
Security Disclosure

The controls, architecture, and practices that protect the MYID platform and Client data.

To report a vulnerability: security@ext.myidselfverify.com

Effective Date
January 1, 2026
Last Updated
January 1, 2026
Operated By
Software Productivity Strategists, Inc.

Contents

  1. Our Security Commitment
  2. Infrastructure and Hosting
  3. Data Security
  4. Access Control
  5. Application Security
  6. Platform Identity and Authentication Security
  7. Threat Detection and Monitoring
  8. Incident Response
  9. Business Continuity and Disaster Recovery
  10. Compliance Posture
  11. Sub-Processor and Vendor Security
  12. Employee Security
  13. Responsible Disclosure
  14. Contact

1. Our Security Commitment

MYID Self Verify is purpose-built to secure enterprise identity infrastructure. We are an identity security platform, and we hold ourselves to the same standard we help our clients achieve. This Security Disclosure describes the controls, architecture, and practices that protect our platform and the Client data entrusted to us.

To report a vulnerability or security concern, contact: security@ext.myidselfverify.com

2. Infrastructure and Hosting

  • Cloud Provider: Microsoft Azure
  • Data Residency: All Client data is stored and processed within designated Azure regions. Available regions are US-East (United States) and UAE-North (United Arab Emirates). Region selection is configured per Client.
  • Network Security: Web application firewall (WAF), network security groups, and DDoS protection enforced at infrastructure and application layers; production, staging, and development environments are fully segregated.
  • Physical Security: All physical infrastructure is managed by Microsoft Azure, which maintains SOC 2 Type II and ISO 27001 certification at the data center level.

3. Data Security

Control and implementation:

  • Encryption in Transit: TLS 1.2 minimum enforced across all endpoints; TLS 1.3 preferred
  • Encryption at Rest: AES-256 for all stored Client Data
  • Key Management: Azure Managed Key Management Service (KMS); keys are scoped per environment
  • Database Security: Access restricted to authenticated application service accounts; no direct public database access
  • Backup Encryption: All backups encrypted at rest and stored in a geographically redundant Azure location
  • Tenant Data Isolation: Logical isolation enforced at the application layer; no cross-tenant data access

4. Access Control

  • All internal access to production systems is restricted to authorized SPS personnel on a least-privilege, need-to-know basis
  • MFA is mandatory for all SPS employee access to production environments — we operate on the same zero-trust principles we deliver to clients
  • Privileged access is time-limited, logged, and subject to quarterly review
  • Employee and contractor offboarding triggers immediate, automated access revocation across all connected systems
  • All third-party vendor access is governed by security review, contractual obligations, and scoped to the minimum required for their service function

5. Application Security

  • Secure Software Development Lifecycle (SSDLC) with mandatory security review gates at each development stage
  • Static Application Security Testing (SAST) and software composition analysis (dependency vulnerability scanning) integrated into the CI/CD pipeline
  • Dynamic Application Security Testing (DAST) performed on each major release cycle
  • Annual third-party penetration testing by an independent security firm; critical and high findings remediated within 30 days of identification
  • OWASP Top 10 mitigations enforced by design
  • Parameterized queries and strict input validation enforced to prevent injection attacks
  • API authentication via OAuth 2.0 and OIDC; rate limiting and abuse detection enforced on all API endpoints

6. Platform Identity and Authentication Security

The MYID Self Verify platform enforces the following controls for Client environments:

  • 100% MFA coverage, required for all End User and administrator sessions — no exceptions
  • Adaptive, risk-based authentication with per-event risk scoring
  • Autonomous session termination upon threat confirmation by the user or MYID Autopilot
  • Automated credential rotation triggered by security events
  • SAML 2.0, OIDC, SCIM 2.0 federation support for seamless integration with existing identity stacks
  • Vendor-agnostic integration with IBM ISIM/ISAM, IBM Verify, Okta, Microsoft Entra ID, Ping Identity, Active Directory, and other leading IAM platforms
  • Tamper-evident audit logging of all authentication and administrative events, written in real time

7. Threat Detection and Monitoring

  • 24/7 automated platform monitoring with real-time alerting and escalation
  • Behavioral anomaly detection on login patterns, device fingerprinting, and geolocation signals
  • SIEM/XDR integration support including IBM QRadar, Splunk, and other major platforms — event forwarding configured per Client
  • Real-time security alerts surfaced to Client security teams via MYID Protect
  • MYID Autopilot can autonomously contain threats in under 60 seconds — killing sessions, rotating credentials, and generating compliance evidence with zero IT intervention required

8. Incident Response

In the event of a security incident affecting Client Data, SPS follows a documented incident response process:

Phase and action:

  • Detection: Automated monitoring or responsible disclosure triggers internal security alert
  • Containment: Affected systems isolated; unauthorized sessions terminated immediately
  • Assessment: Scope, impact, and affected data determined by security team
  • Client Notification: Clients notified within 72 hours of confirming a breach affecting their data
  • Remediation: Root cause addressed; security controls reviewed and hardened
  • Post-Incident Review: Written findings and remediation summary provided to affected Clients upon request

Notifications are sent to the Client's account email of record. Clients are strongly encouraged to maintain a current security contact in their account settings.

9. Business Continuity and Disaster Recovery

  • Recovery Time Objective (RTO): 2 hours
  • Recovery Point Objective (RPO): 2 hours
  • DR failover tested annually using Azure-native geo-redundant infrastructure
  • Platform uptime target: 99.99% per calendar month, consistent with Microsoft Azure infrastructure SLAs
  • Redundant deployment across Azure availability zones within each data residency region

10. Compliance Posture

MYID Self Verify is operated on Microsoft Azure infrastructure, which holds the following certifications at the data center and infrastructure level: SOC 2 Type II, ISO/IEC 27001, FedRAMP High (US region), and others. SPS, Inc. leverages these inherited controls as part of its security program. At the application and organizational level, SPS is working to formalize its compliance posture as the platform scales. Clients with specific compliance requirements are encouraged to contact us directly.

Requirement and status:

  • Azure Infrastructure (SOC 2, ISO 27001): Inherited; Microsoft Azure certified
  • GDPR (Data Processor): Compliant via DPA; EU data residency not currently offered
  • CCPA: Compliant
  • UAE PDPL: Compliant; UAE-North data residency available
  • HIPAA BAA: Not currently offered
  • FedRAMP (Application-level): Not currently authorized

Compliance documentation and security questionnaire responses are available to Clients and qualified prospects. Contact security@ext.myidselfverify.com.

11. Sub-Processor and Vendor Security

All third-party vendors and sub-processors with access to Client Data are subject to:

  • Security and privacy due diligence review prior to engagement
  • Contractual data protection and confidentiality obligations
  • Annual security posture review
  • Inclusion in the DPA sub-processor schedule, with Client notification of any material additions or changes

12. Employee Security

  • Background screening for all employees and contractors with access to production systems or Client Data
  • Security awareness training at onboarding and annually thereafter
  • Acceptable use, confidentiality, and data handling agreements signed by all personnel
  • Phishing simulation exercises conducted regularly
  • Security incident reporting procedures communicated to all staff

13. Responsible Disclosure

SPS welcomes good-faith reports of security vulnerabilities affecting MYID Self Verify.

  • Do not exploit, publicly disclose, or share the vulnerability with third parties before we have had a reasonable opportunity to investigate and remediate
  • Submit a detailed report to security@ext.myidselfverify.com, including a description of the vulnerability, steps to reproduce, and potential impact
  • We will acknowledge receipt within 2 business days
  • We will provide a remediation timeline and keep you informed of progress
  • SPS will not pursue legal action against researchers who act in good faith under these guidelines

We do not currently operate a formal bug bounty program, but we do recognize responsible disclosures and are committed to remediation.

14. Contact

Software Productivity Strategists, Inc. — Security Team

Email: security@ext.myidselfverify.com

Address: 2400 Research Blvd, Ste 115, Rockville, MD 20850

For confirmed active incidents, include "URGENT" in your email subject line. PGP key available upon request for encrypted communications.

© 2026 MYID Self Verify. Powered by SPS, Inc.