
Frequently Asked Questions

Read our most frequently asked questions related to the security, reliability, privacy, and compliance of Virtru and how that impacts you.

Yes! You've come to the right place to find out more about our information security program. Refer to the details in the various sections of our security and compliance docs for more information.

Yes! We undergo FedRAMP and SOC 2 Type II assessments on an annual basis performed by Schellman & Company, a qualified independent assessment firm.

No. We are not currently ISO 27001 certified; however, we are FedRAMP moderate authorized and complete annual SOC 2 assessments. The requirements of these control frameworks align closely with the control requirements of ISO 27001.

No; however, Virtru's FedRAMP and HIPAA programs tightly align our control implementations with the HITRUST framework. HITRUST is tightly aligned with the same control framework as FedRAMP. Virtru's information security program is based on the FedRAMP moderate baseline. We offer a mapping of our controls to HIPAA/HITRUST in section 5 of our SOC 2 report. Read about our FedRAMP and SOC 2 programs for more information.

Yes! For payments you make for use of our services, we use a PCI-certified third-party processor. As for the services we provide, the Virtru Data Security Platform (DSP) is PCI DSS certified. Read more about PCI compliance here.

Yes, we operate a community SaaS environment. While the data that we store resides in shared resources, it is segregated by unique organization IDs to ensure that your data is not accessible to other Virtru customers.

Yes! Our bug bounty program is a cornerstone of our external assessment methodology. Read more about it here.

Typically, no. We do not generally permit our customers to conduct security testing of our systems. We run a bug bounty program and undergo regular penetration testing to give you assurance that our external-facing applications are secure.

Not strictly; it depends, and a CKS is highly encouraged. A CKS gives you the benefit of holding the encryption key for content that you protect using Virtru. While this is not explicitly a requirement to enable compliance with frameworks and legislation such as CJIS or ITAR, we recommend that all customers conduct a thorough risk assessment of their use case for Virtru to determine whether the additional controls that a CKS provides are more appropriate for their risk posture.

Yes! We require all personnel to complete security awareness training upon hire and refresher training at least annually.