SECURITY & COMPLIANCE
The most advanced technologies to keep you compliant with GDPR and KYC/AML requirements
KYC / AML Compliance
Here at Sumsub, data protection and financial compliance are at our core.
Global compliance
Sumsub’s identity verification platform is globally applicable, as our approach and methodology are carefully designed according to the FATF recommendations regarding AML and CTF requirements (specifically, Article 10), which serve as the international basis for local AML laws.
Risk-based approach
Our system is built on a risk-based approach and follows global and local regulatory norms (FATF, FINMA, FCA, CySEC, MAS). Our compliance expertise and the range of technologies we provide help businesses and financial authorities speak a common language.
Enhanced KYC verification
Our platform is equipped with tools that enable completely automatic verification as well as checks based upon human review in line with the current European legislation on non-face-to-face customer identification in the banking industry.
Ongoing monitoring
We constantly monitor all existing user profiles to manage the risks associated with your customers. The system will notify you if a user has been put on a sanctions list or their document has expired, so you can react immediately to any changes.
Compliance With Data Privacy Laws
At Sum&Substance, we have established a comprehensive ongoing GDPR compliance program while providing training to our staff and conducting meetings on how important data protection is for the entire core team. To illustrate just how we have reached transparency, here are a few examples of what we currently have in place:
Customer consent
We obtain customer consent before processing personal data. The request for consent is placed in a separate checkbox before verification, so a user clearly understands what they are agreeing to.
Clear privacy policy
Our policy clearly states how the user’s data is going to be used and for how long. It gives users transparency and information about the purposes and methods of processing.
European data centers and data protection officer
We store all data on GDPR-compliant Amazon servers located in the EU. Overall responsibility for all data lies with the DPO (Data Protection Officer).
The right to revoke consent
Our users have the right to withdraw consent within a reasonable timeframe. To revoke consent, all they have to do is send a message to [email protected]
Breach alerts
Despite all of the preparations, there is always a chance that something can go wrong. We have tested our processes and technologies and are ready to detect and address breaches within 72 hours.
Bank-level security
We know that data security is paramount, that’s why we’d like to tell you a bit about how we ensure it.
Secure data storage
User data is stored in encrypted form on our servers, which are kept in Uptime Institute Tier III-classified data centers compliant with the TIA-942 and PCI DSS standards. The data centers are protected technically and guarded physically around the clock by specially audited security personnel.
Leading encryption technologies
All data is transferred over a protected channel encrypted with the TLS 1.2 protocol. Decryption keys are stored separately from the actual data, so people with criminal intent won’t get access to your sensitive data.
Independent testing
We work with independent information security experts to find and prevent potential vulnerabilities. Our site, iFrame, and API constantly undergo penetration testing, security checks, threat detection, and black-box and white-box testing.
Constant monitoring
Our information security team performs regular checks on all aspects of our security systems.