Security

Certifications and attestations

SOC 2 Type 1

Sumsub successfully completed its SOC 2 Type 1 examination, which was proctored by independent auditor BARR Advisory, P.A. This assessment confirms that Sumsub has rigorous security controls against unauthorized access, disclosure or damage of data. If you are interested in a copy of our SOC 2 Type 1 report, please reach out to [email protected].

SOC 2 Type 2

Sumsub successfully completed its SOC 2 Type 2 examination, which was proctored by independent auditor BARR Advisory, P.A. The report issued October 21, 2022 include independent assessment of Sumsub security controls and its eficiency against unauthorized access, disclosure or damage of data. If you are interested in a copy of our SOC 2 Type 2 report, please reach out to [email protected].

ISO/IEC 27001

This standard covers the security of development, implementation, functioning, monitoring, analysis, support and improvement of Sumsub's ISMS (Information Security Management System), which is audited on an annual basis. This certification means that our information sources are well protected.

ISO/IEC 27017

This certification demonstrates that Sumsub adheres to technical and organizational measures regarding risk assessments, equipment, software controls, personnel work, the backup procedure and other processes related to cloud service security.

ISO/IEC 27018

This certificate confirms that Sumsub has commonly accepted control objectives and guidelines for implementing measures to protect Personally Identifiable Information (PII) privacy principles in the public cloud computing environment.

PCI/DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from major card schemes. This certification confirms that Sumsub is fully compliant with high standards for secure storage and processing of bank card data.

Web application assessments

Sumsub has independent penetration tests conducted periodically to identify potential weaknesses related to inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, and others.

ASV scanning

Clone Systems are engaged to perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV). This assessment contributes to building up strong security system against malware attacks or other breaches.

Protection against presentation attacks

Sumsub’s in house Liveness technology has been tested by iBeta according to the ISO 30107-3 Biometric Presentation Attack Detection Standard and successfully deters Level-1 vectors of attack.

Privacy

Our internal privacy procedures are structured according to the UK GDPR and the EU GDPR. Sumsub has also implemented the CCPA and other applicable legal requirements to ensure the privacy of our client’s customers. We continue to improve privacy frameworks and address other compliance requirements on an ongoing basis. For more information, please see our Privacy Notice.

EU GDPR compliance

Sumsub’s policies, procedures, and workflows regarding personal data processing of EU residents are fully compliant with the requirements of the EU GDPR. External and internal evaluations of Sumsub's compliance with the EU GDPR are conducted annually.

UK GDPR and DPA 2018 compliance

Sumsub has implemented the UK GDPR and the DPA 2018 requirements into internal data protection framework. Besides, Sumsub is registered with the Information Commissioner’s Office in line with the UK Data Protection Act 2018. Our Data Protection Registration Number is ZA 222205. Sumsub's compliance with UK data protection and security requirements are evaluated annually.

ACCS 2:2021 Technical Requirements for Data Protection and Privacy

Sum and Substance was assessed by The Age Check Certification Scheme Ltd and found to meet ACCS 2:2021 Technical Requirements for Data Protection and Privacy according to certification criteria approved by the Information Commissioner’s Office following the Commissioner’s tasks and powers under Articles 57(1)(n) and 58(3)(f) pursuant to Article 42(5) of the UK General Data Protection Regulation.

e-IDVT Technical Requirements for Identity Document Validation Technology

Sum and Substance was assessed by The Age Check Certification Scheme Ltd and found to meet the e-IDVT Technical Requirements for Identity Document Validation Technology according to certification criteria defined under the UK Home Office Guidance Document for Identity Document Validation Technology requirements 2018.

Age Verification System (AVS)

KJM (The Commission for the Protection of Minors in the Media (Germany) found that the concept of Sum and Substance Ltd is suitable as a total solution for an Age Verification System (AVS) within the meaning of Article 4 (2) sentence 2 Jugendmedienschutz-Staatsvertrag (JMStV).

Other compliance measures

Sumsub's business activity spans the entire world, which means that we continuously meet additional regulatory requirements in the data protection framework. We protect California residents’ personal information based on required measures. For more information, please refer to the CCPA Privacy Notification. Where the data protection laws of Illinois, Washington, or Texas apply, please refer to the “Special notice to residents of the states of Illinois, Washington, or Texas (USA)” (Provision 19 of this Privacy Notice) for more information.

System access and customization

Sumsub offers a number of measures to keep your account safe.

Secure authentication

Access to the system is as protected as it can get. Passwords are encrypted and 2-factor authentication is enabled by default for additional security. You can also opt for Google Account login and SSO, which can be enabled in the Sumsub dashboard.

Anomaly detection tools

Our product is equipped with automatic anomaly detection tools that track suspicious actions—such as logins from different devices, repeat password guesses, or API keys—and immediately alerts your tech team and administrators in case of a possible breach attempt.

User permissions

Permission levels and roles can be set up for your team for additional security. This includesaccess to settings, billing, user data, and the ability to send or edit messages. Read more about permissions and roles customization in our helpdesk article.