We at Virta take a 360-degree approach to security. All our activities aim for reliable, robust and secure services. This work is supported and promoted by top executives, and Virta has established an Information Security Management System (ISMS) led by the Information Security Management Team. Daily security duties and activities are led by the Chief Information Security Officer. Virta's Information Security Management System is certified against ISO 27001:2013.
Ensuring security is a continuous process, and Virta has defined a risk management process so that security keeps up with the changing threat landscape. Every identified risk is assigned an owner and treated.
Virta is an ISO 27001-certified EV charging company. ISO 27001 is an internationally recognized information security standard that specifies the requirements for an ISMS; certification demonstrates that strict security controls are in place to protect customer data and that the operation of products and services is secure.
In addition, Virta has obtained a System and Organization Controls (SOC) 2 Type 2 attestation report for the Security and Availability criteria. SOC 2 is an internationally recognized attestation standard developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report is the result of an examination engagement performed by an external service auditor, who examines the controls and processes involved in storing, handling and transmitting data securely; a Type 2 report covers how those controls operated over a period of time, not just at a single point.
Achieving SOC 2 attestation for Security and Availability reinforces Virta's commitment to maintaining stringent controls for protecting and securing customer information.
Virta's publicly available customer systems are developed according to Virta's internal guidelines, which include security requirements. For application development, OWASP ASVS is used as the reference, and secure development training is provided for developers. All changes are reviewed and tested in a test environment before they are deployed to production. Every change to the code can be traced back, and a full audit trail of changes exists.
Virta regularly conducts vulnerability scans, security assessments and penetration tests. Vulnerability scans run automatically every week, and thorough penetration testing is done regularly by independent cybersecurity companies against the public interfaces. All findings are analyzed, and appropriate fixes and mitigations are deployed.
Publicly available applications and interfaces are hosted in Amazon Web Services (AWS), and access to these systems is strictly limited to named and approved personnel. AWS provides high reliability and scalability for our services. All secrets (keys, service passwords and similar information) are stored in encrypted form. Only industry-standard cryptographic solutions are used.
Customer and user data are stored in the EU. Online services and databases run in AWS EU regions. Access to these resources is strictly limited to specific personnel with a direct business need for it. All access rights are requested and granted only on the basis of validated business needs, are documented in a separate tool, and are reviewed annually.
Virta collects only the PII (Personally Identifiable Information) that is necessary to provide the services. Collected data is retained only as long as there is a valid need for it. Virta has put data protection guidelines in place, including internal training for personnel with access to customer data, an internal data protection handbook and notification practices.
Payment card details (credit/debit card data) are handled and stored by our PCI DSS-compliant partner Payment Highway rather than in Virta's own systems.
All Virta services run on modern, protected and scalable cloud services with certifications such as ISO 27001:2013, SOC 2 and similar (for the full list, see https://aws.amazon.com/compliance/programs/). These certifications cover the underlying cloud platform; Virta's own controls are covered by the ISO 27001 certification and SOC 2 attestation described above. Systems do not depend on a single data center. Our automated deployment pipeline keeps the production environment running with the latest security patches installed, and any deviations are detected by continuous vulnerability scans.