Verk

Security & Compliance

Security settings, compliance features, audit logs

Comprehensive security features and compliance capabilities to protect your data and meet regulatory requirements. Enterprise-grade security for teams of all sizes.

Security Overview

Verk implements multi-layered security controls:

Infrastructure Security:

  • AWS cloud infrastructure
  • SOC 2 Type II certified
  • ISO 27001 compliant
  • Regular penetration testing
  • 24/7 security monitoring

Data Security:

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Encrypted backups
  • Secure key management
  • Data isolation per organization

Application Security:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • API key management
  • Session security
  • Input validation and sanitization

Compliance:

  • GDPR compliant
  • CCPA compliant
  • HIPAA capable (Enterprise)
  • SOC 2 Type II certified
  • Regular security audits

Authentication & Access

User Authentication

Password Requirements:

Default policy:
- Minimum 8 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 number
- At least 1 special character
- Cannot reuse last 5 passwords
- Password expiry: 90 days (optional)

Configure Password Policy:

1. Settings → Security → Password Policy
2. Set requirements:
 - Minimum length (8-32)
 - Character requirements
 - Password expiration
 - Reuse prevention (1-10)
 - Account lockout (after X failed attempts)
3. Save policy
4. Applies to all new passwords
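The default policy above, as a validator written for this page (added example, not Verk's own code): the field names on `PasswordPolicy` are assumptions that mirror the settings screen, and reuse prevention is checked against salted hashes of previous passwords rather than plaintext, since a password history must never be stored in the clear.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    """Mirrors the Password Policy screen; field names are an assumption."""
    min_length: int = 8            # settings page allows 8-32
    max_length: int = 32
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    reuse_prevention: int = 5      # settings page allows 1-10


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. History entries store (salt, digest), never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def validate_password(password: str, history: List[Tuple[bytes, bytes]],
                      policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    checks = [
        (policy.require_upper, r"[A-Z]", "at least 1 uppercase letter"),
        (policy.require_lower, r"[a-z]", "at least 1 lowercase letter"),
        (policy.require_digit, r"[0-9]", "at least 1 number"),
        (policy.require_special, r"[^A-Za-z0-9]", "at least 1 special character"),
    ]
    for required, pattern, message in checks:
        if required and not re.search(pattern, password):
            problems.append(message)
    # Reuse prevention: re-derive the candidate with each stored salt and compare
    # in constant time against only the most recent N entries (oldest entries first in the list).
    for salt, digest in history[-policy.reuse_prevention:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append(f"cannot reuse any of the last {policy.reuse_prevention} passwords")
            break
    return problems
```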

Account Lockout:

Settings → Security → Account Lockout

Configure:
- Failed login attempts: 5 (default)
- Lockout duration: 30 minutes
- Notify user on lockout: Yes
- Notify admins: Yes
- Reset counter after: 15 minutes of no attempts
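The lockout settings above as a small state machine (added example, not Verk's code; class and field names are assumptions). It shows the two timers interacting: the failure counter is cleared after 15 minutes without attempts, while a lockout lasts 30 minutes and blocks even a correct password until it expires.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Defaults as documented on the Account Lockout screen."""
    max_attempts: int = 5
    lockout_duration: timedelta = timedelta(minutes=30)
    reset_after: timedelta = timedelta(minutes=15)   # counter resets after this long with no attempts


@dataclass
class AccountState:
    failures: int = 0
    last_attempt: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy = LockoutPolicy()):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}
        self.notifications: List[str] = []   # stand-in for the user/admin lockout emails

    def is_locked(self, email: str, now: datetime) -> bool:
        state = self.accounts.get(email)
        return bool(state and state.locked_until and now < state.locked_until)

    def record_failure(self, email: str, now: datetime) -> bool:
        """Register a failed login; returns True when the account is locked after this attempt."""
        state = self.accounts.setdefault(email, AccountState())
        if self.is_locked(email, now):
            return True
        # "Reset counter after 15 minutes of no attempts"
        if state.last_attempt and now - state.last_attempt > self.policy.reset_after:
            state.failures = 0
        state.failures += 1
        state.last_attempt = now
        if state.failures >= self.policy.max_attempts:
            state.locked_until = now + self.policy.lockout_duration
            state.failures = 0   # fresh count once the lockout expires
            self.notifications.append(f"lockout:{email}:until={state.locked_until.isoformat()}")
            return True
        return False

    def record_success(self, email: str, now: datetime) -> bool:
        """A correct password clears the counter, but is rejected while the lockout is active."""
        if self.is_locked(email, now):
            return False
        self.accounts.pop(email, None)
        return True
```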

Multi-Factor Authentication (MFA)

Enable MFA for Organization:

1. Settings → Security → MFA
2. Choose enforcement level:
 - Optional (users can enable)
 - Required for admins
 - Required for all users
3. Allowed methods:
 - Authenticator app (TOTP)
 - SMS (if enabled)
 - Hardware keys (Enterprise)
4. Grace period: 7 days
5. Save settings

User MFA Setup:

1. User Settings → Security → MFA
2. Click "Enable MFA"
3. Choose method:
 - Authenticator app (recommended)
 - SMS to phone number
 - Hardware security key
4. Follow setup instructions
5. Save backup codes
6. Verify with test code
7. MFA enabled

MFA Recovery:

If user loses MFA device:
1. User clicks "Can't access MFA?"
2. Enters email
3. Admin receives notification
4. Admin verifies identity
5. Admin resets MFA:
 Settings → Members → User → Reset MFA
6. User sets up MFA again

Backup Codes:

Generate backup codes:
1. Settings → Security → MFA
2. Click "View Backup Codes"
3. Generate new codes (10 codes)
4. Download and store securely
5. Each code is single-use

Single Sign-On (SSO)

Enterprise Feature: SAML 2.0 and OAuth 2.0/OIDC

Configure SAML SSO:

1. Settings → Security → SSO
2. Choose SAML 2.0
3. Enter IdP details:
 - SSO URL
 - Entity ID
 - X.509 Certificate
 - Attribute mapping:
  * Email
  * First name
  * Last name
  * User ID
4. Download SP metadata
5. Configure in your IdP
6. Test SSO connection
7. Enable SSO
8. Optionally enforce SSO (disable password login)

Supported Identity Providers:

  • Okta
  • Azure AD / Microsoft Entra
  • Google Workspace
  • OneLogin
  • Auth0
  • Custom SAML 2.0 providers

SSO Settings:

Configure:
- Just-in-time (JIT) provisioning
- Default role for new users
- Automatic group mapping
- Force re-authentication interval
- Allow password fallback

Session Management

Session Settings:

Settings → Security → Sessions

Configure:
- Session timeout: 30 minutes (default)
- Maximum session length: 12 hours
- Remember device: 30 days
- Concurrent sessions: 3 per user
- Require re-auth for sensitive actions

Active Session Management:

User can view/manage sessions:
1. User Settings → Security → Active Sessions
2. See list:
 - Device type
 - Browser
 - IP address
 - Location (approximate)
 - Last activity
 - Created date
3. Revoke individual sessions
4. Revoke all other sessions

Admin Session Controls:

Admins can force logout:
1. Settings → Members → Select user
2. Click "View Sessions"
3. Revoke specific sessions
4. Or "Revoke All Sessions"
5. User logged out immediately

Authorization & Permissions

Role-Based Access Control

Built-in Roles:

Admin:

Permissions:
- Full system access
- Manage users and roles
- Configure security settings
- Access billing
- View audit logs
- Delete organization

Member:

Permissions:
- Create and manage own tasks
- Create projects (if enabled)
- Invite members (if enabled)
- Access assigned projects
- Comment and collaborate
- Upload files

Guest:

Permissions:
- View assigned projects (read-only)
- Comment on tasks (if enabled)
- View files
- No creation/deletion rights

Custom Roles

Create Custom Role:

1. Settings → Security → Roles → Create
2. Define role:
 - Role name
 - Description
 - Base template (None, Member, Guest)
3. Set permissions:
 - Tasks:
   * Create tasks
   * Edit own tasks
   * Edit all tasks
   * Delete own tasks
   * Delete all tasks
   * Assign tasks
 - Projects:
   * Create projects
   * Edit projects
   * Delete projects
   * Archive projects
 - Members:
   * View members
   * Invite members
   * Remove members
   * Manage roles
 - Settings:
   * View settings
   * Edit settings
   * Security settings
   * Billing access
 - Data:
   * Export data
   * Delete data
   * View audit logs

4. Save role
5. Assign to users

Project-Level Permissions:

Per-project access control:
1. Open project → Settings → Permissions
2. Set default role for members
3. Override for specific users:
 - Admin (full control)
 - Editor (create/edit/delete)
 - Contributor (create/edit own)
 - Viewer (read-only)
4. Configure:
 - Allow comments
 - Allow file uploads
 - Allow exports
 - Allow member invites

API Access Control

API Key Permissions:

Create scoped API keys:
1. Settings → API Keys → Create
2. Configure:
 - Key name
 - Expiration date
 - Rate limit
 - Scopes:
  * tasks:read
  * tasks:write
  * tasks:delete
  * projects:read
  * projects:write
  * projects:delete
  * members:read
  * members:write
  * files:read
  * files:write
3. Generate key
4. Copy key (shown once)
5. Store securely

API Key Best Practices:

  • Use separate keys per integration
  • Apply principle of least privilege
  • Set expiration dates
  • Rotate keys regularly (quarterly)
  • Revoke unused keys
  • Monitor key usage
  • Never commit keys to code repositories

Data Security

Encryption

Encryption at Rest:

Data encrypted using:
- Algorithm: AES-256-GCM
- Key management: AWS KMS
- Encrypted fields:
 * Task content
 * Comments
 * File contents
 * Personal information
 * API keys
 * Integration credentials

Encryption in Transit:

All connections secured with:
- Protocol: TLS 1.3 (minimum TLS 1.2)
- Certificate: SHA-256 RSA
- Perfect Forward Secrecy (PFS)
- HSTS enabled
- Secure cipher suites only

File Encryption:

Files stored in S3 with:
- Server-side encryption (SSE-S3)
- Encryption key rotation
- Secure presigned URLs
- Time-limited access
- IP restrictions (optional)

Data Isolation

Organization Separation:

Each organization is isolated:
- Separate database schema
- Separate file storage
- Separate encryption keys
- No data sharing between orgs
- Complete logical separation

Geographic Data Residency:

Enterprise feature:
- Choose data region:
 * US (United States)
 * EU (European Union)
 * UK (United Kingdom)
 * AU (Australia)
 * CA (Canada)
- Data stays in chosen region
- Backup in same region
- Compliance with local laws

Data Retention & Deletion

Retention Policies:

Settings → Compliance → Retention

Configure:
- Active data: Indefinite (default)
- Deleted tasks: 30-90 days
- Deleted projects: 90 days
- User accounts: 30 days after removal
- Audit logs: 1 year (Enterprise)
- Backups: 7-90 days (plan dependent)

Secure Deletion:

When data is deleted:
1. Moved to trash (retention period)
2. After retention: Marked for deletion
3. Encryption keys destroyed
4. Data overwritten
5. Backups purged after retention
6. Permanent deletion confirmed

User Data Deletion (GDPR):

Process:
1. User requests deletion
2. Admin reviews request
3. Grace period (30 days)
4. Data exported (if requested)
5. Account deactivated
6. Data permanently deleted:
 - All tasks created
 - All comments
 - All files
 - Profile information
 - Activity logs
7. Anonymize audit logs (retain for compliance)
8. Confirmation sent

Network Security

IP Whitelisting

Configure IP Whitelist (Enterprise):

1. Settings → Security → IP Whitelist
2. Click "Add IP Range"
3. Enter:
 - IP address or CIDR range
 - Description (e.g., "Office Network")
 - Enabled status
4. Save
5. Test access from allowed IP
6. Repeat for all ranges
7. Enable enforcement

Example IP Rules:

Office Network: 203.0.113.0/24
VPN Gateway: 198.51.100.50/32
Cloud Provider: 192.0.2.0/24
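The three example rules above, evaluated by an allowlist check written for this page (added example, not Verk's code; the rule fields and the audit-only mode are assumptions). It illustrates step 5 before step 7: until enforcement is enabled a non-matching address is allowed but flagged, so an admin can confirm their own range is covered before locking everyone else out, and it rejects rules so broad that they defeat the purpose.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpRule:
    cidr: str
    description: str
    enabled: bool = True


def validate_rule(rule: IpRule) -> IpRule:
    """Reject unparsable ranges and (an added safeguard) ranges broader than a /8."""
    network = ipaddress.ip_network(rule.cidr, strict=False)
    if network.prefixlen < 8:
        raise ValueError(f"{rule.cidr} is too broad to be an allowlist entry")
    return rule


# Constructed rules using the documentation's example ranges; the third is added but not yet enabled.
RULES: List[IpRule] = [validate_rule(r) for r in (
    IpRule("203.0.113.0/24", "Office Network"),
    IpRule("198.51.100.50/32", "VPN Gateway"),
    IpRule("192.0.2.0/24", "Cloud Provider", enabled=False),
)]


def matching_rule(client_ip: str, rules: List[IpRule]) -> Optional[IpRule]:
    """First enabled rule whose range contains client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.enabled and addr in ipaddress.ip_network(rule.cidr, strict=False):
            return rule
    return None


def evaluate(client_ip: str, rules: List[IpRule], enforce: bool) -> Tuple[bool, str]:
    """enforce=False models the state before 'Enable enforcement': log the miss, still allow."""
    rule = matching_rule(client_ip, rules)
    if rule:
        return True, f"allow {client_ip} ({rule.description})"
    if enforce:
        return False, f"deny {client_ip}: no enabled rule matches (audit: IP whitelist violation)"
    return True, f"allow {client_ip}: would be denied once enforcement is enabled"
```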

IP Whitelist Bypass:

Emergency access:
1. Contact support
2. Verify identity
3. Temporary bypass granted (24 hours)
4. Admin notified
5. Audit log entry created

DDoS Protection

Protection Measures:

Built-in protections:
- AWS Shield Standard
- Rate limiting
- Traffic analysis
- Geographic filtering
- Bot detection
- Automatic mitigation

Enterprise protection:
- AWS Shield Advanced
- Custom rate limits
- WAF rules
- 24/7 DDoS response team

Compliance

GDPR Compliance

Data Subject Rights:

Right to Access:

User requests data export:
1. Settings → Privacy → Request Data
2. Confirm identity
3. System generates export:
 - All personal data
 - Tasks and comments
 - Files uploaded
 - Activity history
4. Download link (48-hour expiry)
5. Encrypted download

Right to Rectification:

Users can update:
- Profile information
- Email address
- Contact details
- Preferences

Admins can update these fields on behalf of users

Right to Erasure:

User requests deletion:
1. Settings → Privacy → Delete Account
2. Review deletion scope
3. 30-day grace period
4. Data permanently deleted
5. Cannot be recovered
6. Email confirmation sent

Right to Data Portability:

Export formats:
- JSON (machine-readable)
- CSV (spreadsheet)
- PDF (human-readable)
All include complete data

Data Processing Agreement:

Available for Enterprise:
- DPA signed upon request
- GDPR Article 28 compliant
- Sub-processor list maintained
- Annual compliance review

CCPA Compliance

Consumer Rights:

Right to Know:

Users can request:
- Categories of data collected
- Specific pieces of data
- Sources of data
- Purpose of collection
- Third parties data shared with

Right to Delete:

Same as GDPR right to erasure
Exceptions:
- Legal compliance
- Security purposes
- Internal lawful uses

Right to Opt-Out:

Users can opt-out of:
- Marketing emails
- Product analytics
- Third-party sharing
- Cookies (non-essential)

HIPAA Compliance

Enterprise Feature: HIPAA-ready infrastructure

HIPAA Controls:

Technical safeguards:
- Encryption (at rest and in transit)
- Access controls
- Audit logs
- Integrity controls
- Transmission security

Administrative safeguards:
- Security management
- Workforce training
- Contingency planning
- Business associate agreements

Physical safeguards:
- Facility access controls
- Workstation security
- Device and media controls

BAA Available:

Business Associate Agreement:
- Required for HIPAA compliance
- Enterprise plan required
- Contact sales for BAA
- Annual compliance review
- Regular security audits

SOC 2 Compliance

Type II Report:

Verk is SOC 2 Type II certified against the following Trust Services Criteria:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy

Annual audit by a third party
Report available upon request (NDA required)

Control Objectives:

Security:
- Access controls
- Logical security
- Change management
- Risk assessment

Availability:
- 99.9% uptime SLA
- Disaster recovery
- Monitoring
- Incident response

Confidentiality:
- Data encryption
- Secure disposal
- Access restrictions

Audit Logs

Comprehensive Logging

Logged Events:

User Actions:

- User login/logout
- Failed login attempts
- Password changes
- MFA enable/disable
- Profile updates
- Session creation/termination

Data Operations:

- Task created/updated/deleted
- Project created/updated/deleted
- Comment added/edited/deleted
- File uploaded/downloaded/deleted
- Member added/removed
- Role changes

Administrative Actions:

- Settings changes
- Security policy updates
- API key creation/revocation
- Webhook configuration
- Integration changes
- Backup/restore operations
- Data exports

Security Events:

- Failed authentication
- Suspicious activity
- Rate limit exceeded
- API errors
- Permission denied
- IP whitelist violations

Viewing Audit Logs

Access Audit Logs:

1. Settings → Security → Audit Logs
2. Filter by:
 - Date range
 - User
 - Action type
 - Resource type
 - IP address
 - Status (success/failure)
3. Sort by date/time
4. View details for each event

Audit Log Details:

Each log entry includes:
- Timestamp (UTC)
- User (email and ID)
- Action performed
- Resource affected
- IP address
- User agent
- Geolocation (approximate)
- Status (success/failure)
- Changes made (before/after)

Audit Log Export

Export Logs:

1. Settings → Security → Audit Logs
2. Apply filters
3. Click "Export"
4. Choose format:
 - CSV (spreadsheet)
 - JSON (machine-readable)
 - PDF (report)
5. Receive email when ready
6. Download (secure link, 24-hour expiry)

Automated Log Exports:

Settings → Security → Log Exports → Schedule

Configure:
- Frequency: Daily, Weekly, Monthly
- Delivery:
 * Email
 * SFTP
 * S3 bucket
 * Syslog
 * SIEM integration
- Retention: Configure in SIEM

Log Retention

Retention by plan:
- Free: 30 days
- Pro: 1 year
- Enterprise: Unlimited

Long-term retention:
- Export to external SIEM
- Store in your S3 bucket
- Archive for compliance

Security Monitoring

Real-Time Alerts

Configure Security Alerts:

Settings → Security → Alerts

Alert types:
- Failed login attempts (threshold: 5)
- Unusual login location
- New device login
- MFA disabled
- API rate limit exceeded
- Data export
- User role change
- Security settings changed
- Integration added
- Suspicious activity detected

Recipients:
- Admins (default)
- Security team emails
- Slack/Teams webhook
- PagerDuty integration

Alert Examples:

High-priority alerts:
- 10+ failed logins in 5 minutes
- Login from new country
- Admin role granted
- MFA disabled for admin
- Mass data export
- API key leaked (detected in GitHub)

Medium-priority alerts:
- New device login
- Password changed
- New integration connected
- Unusual API usage pattern
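The "10+ failed logins in 5 minutes" high-priority alert as sliding-window detection logic run over a JSON audit-log export (added example, not Verk's code). The export field names and the sample lines are constructed assumptions modelled on the "Audit Log Details" fields above; the detector can key on user or on source IP, which is how the same rule catches both brute force against one account and spraying from one address.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


def _line(ts: str, user: str, status: str, ip: str = "203.0.113.8") -> str:
    return json.dumps({"timestamp": ts, "user": user, "action": "login", "ip": ip, "status": status})


# Constructed sample export: 11 failures for alice within 4 minutes (alert),
# 4 failures for bob spread over 4 hours (no alert at defaults), and one success.
SAMPLE_LOG = "\n".join(
    [_line(f"2024-03-01T10:{i // 3:02d}:{(i % 3) * 20:02d}Z", "alice@example.com", "failure")
     for i in range(11)]
    + [_line("2024-03-01T10:04:00Z", "alice@example.com", "success")]
    + [_line(f"2024-03-01T{10 + i}:15:00Z", "bob@example.com", "failure", ip="198.51.100.7")
       for i in range(4)]
)


def parse_events(text: str) -> Iterable[Dict]:
    """One JSON object per line; timestamps are UTC as in the audit log."""
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["timestamp"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_bursts(events: Iterable[Dict], threshold: int = 10,
                  window: timedelta = timedelta(minutes=5), key: str = "user") -> List[Dict]:
    """Raise one alert per key the first time `threshold` failed logins fall inside `window`."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if event["action"] != "login" or event["status"] != "failure":
            continue
        q = recent[event[key]]
        q.append(event["timestamp"])
        while event["timestamp"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and event[key] not in alerted:
            alerted.add(event[key])
            alerts.append({"priority": "high", key: event[key], "count": len(q),
                           "first": q[0].isoformat(), "last": event["timestamp"].isoformat()})
    return alerts
```

Feeding a real export means only swapping `SAMPLE_LOG` for the file contents, provided the field names match your export.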

Security Dashboard

Monitor Security Metrics:

Dashboard → Security Overview

Metrics:
- Failed login attempts (last 24h)
- Active sessions
- MFA adoption rate
- API key usage
- Recent security events
- System health
- Compliance status

Incident Response

Security Incident Process

Incident Response Plan:

1. Detection
 - Automated monitoring
 - User reports
 - Security alerts

2. Containment
 - Isolate affected systems
 - Revoke compromised credentials
 - Block malicious IPs
 - Disable affected features

3. Investigation
 - Review audit logs
 - Identify scope
 - Determine cause
 - Document findings

4. Remediation
 - Fix vulnerabilities
 - Update security controls
 - Reset affected credentials
 - Notify affected users

5. Post-Incident
 - Document lessons learned
 - Update procedures
 - Implement preventive measures
 - Train team

Report Security Issue:

Contact: security@verk.com

Include:
- Description of issue
- Steps to reproduce
- Potential impact
- Screenshots/evidence
- Your contact info

Response time:
- Critical: 2 hours
- High: 8 hours
- Medium: 24 hours
- Low: 5 business days

Vulnerability Disclosure

Responsible Disclosure:

We welcome security researchers:
1. Report vulnerability privately
2. Allow 90 days for remediation
3. We'll acknowledge within 24 hours
4. Keep you updated on progress
5. Credit you (if desired) after fix

Do not:
- Test on production data
- Access other users' data
- Perform DoS attacks
- Spam or social engineer

Best Practices

For Administrators

Security Checklist:

- Enable MFA for all users
- Configure password policy
- Set up IP whitelist (if applicable)
- Review user roles regularly
- Rotate API keys quarterly
- Enable security alerts
- Review audit logs weekly
- Configure data retention policies
- Enable session timeouts
- Document security procedures
- Train users on security
- Test disaster recovery plan

Regular Security Reviews:

Weekly:
- Review failed login attempts
- Check active sessions
- Monitor API usage
- Review security alerts

Monthly:
- Audit user roles
- Review API keys
- Check MFA adoption
- Update security docs

Quarterly:
- Security training
- Penetration testing (Enterprise)
- Policy review
- Compliance audit

For Users

User Security Best Practices:

- Use a strong, unique password
- Enable MFA
- Never share your password
- Don't share API keys
- Log out on shared devices
- Be cautious of phishing
- Report suspicious activity
- Keep software updated
- Use secure networks
- Review active sessions

Recognizing Phishing:

Red flags:
- Urgent action required
- Suspicious sender address
- Generic greetings
- Spelling/grammar errors
- Unexpected attachments
- Requests for credentials
- Mismatched URLs

If suspicious:
- Don't click links
- Don't download attachments
- Report to security@verk.com
- Verify through official channels

Security Certifications

Current Certifications:

  • SOC 2 Type II
  • ISO 27001
  • GDPR compliant
  • CCPA compliant
  • Privacy Shield (where applicable)

Regular Audits:

  • Annual SOC 2 audit
  • Quarterly penetration testing
  • Monthly vulnerability scans
  • Continuous compliance monitoring

Request Security Documentation:

Available documents:
- SOC 2 Report (NDA required)
- Security whitepaper
- Compliance questionnaires
- DPA/BAA templates
- Penetration test summaries

Contact: security@verk.com

Security concerns? Contact security@verk.com immediately.