Security & Compliance

SECURITY & COMPLIANCE

The most advanced technologies to stay compliant to GDPR, KYC, AML

security_02_copy (1)

KYC / AML Compliance

Here at Sumsub data protection and financial compliance are at the core.

Global compliance

Sumsub’s identity verification platform is globally applicable, as our approach and methodology are carefully designed according to FATF recommendations regarding AML and CTF requirements (specifically, Article 10), which served the international basis for local AML laws.

Risk-based approach

The system is built on risk-based approach and follows global and local regulatory norms (including FATF, FINMA, FCA, CySEC, MAS). Our expertise in compliance and a range of technologies help businesses and financial authorities to speak in common language.

Enhanced KYC verification

The platform is equipped with tools for completely automatic verification as well as for checks based upon human review which is complied to current European legislation to non-face-to-face customer identification in banking industry.

Ongoing Monitoring

We constantly monitor all the existing users’ profiles to manage the risks associated with your customers. The system will notify you if the user has been put on a Sanction list or his document has expired, so, you can react immediately in case of any changes.

security_02_copy (1)

Data Privacy Compliance

We at Sum&Substance established a comprehensive ongoing GDPR compliance program and give trainings and meetings on how important Data protection is for the whole core team. Just to show how we built transparency, here are a few examples of what we have in place: 

Customer Consent

We receive a customer consent before processing personal data. It is a separate checkbox before requesting a verification, so, a user clearly understands, what exactly he or she agrees with.

Clear Privacy Policy

In the policy it is stated comprehensively, how the data will be used and for how long to give a user transparency and fair information about the purposes and methods of processing.

European Data Centers and Data Protection Officer

We store all the data in Amazon GDPR compliant servers which are located in EU. Overall responsibility for all data lies on DPO (Data Protection Officer), who lives and work in Berlin,Germany and doesn’t have any conflict of interest.

The right to be forgotten

Our uses have the right to withdraw the consent in a reasonable timeframe. To revoke an approval it is needed only to drop a message to [email protected]

Breach Notification

Despite of all the preparations, something always can go wrong. We have a tested process and technologies that allows us to detect and address breaches within 72 hours.

Read more about GDPR and how to make your business compliant →

security_01_copy

Bank-level security

We know that data security is paramount, that’s why we’d like to tell you a bit about how we ensure it.

Secure data Storage

User data is stored in an encrypted format on our servers, which are kept at Uptime Institute classified Tier III data centers compliant with TIA-942 and PCI DSS standards. The data centers are protected technically and guarded physically around the clock by specially audited security personnel. 

Leading Encryption Technologies

All data transfered on a protected channel with cryptographic encryption based on the TLS 1.2 protocol. Decryption keys are stored separately from the actual data, so people with criminal intent won’t get access to your sensitive data. 

Independent Testing

We work with independent experts from the sphere of information security in order to find and prevent potential vulnerabilities. Our site, iFrame, and API undergo constant penetration testing, security checks, threat detection, and testing of “white” and “black” drawers.

Constant Monitoring

Our information security team performs regular checks on all aspects of our security systems.