Trust · last updated 2026-06-08
Security & trust

How we protect your data.

Security is a precondition for shipping into real operations. Here's how we approach it across infrastructure, code, and process.

The short version.

All data in transit and at rest is encrypted. Customer data is segregated by tenant. Access is least-privilege, audited, and requires hardware-backed MFA for engineers. We run on hardened cloud infrastructure with continuous vulnerability scanning. We disclose incidents promptly per contractual SLAs.

What we do — by area.

Encryption

In transit & at rest.

TLS 1.3 for all network traffic. AES-256 for data at rest. Keys managed via cloud KMS with rotation.

Access control

Least privilege, MFA, audited.

Role-based access, hardware-backed MFA for all engineers, just-in-time elevation, full audit log.

Tenant isolation

Logical & physical separation.

Customer data is logically segregated by tenant. Enterprise tier supports dedicated infrastructure on request.

Vulnerability mgmt

Continuous scanning + patches.

SAST/DAST in CI, weekly dependency scans, container vulnerability checks, quarterly third-party pen tests.

Monitoring

24/7 SIEM + alerting.

Real-time security event monitoring with on-call rotation. Anomaly detection on auth and admin actions.

Resilience

Backups + DR.

Daily encrypted backups with point-in-time recovery. Disaster recovery plan tested quarterly.

Compliance & certifications.

Production targets:

  • SOC 2 Type II — audit underway, completion target Q4 2026.
  • ISO/IEC 27001 — certification path planned for 2027.
  • GDPR — compliant; Data Processing Addendum available on request.
  • Industry-specific — additional compliance frameworks (e.g., HIPAA, PCI DSS) available on enterprise engagements.

Responsible disclosure.

Found a vulnerability? Please report it directly to security@virtusoperandi.com. We commit to:

  • Acknowledging your report within 2 business days;
  • Providing a remediation timeline within 10 business days;
  • Crediting you in our security acknowledgements (unless you prefer otherwise);
  • Not pursuing legal action against good-faith security research conducted under this policy.

Please do not exploit findings, access customer data, or disrupt the Service. Coordinate with us before public disclosure.

Customer responsibilities.

Security is shared. As a customer, you are responsible for:

  • Managing user accounts and credentials in your tenant;
  • Configuring access controls appropriate to your data sensitivity;
  • Promptly reporting suspected unauthorized access;
  • Following secure development practices when extending the platform via Agents or AI Factory.

Contact.

Security questions, audit requests, or DPA requests: security@virtusoperandi.com.

Preview state. Compliance certifications are pursued targets, not yet awarded. Audit reports and the DPA template will be linked here once available.