads stream to an isolated analysis worker and are deleted the moment the run ends — success or failure, on every code path. Media never touches long-term storage, never trains models, and never leaves the processing environment.

Authenticated results

Every analysis result is sealed by the backend with authenticated encryption (ChaCha20-Poly1305) before it travels back through the browser. A tampered or replayed result is rejected — the score you see is the score the engine produced.

Single-use upload tickets

Uploads are authorized by short-lived, HMAC-signed, single-use tickets minted per analysis. A leaked ticket expires in minutes and cannot be replayed.

Payments we never see

Billing runs through Paddle as merchant of record. Card numbers never reach Verifyco systems; we store only the plan, credit balance and transaction references needed for your account.

Hardened account security

Passwords are bcrypt-hashed; verification and reset tokens are stored hashed and are strictly single-use; sensitive changes revoke all outstanding sessions; sign-in and abuse-prone endpoints are rate limited.

Private-by-default reports

Reports belong to your account only. Sharing is explicit opt-in and exposes a redacted scoreboard — never your detailed findings — behind a revocable, unguessable link.

WHAT WE STORE — AND WHAT WE NEVER DO

Stored (minimum necessary)

  • · Account: email, name, sign-in provider, bcrypt password hash if set.
  • · Analysis reports: the JSON verdict and layer findings — never the media.
  • · Billing: plan, credit ledger and Paddle transaction references.
  • · Operational signals: anonymized failure counters for reliability monitoring.

Never

  • · No persistent storage of uploaded or link-fetched media, on any path.
  • · No training of models on user content.
  • · No sale or sharing of personal data; no third-party ad trackers.
  • · No card data — Paddle (merchant of record) handles all payment details.

INFRASTRUCTURE & SUBPROCESSORS

  • Vercelweb application hosting (TLS everywhere)
  • Renderisolated analysis compute — where media is processed and deleted
  • NeonPostgres database (accounts, reports, billing state)
  • Paddlemerchant of record — payments, tax, invoices
  • Google Workspacetransactional email

Each processes only what its role requires. Details in the Privacy Policy.

COMPLIANCE — HONESTLY STATED

  • In effect: GDPR & KVKK alignment — self-serve access, correction and erasure (delete individual reports or your whole account, including for social sign-ins); EU-style consumer rights honoured in our Refund Policy.
  • In effect: Encrypted transport (TLS 1.2+) end to end; authenticated result sealing; secrets held in platform vaults, never in the repository.
  • Roadmap: SOC 2 and ISO 27001 audits are planned as the company grows. We do not display badges for audits we haven't passed.

Found a vulnerability?

We welcome good-faith security research. Report issues to support@verifyco.info with reproduction steps — we respond within 2 business days and will credit verified reports if you wish.