Access & Authentication Controls
Virtru enforces rigorous access and authentication policies to safeguard customer data within our SaaS environment. Our approach is designed around the principles of least privilege, strict identity verification, and continuous monitoring.
Identity & Authentication
All access to Virtru systems requires authentication through a centralized Single Sign-On (SSO) provider. We strictly enforce hardware-based Multi-Factor Authentication (MFA), requiring FIDO 2.0 security keys for all personnel. Systems that do not support SSO and hardware MFA are strictly prohibited within our environment.
Access Control & Authorization
Access to systems and data is governed by Role-Based Access Control (RBAC) and the principle of least privilege. Access rights are explicitly mapped to job responsibilities, and production environment access requires formal approval. We enforce segregation of duties and mandate the use of company-owned, managed devices over encrypted channels for all administrative access.
Session & Account Management
To limit exposure of data on unattended screens, user sessions automatically lock after 10 minutes of inactivity. Virtru maintains strict account lifecycle management: every user is assigned a unique, non-shared identifier, access is entirely revoked within 24 hours of personnel termination, and accounts are automatically disabled after 90 days of inactivity.
Continuous Monitoring
All access events and privileged function usage are comprehensively logged. We conduct continuous control assessments, periodic access reviews, and actively monitor for atypical usage to ensure ongoing security.