SECURITY AT VIRTA

Reliability and trustworthiness of our systems and services are our priorities

We at Virta take a 360-degree approach to security. All our activities aim for reliable, robust and secure services. This work is supported and promoted by top executives, and Virta has established an Information Security Management System (ISMS) led by the Information Security Management Team. Daily security duties and activities are led by the Chief Information Security Officer. Virta's Information Security Management System is ISO 27001:2013 certified.

Ensuring security is a continuous process, and Virta has defined a risk management process to ensure that security keeps up with the changing threat landscape. Every identified risk is assigned an owner and treated.

Certificates

ISO 27001 certification

Virta is an ISO 27001-certified EV charging company. ISO 27001 is an internationally recognised information security standard that ensures that strict security controls are in place to protect customer data and the operation of products and services is secure.

Kiwa Certified ISO/IEC 27001 logotype

SOC 2 certification

Virta has obtained a Service Organization Control (SOC) 2 Type 2 certification for Security and Availability. SOC 2 is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 examination is an engagement performed by an external service auditor that thoroughly examines all the controls and processes involved in storing, handling and transmitting data securely.

Achieving SOC 2 certification for Security and Availability reinforces Virta's commitment to maintaining the most stringent controls for protecting and securing customer information.

SOC 2 certification logotype from AICPA (American Institute of Certified Public Accountants)

Security of the online services

Virta's publicly available customer systems are developed according to Virta's internal guidelines, which include security requirements. OWASP ASVS is used as a reference for application development, and secure development training is provided for developers. All changes are reviewed before deployment and tested in a test environment before being taken into production use. All changes in the code can be traced back, and a full audit trail of changes exists.

Virta regularly conducts vulnerability scans, security assessments and penetration testing. Vulnerability scans run automatically every week, and thorough penetration testing of public interfaces is done regularly by independent cybersecurity companies. All issues found are analysed, and appropriate fixes and mitigations are deployed.

Publicly available applications and interfaces are hosted in Amazon AWS, and access to these systems is strictly limited to named and approved personnel. AWS provides high reliability and scalability for our services. All secrets (keys, service passwords and similar information) are stored in encrypted form. Only industry-standard cryptographic solutions are used.

Responsible disclosure

The security of customers' data is our top priority. We pay a lot of attention to this during the development phase, but sometimes bugs and vulnerabilities may escape our attention. If you believe you have discovered a vulnerability or security bug in our systems, we would greatly appreciate it if you notify us as soon as possible. This helps us mitigate it quickly in order to protect the data stored in our systems.

For more information or to report a possible security issue, you can reach our security team via email at responsible-disclosure@virta.global

Respect privacy. Make a good-faith effort not to access or destroy another user's data when reporting or verifying your finding. Never wilfully exploit others without their permission.

Data location & protection

Customer and user data are stored in the EU. Online services and databases are hosted in the EU regions of the Amazon AWS cloud. Access to these resources is strictly limited to specific personnel with a direct business need for access. All access rights are requested and granted only on the basis of validated business needs, are documented in a separate tool, and are reviewed annually.

Virta only collects PII (Personally Identifiable Information) that is necessary to provide the services. Collected data is stored only as long as there is a valid need for it. Virta has put in place data protection guidelines, including internal training for personnel with access to customer data, an internal data protection handbook and notification practices.

For more information about the rights of data subjects and other privacy details, see Virta's Privacy Policy.

Modern & secure infrastructure

All Virta services run in modern, protected and scalable cloud services holding various certifications such as ISO 27001:2013, SOC 2 and similar (for the full list, see https://aws.amazon.com/compliance/programs/). Systems do not depend on a single data center. Our automated deployment pipeline keeps the production environment running with the latest security patches installed, and any deviations are detected using continuous vulnerability scans.

Secure payments

Payment card details (credit/debit card) are handled and stored by our PCI DSS-certified partner, Payment Highway.