Verbaco™ Security Overview

Verbaco™ security is built into every layer of the platform, from encryption and identity management to hosting architecture and data flow control. Designed for enterprise and public sector deployments, Verbaco™ follows industry-standard frameworks including the NCSC Cloud Security Principles, STRIDE threat modelling, and GDPR compliance.

We don’t treat security as a bolt-on. It’s foundational.

Secure by Design

Verbaco is architected for environments where data sensitivity, compliance, and uptime are non-negotiable.

  • Hosted on Azure Kubernetes Service (AKS)
    Leverages Microsoft’s trusted infrastructure with configurable security boundaries.
  • Azure API Management (APIM)
    All chatbot traffic is routed through secure gateways with version control, throttling, and OAuth2 token enforcement.
  • HTTPS Across All Endpoints
    TLS 1.3 is enforced by default; certificates are issued by DigiCert or Let’s Encrypt and managed with cert-manager on Kubernetes.
  • Container Hardening
    All images are scanned for vulnerabilities and signed before deployment.

Identity and Access Controls

  • Role-Based Access Control (RBAC)
    Manage user access across admin, editor, developer, and viewer roles.
  • Audit Logging
    Every admin action, LLM response, and API event is logged for traceability and non-repudiation.
  • Scoped API Keys
    API access can be restricted by bot, function, or time window.
  • SSO Integration (Optional)
    Support for Azure AD, SAML2, and OIDC for enterprise federation.
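The scoped API key item above describes a key that is only valid for a given bot, a given set of functions and a time window. The following is an added illustration of how such a check can be written so that every refusal carries a distinct reason for the audit log; it is example code, not Verbaco’s own, and the key record layout, the registry dictionary and the sample bot and function names are assumptions made for the example.

```python
"""Scoped API key verification: bot, function and time-window restrictions.

Added example, not Verbaco code. The KeyScope fields, the in-memory registry
and the sample identifiers are assumptions for illustration.
"""
import dataclasses
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KeyScope:
    key_id: str
    secret_hash: bytes        # sha256 of the secret; the secret itself is never stored
    bots: frozenset           # bot identifiers this key may address
    functions: frozenset      # functions (e.g. "chat", "ingest") this key may call
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def hash_secret(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def issue_key(key_id, bots, functions, valid_for: timedelta, now=None):
    """Create a key limited to the given bots/functions for `valid_for` from `now`.
    Returns the plaintext secret (shown once to the caller) and the stored scope."""
    now = now or datetime.now(timezone.utc)
    secret = secrets.token_urlsafe(32)
    scope = KeyScope(key_id, hash_secret(secret), frozenset(bots),
                     frozenset(functions), now, now + valid_for)
    return secret, scope


def revoke(scope: KeyScope) -> KeyScope:
    return dataclasses.replace(scope, revoked=True)


def check_key(registry, key_id, presented_secret, bot, function, now=None):
    """Return (allowed, reason). Each failure path has its own reason so the
    audit trail records *why* a call was refused, not just that it was."""
    now = now or datetime.now(timezone.utc)
    scope = registry.get(key_id)
    if scope is None:
        return False, "unknown key"
    # constant-time comparison of hashes avoids leaking how many bytes matched
    if not hmac.compare_digest(scope.secret_hash, hash_secret(presented_secret)):
        return False, "bad secret"
    if scope.revoked:
        return False, "revoked"
    if not (scope.not_before <= now < scope.not_after):
        return False, "outside time window"
    if bot not in scope.bots:
        return False, f"bot {bot!r} not in scope"
    if function not in scope.functions:
        return False, f"function {function!r} not in scope"
    return True, "ok"


if __name__ == "__main__":
    # constructed demo: a one-hour key for a single FAQ bot's chat function
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    secret, scope = issue_key("k1", ["faq-bot"], ["chat"], timedelta(hours=1), now=t0)
    registry = {"k1": scope}
    print(check_key(registry, "k1", secret, "faq-bot", "chat", now=t0))
    print(check_key(registry, "k1", secret, "faq-bot", "ingest", now=t0))
    print(check_key(registry, "k1", secret, "faq-bot", "chat", now=t0 + timedelta(hours=2)))
```

The checks are ordered so that an unknown or mismatched secret is refused before any scope detail is evaluated, and the time window is checked before bot and function so an expired key never reveals what it used to be allowed to do.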

Threat Modelling with STRIDE

Verbaco implements threat modelling across all services using STRIDE:

  • Spoofing: API tokens, IP allow-lists, user auth
  • Tampering: Immutable logs, secure configs
  • Repudiation: Full audit trail, time-stamped LLM output logging
  • Information Disclosure: Field-level encryption, controlled LLM output
  • Denial of Service: APIM-based rate limiting and circuit breakers
  • Elevation of Privilege: Least privilege by default, admin segregation

Compliance Frameworks

Verbaco aligns with key public sector and enterprise security standards:

  • NCSC Cloud Security Principles (UK)
  • General Data Protection Regulation (GDPR)
  • ISO/IEC 27001 (via Azure hosting)
  • Data Residency Support (Optional UK/EU zone-only deployments)

Verbaco is suitable for use in:

  • Local and central government departments
  • Education and healthcare bodies
  • Regulated private sector (e.g. finance, utilities)

Data Privacy and Governance

  • PII Awareness: AI prompts can be scrubbed of personally identifiable information before transmission.
  • Data Residency: Optional Azure regions including UK South, North Europe, and others.
  • Data Retention Policies: Customisable logs and document retention.
  • Zero-Training Guarantee: No user data is used to train third-party models unless explicitly agreed.
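The PII Awareness item above says prompts can be scrubbed of personally identifiable information before they are transmitted to a model. As an added example (not Verbaco’s implementation, whose detection rules are not described on this page), the block below shows one way to do that as reversible pseudonymisation: detected values are replaced with placeholders before transmission, the placeholder-to-value map stays on the caller’s side, and the model’s reply is rehydrated locally. The patterns, the Luhn filter on card-like digit runs and the constructed sample prompt are assumptions for the example.

```python
"""Prompt PII scrubbing before transmission, with local rehydration of the reply.

Added example, not Verbaco code. The regexes and the sample prompt are
assumptions; a production scrubber would carry a wider, tuned rule set.
"""
import re

# (kind, pattern) in the order they are applied
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    # 13-19 digits with optional spaces/dashes; confirmed with a Luhn check below
    ("CARD", re.compile(r"\b(?:\d[ -]?){13,19}\b")),
    # UK-style numbers: +44 or a leading 0, then 9-10 digits with optional spaces
    ("PHONE", re.compile(r"(?<!\d)(?:\+44\s?|0)(?:\d\s?){9,10}(?!\d)")),
    ("UK_POSTCODE", re.compile(r"\b[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}\b")),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub(prompt: str):
    """Replace PII with <KIND_n> placeholders. Returns (scrubbed_text, mapping)
    where mapping is kept locally and never sent with the prompt."""
    mapping = {}
    counters = {}

    def make_replacer(kind):
        def _replace(match):
            raw = match.group(0)
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", raw)):
                return raw  # not a real card number, leave it alone
            counters[kind] = counters.get(kind, 0) + 1
            token = f"<{kind}_{counters[kind]}>"
            mapping[token] = raw
            return token
        return _replace

    for kind, pattern in PATTERNS:
        prompt = pattern.sub(make_replacer(kind), prompt)
    return prompt, mapping


def rehydrate(text: str, mapping: dict) -> str:
    """Put the original values back into a model reply that echoed placeholders."""
    for token, raw in mapping.items():
        text = text.replace(token, raw)
    return text


# constructed sample prompt (not real data); the final digit run fails Luhn on purpose
SAMPLE_PROMPT = ("Hi, I'm at SW1A 1AA, email jane.doe@example.com or call 07700 900123. "
                 "Card 4111 1111 1111 1111. Order 1234 5678 9012 3456 is fine.")

if __name__ == "__main__":
    scrubbed, mapping = scrub(SAMPLE_PROMPT)
    print(scrubbed)          # what would be transmitted to the model
    print(mapping)           # stays on the caller's side
    print(rehydrate("Thanks, we will write to <EMAIL_1>.", mapping))
```

Applying the card rule before the phone rule keeps a leading-zero digit group inside a card number from being claimed as a phone number, and the Luhn filter is what lets an order reference that happens to be 16 digits pass through untouched.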

Ongoing Assurance

  • Regular penetration testing by CREST-certified providers
  • Support for security audits under NDA
  • Vulnerability disclosure policy in place
  • Optional private or air-gapped deployments for high-assurance use cases

Need a Security Briefing?

We offer detailed documentation and security walkthroughs tailored to your industry or governance model.
Request a Security Pack or Book a Call with our technical team.
