The trust of our customers is important to us, and that is why we are continuously improving our products and services in terms of security and privacy.
Microblink is ISO 27001 certified, which means that we have set up our Information Security Management System according to the standard's requirements. Ensuring the confidentiality, integrity and availability of systems and data is embedded in everything we do, and we regularly undergo rigorous audits to prove it. In addition to regular ISO audits, Microblink also conducts regular SOC 2 audits in accordance with the AICPA attestation standards, to demonstrate an even higher level of assurance of security best practices. Management of access, encryption and assets, combined with secure development and IT operations practices, is constantly assessed and reviewed in line with risk management.
Encompassing both our US and Croatian offices, the scope of Microblink's ISO 27001 certificate includes development, integration, support, sale and management of services in the field of computer vision technology for the purpose of scanning and verifying documents using advanced neural networks and deep learning techniques.
If you have additional questions about our security posture and practices or you want to report a possible vulnerability, please contact us directly at security@microblink.com.
Since 2023, Microblink has included the ISO 27701 privacy extension in our certification and audit scope. This means that we understand how precious personally identifiable information is and want to protect the rights of individuals by restricting the access, retrieval, collection, disclosure, transmission and other forms of processing of data. We continuously identify privacy risks and reassess the controls that mitigate them, in order to reduce the likelihood of data breaches and privacy incidents.
Privacy by design and privacy by default principles, which are a requirement of the standard, are included in all of our internal processes, including product development. The scope of the ISO 27701 certificate is the same as for ISO 27001, with Microblink in the role of a PII processor. If you are still concerned about sharing your client data or you have a compliance requirement, get in touch with our Sales team to check out our different product options regarding PII processing.
For more information on our dedication to data protection and privacy compliance, see our Privacy Policy.
You can find more about our implemented security best practices and overall compliance on our Trust Center, where you can also download documents regarding our ISO certificates, policies or other product compliance documentation.
At Microblink, we are committed to developing and deploying ML/AI solutions responsibly and ethically.
Our commitment to ethical AI begins at the foundational stage of data collection. We recognize that biased data can lead to biased AI models, and we have established rigorous policies to mitigate such risks. We have a comprehensive framework and policy for the development of ethical AI that can be shared upon request.
Microblink has a formal Information Security Policy in place which is based on the ISO 27001:2022 international standard for information security and the related ISO 27701:2019 privacy extension of that standard. Microblink is certified according to those standards, which ensures that the information security policy and the information security objectives are established and compatible with the strategic direction of the organization, and that information security management system requirements are integrated into the organization's processes.
Microblink has an Information Security and IT Operations department whose manager is also responsible for the Information Security Management System in accordance with the ISO 27001:2022 standard. The tasks of the Head of Information Security and IT Operations include providing leadership and expertise in information security, supporting teams in implementing security controls and monitoring those controls, and cooperating with Board members on topics related to information security on a regular basis.
Microblink has appointed a Data Protection Officer and Privacy Information Management System (PIMS) Manager responsible for implementing, managing and maintaining the PIMS within Microblink in accordance with the ISO 27701:2019 standard, and for duties related to privacy regulations such as the General Data Protection Regulation (GDPR).
Microblink has a well-established Secure Software Development Lifecycle. It consists of risk identification and management in the development process, definition of security requirements, analysis of third-party modules, a code review process, and vulnerability management through regular external pentests and a bug bounty program. Relevant critical and high-risk findings are resolved before deployment to production, while other relevant findings are discussed with the responsible Engineering Manager and the Head of Information Security or resolved during the regular development lifecycle.
Vulnerability disclosure is usually contractually defined with the customer. Upon disclosure of a potential vulnerability to Microblink, which can be done via Customer Support, relevant critical-severity vulnerabilities in the provided product are mitigated as soon as possible and usually no later than thirty days from the date of discovery, relevant high-risk vulnerabilities are mitigated within sixty days from the date of discovery, and other relevant vulnerabilities are resolved during the regular software development lifecycle. Once resolved, the new releases deployed to fix such relevant critical and high vulnerabilities can be disclosed to customers through release notes and Customer Support notifications.
Our source code is managed via Git Source Code Management on Bitbucket Cloud, and permissions for merging into main branches are set so that only senior developers can perform the merge, after making sure that the code changes meet the required quality standards and the CI tests pass. The CI tests are always run both in "production builds" (full optimizations) and "development builds" (most optimizations, assertions enabled, address and undefined-behavior sanitizers enabled) in order to catch memory errors and ensure the contributed code is free of bugs. Besides meeting quality standards, the senior developers are also required to check whether the contribution contains any IP- or security-sensitive checks, such as license checks. Developers then have to validate that all such checks are performed using internal check mechanisms designed to be robust against binary cracking and decompilation, i.e. mechanisms that obfuscate the sensitive decisions in code and any sensitive hard-coded information that could aid decompilation (e.g. error messages).
Microblink has defined a Business Continuity Plan and a Disaster Recovery Plan for internal critical systems, which are tested at least once a year. Information security aspects of business continuity management at Microblink are compliant with the requirements of the ISO 27001:2022 standard. When Microblink is in the role of a service provider, as in the case of the Cloud API type of product, the Cloud API service is set up in a High Availability mode on third-party cloud computing infrastructure. In the case of other types of products, such as mobile or browser SDKs or the Self-Hosted API, the customer is responsible for BCM and DR solutions.
Microblink issues licenses for its products in such a way that each license is tied to a unique identifier, so that even if someone else obtains your license key, they would not be able to use it. As the unique identifier we use app identifiers for mobile SDKs, domain names for in-browser applications, and the system DBUS UUID for Linux systems. All of our products send the license data to our licensing server for validation prior to scanning, which protects both customers and Microblink from license misuse.
Microblink does not conduct audits based on PCI DSS because we do not develop payment solutions and are not directly involved in the processing, storage or transmission of cardholder data on behalf of another business. In the case of SDK and Self-Hosted API products, the data processing results and PII / cardholder information never leave the end-user's device (SDK) or the customer's server (Self-Hosted), and are never shared with Microblink. Furthermore, we believe that our ISO certificates, for which we are regularly audited, provide assurance that our security and privacy practices are well founded and continuously improved.
Microblink operates a bug bounty program to encourage responsible disclosure of security vulnerabilities, and values the contributions of the security community in helping us keep our products secure. Our program is open to independent security researchers, ethical hackers, and members of the general public who comply with our terms of responsible disclosure. You can read the details of our bug bounty program in our Bug Bounty Policy, such as applications in scope, eligible types of vulnerabilities, exclusions, how to submit and related rewards.
Microblink has completed a SOC 2 Type II audit conducted independently by a global leader in IT auditing. The audit is based upon TSP Section 100, 2017 Trust Services Criteria for Security and Availability, and all Microblink Identity products are in the scope. All available certifications and audit reports can be found in our Trust Center after ensuring that non-disclosure requirements have been met.