Security first

Reliability and trustworthiness of our systems and services are our top priority

All our development activities aim for reliable, robust and secure services. This work is supported and promoted by top executives, and Virta has established an Information Security Management System (ISMS) led by the Information Security Management Team. Daily security duties and activities are led by the Chief Information Security Officer. Virta's Information Security Management System is ISO27001:2013 certified.


Ensuring security is a continuous process, and Virta has defined a risk management process to ensure that security keeps up with the changing threat landscape. All identified risks are always assigned an owner and treated.

Security of the online services

Virta's publicly available customer systems are developed according to Virta's internal guidelines, which include security requirements. For application development, OWASP ASVS is used as a reference, and secure development training is provided for developers. All changes are reviewed before deployment and tested in a test environment before being taken into production use. All changes in the code can be traced back, and a full audit trail of changes exists.

Virta regularly conducts vulnerability scans, security assessments and penetration testing. Vulnerability scans are run automatically every week, and thorough penetration testing against public interfaces is done regularly by independent cybersecurity companies. All issues found are analyzed, and appropriate fixes and mitigations are deployed.

Publicly available applications and interfaces are hosted in Amazon AWS, and access to these systems is strictly limited to named and approved personnel. AWS provides high reliability and scalability for our services. All secrets (keys, service passwords and similar information) are stored in encrypted form. Only industry-standard cryptographic solutions are used.

Data location and protection

Customer and user data are stored in the EU. Online services and databases are hosted in the EU regions of the Amazon AWS cloud. Access to these resources is strictly limited to specific personnel with a direct business need for access. All access rights are requested and granted only on the basis of validated business needs, are documented in a separate tool, and are reviewed annually.

Virta only collects the PII (Personally Identifiable Information) that is necessary to provide the services. Collected data is stored only as long as there is a valid need for it. Virta has put data protection guidelines in place, including internal training for personnel with access to customer data, an internal data protection handbook and notification practices.
For more information about your rights as a data subject and other privacy details, see Virta's Privacy Policy (https://www.virta.global/privacy-policy).

Secure payments


Payment card details (credit/debit cards) are handled and stored by our PCI-DSS certified partner, Payment Highway.

Modern and secure infrastructure


All Virta services run in modern, protected and scalable cloud services with various certifications such as ISO27001:2013, SOC2 and similar (for the full list, see https://aws.amazon.com/compliance/programs/). Systems are not dependent on a single data center. Our automated deployment pipeline keeps the production environment running with the latest security patches installed, and any deviations are monitored using continuous vulnerability scans.

Responsible disclosure


The security of customers' data is our top priority. We pay a lot of attention to this during the development phase, but sometimes bugs and vulnerabilities may escape our attention. If you believe you have discovered a vulnerability or security bug in our systems, we would greatly appreciate it if you notified us as soon as possible. This helps us mitigate it quickly in order to protect the data stored in our systems.

For more information, or to report a possible security issue, you can reach our security team by email at responsible-disclosure@virta.global.

Respect privacy. Make a good-faith effort not to access or destroy another user's data when reporting or verifying your finding. Never willfully exploit others without their permission.

We would also like to thank the following individuals who have contributed to the security of our systems and users:
Max Lassila
Michael Kessler (@mike_knight)