Compliance

Built for regulation.
Engineered for trust.

Verity is designed from the ground up to meet — and exceed — the strictest requirements in background screening, privacy, data protection, and identity law.

Compliance isn’t an overlay. It’s the architecture.

This page outlines the regulatory foundations, controls, and safeguards that define how Verity operates.

The regulatory foundation

The laws and standards Verity is built to uphold from the first step.

Verity incorporates the requirements of:

  • FCRA — Fair Credit Reporting Act
  • DPPA — Driver’s Privacy Protection Act
  • State-specific background check statutes
  • PBSA accreditation standards (alignment + roadmap)
  • GDPR principles (data minimization, purpose limitation, transparency)
  • EEOC guidance (Fair Chance and individualized assessment)
  • Digital identity regulations involving consent, proofing, and data handling

Every workflow — from identity verification to disclosure to credential issuance — is shaped around these constraints.

FCRA: Compliance by design

Every step of the workflow enforces the rules, not just the results.

Verity encodes the full FCRA ceremony:

  • Clear and standalone disclosures
  • Written electronic authorization
  • State-specific addenda and supplemental notices
  • Permissible purpose validation
  • Adverse action pathways
  • Retention, access, and audit controls

Candidates always know:

  • What is being checked
  • Why it’s being checked
  • Who will see the results
  • What rights they have

Audit-grade records are generated and cryptographically sealed for every consent event.

State-level compliance

Jurisdiction matters — Verity handles the complexity automatically.

State laws vary in:

  • Look-back rules
  • Disclosure requirements
  • Employer restrictions
  • Ban-the-box rules
  • Sector-specific constraints
  • Required candidate notices

Verity applies these rules dynamically — tailoring forms, disclosures, and permissible fields based on:

  • Candidate’s location
  • Role type
  • Employer’s jurisdiction
  • Industry-specific regulations

Compliance becomes consistent, regardless of who is running the check.

PBSA alignment

Structured for accreditation — with industry-recognized expertise.

Verity’s screening operations are built under the guidance of PBSA-trained professionals and national compliance leaders.

The system is aligned with key PBSA pillars:

  • Staff training and process consistency
  • Secure data handling and transmission
  • Quality assurance
  • Investigative procedures
  • Federal and state law adherence

A roadmap to formal PBSA accreditation is embedded into operational practice.

Privacy & data protection

Verity minimizes, protects, and compartmentalizes every piece of data.

Core principles:

  • Data minimization
    Only collect what is required for the check.
  • Least-privilege disclosure
    Employers only receive fields they’re legally permitted to view.
  • End-to-end encryption
    Data is encrypted in transit, at rest, and at the credential level.
  • Zero-biometrics architecture
    Biometrics never leave the device and are never stored server-side.
  • Compartmentalized storage
    Identity, verification data, and credential data are separated and access-controlled.
  • Strict retention policy
    Data retained only as long as legally permissible — and no longer.

Transparency isn’t a feature. It’s an operational requirement.

Selective disclosure

Proof without overexposure.

Verity’s selective disclosure engine ensures:

  • Employers see only the fields they need
  • Redacted data is cryptographically hidden, not just “removed”
  • Disclosure rules match jurisdictional and employer-specific policies
  • Candidates remain in control of what is shared

Example:

A healthcare employer requiring only a sanctions check sees only the sanctions result — not employment history, address history, or unrelated criminal data.

Proof becomes precise.

Identity-bound verification

Credentials cannot be forwarded, forged, or separated from the person they represent.

Every issued credential is:

  • Encrypted to the candidate’s device-held key
  • Accessible only with local biometric presence
  • Valid only for the intended recipient (audience binding)
  • Protected against replay and duplication
  • Anchored to a transparency log for tamper evidence

This closes a major compliance gap — ensuring the person presenting the credential is the one who was actually screened.

Auditability & transparency

Every action has a traceable, tamper-evident record.

Verity maintains:

  • Consent audit logs
  • Disclosure logs
  • Share events
  • Adverse action steps
  • Credential issuance anchors
  • Delta refresh history
  • Verifier actions

Credentials are anchored to a transparency log using Merkle commitments, ensuring:

  • Timestamps
  • Integrity
  • Non-repudiation
  • Tamper detection

Audits become simple, consistent, and reliable.
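To make the two cryptographic claims on this page concrete, the selective disclosure described under "Selective disclosure" (redacted data is hidden, not merely removed) and the Merkle-commitment anchoring described under "Auditability & transparency", here is a small worked example. It is added here for illustration and is not Verity's code; Verity does not publish its construction, so the hash function, the salt size, the field encoding and the tree shape are all assumptions. The sample credential fields are constructed and do not reflect any real schema.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Merkle primitives with RFC 6962-style domain separation between leaves and inner nodes.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves: List[bytes]) -> Tuple[bytes, List[list]]:
    """Return (root, paths); paths[i] is leaf i's audit path as ("L"|"R", sibling) pairs.
    An unpaired node is promoted unchanged, never duplicated, so no phantom leaf is committed."""
    if not leaves:
        raise ValueError("cannot build a tree with no leaves")
    level, pos, paths = list(leaves), list(range(len(leaves))), [[] for _ in leaves]
    while len(level) > 1:
        for i, p in enumerate(pos):
            if p % 2 == 1:
                paths[i].append(("L", level[p - 1]))
            elif p + 1 < len(level):
                paths[i].append(("R", level[p + 1]))
            pos[i] = p // 2
        nxt = [node_hash(level[j], level[j + 1]) for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0], paths

def verify_path(leaf: bytes, path: list, root: bytes) -> bool:
    node = leaf
    for side, sibling in path:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == root

# Selective disclosure: every field is a salted leaf; the credential commits only to the root.
def _field_bytes(salt: bytes, name: str, value: str) -> bytes:
    return salt + name.encode() + b"\x00" + value.encode()

def issue_credential(fields: Dict[str, str]) -> Tuple[bytes, dict]:
    """Issuer: commit to each field under a fresh 128-bit salt. Returns the root (the
    credential commitment) and the per-field salts and audit paths the holder keeps."""
    names = sorted(fields)
    salts = {n: secrets.token_bytes(16) for n in names}
    root, paths = build_tree([leaf_hash(_field_bytes(salts[n], n, fields[n])) for n in names])
    return root, {n: (salts[n], paths[i]) for i, n in enumerate(names)}

def present(fields: Dict[str, str], holder: dict, disclose: List[str]) -> dict:
    """Holder: reveal only the requested fields. The rest stay behind salted hashes, so a
    verifier cannot recover small-domain values (a yes/no flag, a state code) by guessing."""
    return {n: (fields[n], holder[n][0], holder[n][1]) for n in disclose}

def verify_presentation(root: bytes, presentation: dict) -> Dict[str, str]:
    """Verifier: accept a field only if its salted leaf proves against the committed root."""
    accepted = {}
    for name, (value, salt, path) in presentation.items():
        if not verify_path(leaf_hash(_field_bytes(salt, name, value)), path, root):
            raise ValueError(f"field {name!r} does not match the credential commitment")
        accepted[name] = value
    return accepted

# Transparency log: issued credential roots become leaves of a second, append-only tree.
class TransparencyLog:
    def __init__(self) -> None:
        self.entries: List[bytes] = []
    def append(self, credential_root: bytes) -> int:
        self.entries.append(credential_root)
        return len(self.entries) - 1
    def anchor(self, index: int) -> Tuple[list, bytes]:
        """Return (inclusion proof for entry `index`, current log root)."""
        root, paths = build_tree([leaf_hash(e) for e in self.entries])
        return paths[index], root

def verify_inclusion(credential_root: bytes, proof: list, log_root: bytes) -> bool:
    return verify_path(leaf_hash(credential_root), proof, log_root)

def demo() -> dict:
    # Constructed sample credential; field names are illustrative, not Verity's schema.
    fields = {"full_name": "Jane Example", "sanctions": "clear",
              "employment_history": "Acme Corp 2019-2024", "address_history": "Springfield"}
    root, holder = issue_credential(fields)
    # A sanctions-only employer receives one field plus its proof and nothing else.
    presentation = present(fields, holder, ["sanctions"])
    disclosed = verify_presentation(root, presentation)
    # An altered disclosed value no longer matches the commitment and is rejected.
    _, salt, path = presentation["sanctions"]
    try:
        verify_presentation(root, {"sanctions": ("listed", salt, path)})
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Anchor the credential among others, then check inclusion against the log root.
    log = TransparencyLog()
    log.append(hashlib.sha256(b"constructed earlier credential").digest())
    index = log.append(root)
    log.append(hashlib.sha256(b"constructed later credential").digest())
    proof, log_root = log.anchor(index)
    return {"disclosed": disclosed, "tamper_detected": tamper_detected,
            "included": verify_inclusion(root, proof, log_root),
            "unissued_included": verify_inclusion(hashlib.sha256(b"never issued").digest(), proof, log_root)}

if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The per-field salt is what turns "removed" into "cryptographically hidden": without it, a verifier could hash every plausible value of a low-entropy field and match it against the leaf. The log inclusion proof only shows that a commitment was appended to the log at some point; the audience binding and replay protection listed under "Identity-bound verification" are separate mechanisms (a device-held signing key over the presentation, the verifier's identity and a fresh nonce) that this example does not cover.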

Security posture

Verified trust demands verified security.

Verity implements:

  • End-to-end encryption
  • Device-held keys
  • Secure enclave operations
  • Integrity hashing
  • TLS 1.3 mandatory transport
  • OWASP ASVS-aligned development
  • Continuous penetration testing
  • Zero-trust access frameworks
  • SOC 2–aligned controls (roadmap for certification)

Security is not implied — it is enforced.

Compliance, elevated to architecture.

Most systems treat compliance as paperwork. Verity treats it as structure, logic, and design. Every action, credential, and disclosure flows from a regulated, auditable foundation.

Compliance becomes continuous.
Continuous compliance becomes trust.
