Privacy Policy

Effective date: October 12, 2025

1. Overview

Veraproof Pty Ltd ("Veraproof", "we", "us", or "our") provides secure identity and provisioning services through two Software-as-a-Service (SaaS) products:

  • Scimify
  • Challenge

This Privacy Policy explains how Veraproof collects, uses, stores, and protects your information when you use these products.

2. Information We Collect and Process

a. Scimify

When using Scimify, we process and store the following information:

  • User profiles: Full name and email address (for provisioning users and group members).
  • Group names: Used for group provisioning.
  • API tokens: Application-specific integration tokens required to sync users and groups between your Identity Provider (IdP) and target SaaS applications. Tokens are stored with least-privilege architecture and encryption at rest.

b. Challenge

When using Challenge, we process and store:

  • IdP user profiles: Full name and email address.
  • Slack user profile information.
  • Slack API token – used for verification workflows and integrations.
  • Device fingerprinting metadata, public IP addresses, and geolocation data – collected for security and fraud prevention purposes during verification workflows.

c. Common Practices

  • We do not store user passwords.
  • Authentication is performed via federated logins (Slack, GitHub, Google) or via OIDC SSO connected to your organisation's IdP.
  • We log metadata necessary for operational security (IP addresses, timestamps, and API usage metrics).

3. How We Use the Information

We use your information to:

  • Provide, operate, and improve Scimify and Challenge services.
  • Provision, synchronise, and verify user and group data between systems.
  • Communicate about service incidents, security updates, or subscription matters.
  • Provide optional product updates and new feature announcements (you may opt out at any time).
  • Comply with applicable laws, security obligations, and audit requirements.

We never sell or rent customer data.

4. Data Storage and Security

  • Data is hosted in AWS regions within Australia and on Veraproof's private hosting infrastructure.
  • We follow security industry best practices and align with SOC 1 controls.
  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
  • Access to production systems is restricted by least-privilege principles and audited regularly.
  • Administrative access is protected by multi-factor authentication (MFA).

5. Data Retention and Deletion

We retain customer data until the customer requests deletion or terminates their subscription.

Upon request or termination, we will permanently delete customer data from all systems (including backups) within a reasonable period.

Customers may request deletion or export of their data by contacting us at support@veraproof.io or via the shared Slack support channel.

6. Sharing and Disclosure

We may share limited information with:

  • Service providers (e.g., AWS, Cloudflare, Stripe, Slack API) strictly as needed to deliver our services.
  • Legal authorities only if required by applicable law or valid legal process.
  • Enterprise partners under written agreements that include confidentiality and data-protection obligations.

We do not disclose customer data for marketing or advertising purposes.

7. International Data Transfers

Where customers or integrations operate outside Australia, data may be transferred between regions to complete provisioning or verification functions. All transfers comply with applicable privacy laws, and equivalent safeguards are applied.

8. Your Rights

Depending on your jurisdiction (including Australia, the EU, and UK), you may have rights to:

  • Access and correct your personal data.
  • Request deletion ("right to be forgotten").
  • Object to or restrict certain processing.
  • Lodge a complaint with your local privacy authority (e.g., OAIC in Australia).

To exercise these rights, contact support@veraproof.io.

9. Communications

We primarily communicate via email or shared Slack channels established with customers.

Customers may opt out of non-essential product update emails using the unsubscribe link in each message or by contacting us.

10. Updates to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website at https://veraproof.io/privacy/.

If changes materially affect your rights, we'll notify you via email or in-app notice.

11. Contact

Veraproof Pty Ltd

Victoria, Australia

Email: support@veraproof.io

Slack: Shared support channel (for participating enterprise customers)