Back to Compliance Portal

Compliance document

Encryption Overview

Overview of encryption expectations for VerbalCheck data in transit and at rest.

Status

Published overview

Effective date

June 2026

Audience

IT security reviewers, CIOs, CISOs, and procurement teams

Encryption in transit

  • Production web traffic is delivered over HTTPS.
  • LMS launch and API calls should use HTTPS endpoints.
  • Outbound LMS requests enforce HTTPS and configured host allowlists.

Encryption at rest

Database, object storage, and hosting providers are expected to use provider-backed encryption at rest for production data. Specific encryption implementation details depend on the configured provider, plan, region, and customer agreement.

Secrets and credentials

  • Production secrets should be stored in deployment provider environment variables, not committed to source control.
  • JWT secrets must be strong and unique per environment.
  • High-value API keys should be rotated when exposure or operational risk is identified.