TRUST CENTER
Built so we can't betray you.
Verification only works if the verifier is trustworthy. Every claim below is implemented in code and running in production today — nothing on this page is aspirational.
Ephemeral processing
Uploads stream to an isolated analysis worker and are deleted the moment the run ends — success or failure, on every code path. Media never touches long-term storage, never trains models, and never leaves the processing environment.
Authenticated results
Every analysis result is sealed by the backend with authenticated encryption (ChaCha20-Poly1305) before it travels back through the browser. A tampered or replayed result is rejected — the score you see is the score the engine produced.
Single-use upload tickets
Uploads are authorized by short-lived, HMAC-signed, single-use tickets minted per analysis. A leaked ticket expires in minutes and cannot be replayed.
Payments we never see
Billing runs through Paddle as merchant of record. Card numbers never reach Verifyco systems; we store only the plan, credit balance and transaction references needed for your account.
Hardened account security
Passwords are bcrypt-hashed; verification and reset tokens are stored hashed and are strictly single-use; sensitive changes revoke all outstanding sessions; sign-in and abuse-prone endpoints are rate limited.
Private-by-default reports
Reports belong to your account only. Sharing is explicit opt-in and exposes a redacted scoreboard — never your detailed findings — behind a revocable, unguessable link.
WHAT WE STORE — AND WHAT WE NEVER DO
Stored (minimum necessary)
- · Account: email, name, sign-in provider, bcrypt password hash if set.
- · Analysis reports: the JSON verdict and layer findings — never the media.
- · Billing: plan, credit ledger and Paddle transaction references.
- · Operational signals: anonymized failure counters for reliability monitoring.
Never
- · No persistent storage of uploaded or link-fetched media, on any path.
- · No training of models on user content.
- · No sale or sharing of personal data; no third-party ad trackers.
- · No card data — Paddle (merchant of record) handles all payment details.
INFRASTRUCTURE & SUBPROCESSORS
- Vercelweb application hosting (TLS everywhere)
- Renderisolated analysis compute — where media is processed and deleted
- NeonPostgres database (accounts, reports, billing state)
- Paddlemerchant of record — payments, tax, invoices
- Google Workspacetransactional email
Each processes only what its role requires. Details in the Privacy Policy.
COMPLIANCE — HONESTLY STATED
- In effect: GDPR & KVKK alignment — self-serve access, correction and erasure (delete individual reports or your whole account, including for social sign-ins); EU-style consumer rights honoured in our Refund Policy.
- In effect: Encrypted transport (TLS 1.2+) end to end; authenticated result sealing; secrets held in platform vaults, never in the repository.
- Roadmap: SOC 2 and ISO 27001 audits are planned as the company grows. We do not display badges for audits we haven't passed.
Found a vulnerability?
We welcome good-faith security research. Report issues to support@verifyco.info with reproduction steps — we respond within 2 business days and will credit verified reports if you wish.



