SECURITY & COMPLIANCE
The most advanced technologies to stay compliant to GDPR, KYC, AML
KYC / AML Compliance
Here at Sumsub data protection and financial compliance are at the core.
Global compliance
Sumsub’s identity verification platform is globally applicable, as our approach and methodology are carefully designed according to FATF recommendations regarding AML and CTF requirements (specifically, Article 10), which served the international basis for local AML laws.
Risk-based approach
The system is built on risk-based approach and follows global and local regulatory norms (including FATF, FINMA, FCA, CySEC, MAS). Our expertise in compliance and a range of technologies help businesses and financial authorities to speak in common language.
Enhanced KYC verification
The platform is equipped with tools for completely automatic verification as well as for checks based upon human review which is complied to current European legislation to non-face-to-face customer identification in banking industry.
Ongoing Monitoring
We constantly monitor all the existing users’ profiles to manage the risks associated with your customers. The system will notify you if the user has been put on a Sanction list or his document has expired, so, you can react immediately in case of any changes.
Data Privacy Compliance
We at Sum&Substance established a comprehensive ongoing GDPR compliance program and give trainings and meetings on how important Data protection is for the whole core team. Just to show how we built transparency, here are a few examples of what we have in place:
Customer Consent
We receive a customer consent before processing personal data. It is a separate checkbox before requesting a verification, so, a user clearly understands, what exactly he or she agrees with.
Clear Privacy Policy
In the policy it is stated comprehensively, how the data will be used and for how long to give a user transparency and fair information about the purposes and methods of processing.
European Data Centers and Data Protection Officer
We store all the data in Amazon GDPR compliant servers which are located in EU. Overall responsibility for all data lies on DPO (Data Protection Officer), who lives and work in Berlin,Germany and doesn’t have any conflict of interest.
The right to be forgotten
Our uses have the right to withdraw the consent in a reasonable timeframe. To revoke an approval it is needed only to drop a message to [email protected]
Breach Notification
Despite of all the preparations, something always can go wrong. We have a tested process and technologies that allows us to detect and address breaches within 72 hours.
Bank-level security
We know that data security is paramount, that’s why we’d like to tell you a bit about how we ensure it.
Secure data Storage
User data is stored in an encrypted format on our servers, which are kept at Uptime Institute classified Tier III data centers compliant with TIA-942 and PCI DSS standards. The data centers are protected technically and guarded physically around the clock by specially audited security personnel.
Leading Encryption Technologies
All data transfered on a protected channel with cryptographic encryption based on the TLS 1.2 protocol. Decryption keys are stored separately from the actual data, so people with criminal intent won’t get access to your sensitive data.
Independent Testing
We work with independent experts from the sphere of information security in order to find and prevent potential vulnerabilities. Our site, iFrame, and API undergo constant penetration testing, security checks, threat detection, and testing of “white” and “black” drawers.
Constant Monitoring
Our information security team performs regular checks on all aspects of our security systems.
