.png)
Why We Got ISO 27001 Certified Before Turning One
Verso runs thousands of AI-led video and voice interviews. People share opinions, habits, emotions, and personal stories on camera. That's sensitive data, not in the abstract compliance sense, but in the most literal way: real humans being honest about real things.So when we started building Verso, information security had to be foundational, not a roadmap item to deal with after a Series A or a first enterprise contract.
Today, we are officially ISO/IEC 27001 certified.What ISO 27001 actually means
ISO/IEC 27001 is the leading international standard for information security management, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).In plain terms: an independent, accredited certification body audited every layer of how we handle data, from the way we design and develop our platform to how we deploy, test, and maintain it, and confirmed it meets the standard's requirements.This isn't a self-assessment. It's a structured, third-party audit covering people, processes, technology, infrastructure, and legal obligations.Here's what that looks like in practice at Verso:
• A full Information Security Management System (ISMS) purpose-built for a platform where the core product involves real people sharing real thoughts on camera.
• 100% of client data processed and stored in the EU. Supabase in Paris, OpenAI in Ireland, ElevenLabs and Langfuse in EU regions. No exceptions.
• Data processing agreements signed with every single subprocessor, all nine of them, from infrastructure to analytics.
• A structured risk audit covering the entire lifecycle: design, development, testing, deployment, and maintenance of our AI-powered qualitative research platform.
Why this early
A company less than a year old, ISO 27001 certification is unusual. Most startups treat compliance as a box to check once enterprise clients start asking for it, or once there's budget for a dedicated compliance hire.We did it differently because the nature of our product demanded it. Verso asks thousands of people to be honest, vulnerable, and specific, on video. A respondent explaining why they switched banks, how they feel about a brand, or what frustrates them about a product category is sharing something real. The minimum bar for handling that data is not "we'll get to it," but a rigorous, externally validated security framework built into the product from the start.We also didn't want to build fast and retrofit security later. Grafting an ISMS onto an existing product is painful and expensive. Building with it from the beginning means security decisions are embedded in the architecture rather than bolted on after the fact.
What this means for our clientsIf you're a consumer insights lead, a brand strategist, or a UX researcher running studies through Verso, here's what the certification translates to:
1. Stronger data protection. Your respondents' video interviews, transcripts, and analysis are governed by a management system that's been independently audited.
2. Reduced risk. You can point to a recognized international standard when your procurement, legal, or IT security teams ask how your research vendor handles data.
3. EU data residency. Not a policy, a technical reality. Every piece of client data stays within the European Union.
4. Ongoing commitment. ISO 27001 isn't a one-time badge. It requires continuous improvement and annual surveillance audits. The certification is valid for three years, with regular check-ins to maintain it.
What's next
The certification is a foundation, not a finish line. We're continuing to invest in security governance, including penetration testing engagements and an expanded trust center, because the standard we hold ourselves to isn't "what's required" but "what's warranted by the data we handle."Building an AI qualitative research platform means earning trust at scale. The least we can do is protect what people share with the same rigor we apply to analyzing it.