Security at Possitiv.

Possitiv is built for regulated, enterprise-grade workflows — trade compliance, ESG, privacy, and producer responsibility. Security and resilience are foundational to how we design, build, and operate the platform.

Encryption in transit & at rest

All traffic between your browser and Possitiv is encrypted using TLS 1.2+. Customer data is encrypted at rest using AES-256 on managed cloud infrastructure.

Authentication & access

Sign-in is by email/password or supported SSO providers, with role-based access controls. Administrative actions are scoped according to the principle of least privilege.

Hosting & isolation

Possitiv runs on hardened, enterprise-grade cloud providers with logical tenant isolation, segmented networks, and managed Postgres with row-level security.

Monitoring & logging

Application, infrastructure, and authentication events are continuously logged and monitored. Anomalies trigger alerts to our on-call engineers.

Secure development

Code is peer-reviewed, dependencies are scanned, and infrastructure changes go through a controlled deployment pipeline with audit trails.

Incident response

We maintain an incident response process covering detection, containment, eradication, recovery, and post-incident review. Customers affected by a material incident are notified without undue delay.

Shared responsibility

Possitiv secures the platform; you control who has access to your workspace, what data is uploaded, and how integrations are configured. Strong workspace hygiene matters.

Data privacy

Customer data is never sold and is not used to train third-party AI models. Subprocessors are vetted and bound by contractual security and confidentiality obligations.

Compliance program

Possitiv aligns its internal controls with widely adopted frameworks including SOC 2, ISO/IEC 27001, India's DPDP Act, and GDPR. Certifications and third-party reports are pursued in line with customer demand and product maturity; current status is available on request under NDA.

Data residency & retention

Customer data is hosted in the region selected at provisioning. Retention follows the contract: data is retained for the lifetime of your subscription and deleted or anonymised within a commercially reasonable window after termination, unless retention is required by law.

Subprocessors

Possitiv uses a limited set of vetted subprocessors for hosting, email, analytics, and support. Each is bound by contractual security, confidentiality, and data-protection obligations. A current list is available on request.

Vulnerability disclosure

We welcome responsible disclosure of security issues. Email possitivlabs@gmail.com with details and steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate.

Contact

For security questions, DPAs, or audit requests, contact possitivlabs@gmail.com.