Virtuo Security Program
At Virtuo, trust is the foundation of every client relationship. Since 2017, we’ve delivered secure and innovative digital solutions for the PropTech industry, guided by a commitment to data integrity, transparency, and continuous improvement.
Our security program follows SOC 2 Type II standards, with controls that are carefully designed, consistently applied, and independently audited. We take a proactive approach to protecting the confidentiality, integrity, and availability of client data.
This page offers a clear view into our security practices, compliance certifications, and the steps we take to safeguard information. We believe that trust is earned through accountability and maintained through ongoing diligence.
Virtuo’s security program is built on five foundational principles:
Least Privilege Access
Employees only access data necessary for their roles.
Defense in Depth
Multiple layers of security across infrastructure, application, and endpoints.
Consistent Control Application
Policies and controls are uniformly enforced across environments.
Iterative Improvement
Controls are reviewed and refined regularly.
Transparency and Accountability
Security decisions are documented and auditable.
All information systems developed and/or controlled by Virtuo that store or transmit confidential data are encrypted.
Our team evaluates the risks inherent in processing and storing data, and implements cryptographic controls to mitigate those risks where deemed appropriate.
Where encryption is in use, strong cryptography with associated key management processes and procedures shall be implemented and documented. All encryption shall be performed in accordance with industry standards, including NIST SP 800-57.
When handling customer or confidential company data, whether at rest or in transit over a public network, we use strong ciphers and configurations in accordance with vendor recommendations and industry best practices, including NIST guidance.
Virtuo Inc. shall determine the type and level of access granted to individual users based on the "principle of least privilege." This principle states that users are only granted the level of access absolutely required to perform their job functions, and is dictated by Virtuo Inc.'s business and security requirements. Permissions and access rights not expressly granted shall be, by default, prohibited.
We collect only the data that is necessary to deliver Virtuo’s services. Retention policies are regularly reviewed to ensure responsible storage of data.
Secure Development Practices
Significant code changes undergo peer review and automated security checks.
Vulnerability Management
We run recurring scans across our environments and remediate findings based on severity. Annual penetration tests are conducted by independent experts.
Dependency Monitoring
We continuously monitor third-party libraries for known vulnerabilities and apply patches promptly.
Environment Segmentation
Production, staging, and development environments are isolated to prevent cross-contamination and reduce risk.
Multi-Factor Authentication
All privileged access to production infrastructure shall use Multi-Factor Authentication (MFA).
Virtuo employees are granted access to applications based on their role, and are automatically deprovisioned upon termination of their employment. Any further access must be approved according to the policies set for each application.
Virtuo Inc.'s primary method of assigning and maintaining consistent access controls and access rights shall be through the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions shall be allocated to groups. Individual user accounts may be granted additional permissions as needed with approval from the system owner or authorized party.
All authentication is managed through Microsoft Entra ID, with role-based provisioning and deprovisioning workflows that ensure users have appropriate access based on their responsibilities.
Access events are logged and retained for audit and forensic purposes.
Security is a shared responsibility across our organization. We invest in ongoing education to keep our teams informed and vigilant:
Onboarding Training
Every new employee completes security awareness training as part of their onboarding.
Annual Refreshers
All staff participate in annual training covering data protection, phishing, and secure practices.
Phishing Simulations
Regular simulations help reinforce awareness and identify areas for improvement.
Developer Enablement
Software developers shall be provided with secure development training appropriate to their role at least annually. The following threats and vulnerabilities should be addressed as appropriate:
Prevention of authorization bypass attacks
Prevention of cross-site scripting attacks
Prevention of the use of insecure session IDs
Prevention of cross-site request forgery attacks
Prevention of injection attacks
Prevention of the use of vulnerable libraries