
Frequently Asked Questions

Read our most frequently asked questions related to the security, reliability, privacy, and compliance of Virtru and how that impacts you.

Does Virtru have an information security program?


You've come to the right place to find out more about our information security program. Refer to the details in the various sections of our security and compliance docs for more information.

Does Virtru undergo regular independent audits?


We undergo FedRAMP and SOC 2 Type II assessments on an annual basis performed by Schellman & Company, a qualified independent assessment firm.

Is Virtru ISO 27001 certified?


We are not currently ISO 27001 certified; however, we are FedRAMP Moderate authorized and complete annual SOC 2 assessments. The requirements of these control frameworks align closely with the control requirements of ISO 27001.

Is Virtru HITRUST certified?

No; however, Virtru's FedRAMP and HIPAA programs tightly align our control implementations with the HITRUST framework.

HITRUST is tightly aligned with the same control framework as FedRAMP. In fact, HITRUST used FedRAMP as a guide to updating their framework for the cloud. Virtru's information security program is based on the FedRAMP Moderate baseline. The FedRAMP Moderate baseline requires implementation of the moderate impact controls defined in NIST SP 800-53 rev. 4. You can see in the summary of changes for HITRUST framework v9.6 (the latest at the time of writing) that one of the main focus areas for this release was a closer mapping to the 800-53 control baseline. Further, Virtru overlays our control implementations to comply with the requirements of the HIPAA and HITECH security and breach rules to ensure appropriate protection of PHI. We offer a mapping of our controls to HIPAA/HITRUST in section 5 of our SOC 2 report. Read about our FedRAMP and SOC 2 programs for more information.

So, while Virtru is not HITRUST certified, our security program and controls are aligned in compliance with the requirements that informed, and are required by, the HITRUST certification program.

Is Virtru PCI compliant?

Yes, but not certified.

In the context of processing your payments for use of our services - we process your payments using a PCI certified third-party processor.

As it relates to the services we provide - the Virtru Data Protection Platform is not PCI certified; however, many customers leverage Virtru as a part of their PCI compliance program. Virtru's DLP rules can help prevent cardholder data from being sent or shared unencrypted, thus preventing exposure to third-party email service providers, and can be used in some cases to exclude cloud services from the scope of the PCI environment by encrypting documents with cardholder data before transmission.

Does Virtru store data in a shared platform with other customers?

Yes, we operate a community SaaS environment.

While the data that we store resides in shared resources, it is segregated by unique organization IDs to ensure that your data is not accessible to other Virtru customers.

Does Virtru run a bug bounty program?


Our bug bounty program is a cornerstone of our external assessment methodology. Read more about it here.

Does Virtru allow customers to conduct security testing of its externally facing applications?

Typically, no.

We do not typically permit our customers to conduct security testing of our systems. We run a bug bounty program and undergo regular penetration testing to provide you assurance that our externally facing applications are secure.

Is a Customer Key Server (CKS) required to use Virtru for compliance with CJIS, ITAR, etc.?

Not strictly; it depends on your use case, but a CKS is highly encouraged.

A CKS provides you the benefit of holding the encryption key for content that you protect using Virtru. While this is not explicitly a requirement to enable compliance with frameworks and legislation such as CJIS or ITAR, we recommend that all customers conduct a thorough risk assessment of their use case for Virtru to determine whether the additional controls that a CKS provides are more appropriate for their risk posture.

Does Virtru have mandatory security awareness training for employees?


We require all personnel to complete security awareness training upon hire and refresher training at least annually.