Security at Viropay
At Viropay, we understand that security is paramount when it comes to SaaS management. As a startup, we've built our platform with security as a foundational principle, not an afterthought. We implement industry best practices to protect your data and provide transparency about our security measures.
Security Approach & Compliance
Security Standards
Startup with Enterprise Security Mindset: While we're a growing company, we take security as seriously as enterprise organizations do.
Security-First Design: We've built our platform with security considerations integrated from day one.
GDPR Compliance: Our platform is designed to support your organization's GDPR compliance requirements.
Industry Best Practices: We follow security best practices inspired by frameworks like ISO 27001, adapting them to our scale.
Compliance Roadmap: We're working toward formal security certifications as we grow.
Data Security
Data Protection
Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
Encryption at Rest: Your data is encrypted at rest using AES-256 encryption.
Data Minimization: Our browser extension collects only the minimum data necessary for SaaS management functionality.
Data Isolation: Customer data is logically separated to prevent cross-tenant access.
Data Processing
Limited Data Retention: We only retain data for as long as necessary to provide our services.
Secure Data Deletion: When data is deleted, it's securely removed from our systems with verification protocols.
No Third-Party Data Sharing: We never sell your data or share it with unauthorized third parties.
Infrastructure Security
Cloud Security
Modern Cloud Infrastructure: We host our platform on reputable cloud providers, leveraging their built-in security capabilities.
European Data Hosting: Our primary data is hosted in the Netherlands.
Security Alerting: Automated alerting for suspicious activities in our infrastructure.
Layered Security Approach: We implement multiple security controls to protect our infrastructure.
Network Security
Cloud-Native Firewall Protection: We utilize our cloud provider's firewall capabilities to protect our systems.
DDoS Protection: Standard DDoS protection through our cloud infrastructure providers.
Network Access Controls: Strict limitations on who can access our production environments.
Secure Communications: All internal system communications are encrypted.
Application Security
Secure Development
Security-Minded Development Process: Our development team integrates security considerations throughout the development cycle.
Peer Code Reviews: All code changes undergo review with attention to security implications.
Dependency Management: Regular monitoring and updating of third-party dependencies to address known vulnerabilities.
Developer Security Training: Our development team stays informed about secure coding practices.
Authentication & Access
Single Sign-On (SSO): Integration with your organization's identity provider using SAML or OIDC.
Session Management: Secure session handling with appropriate timeouts and controls.
Principle of Least Privilege: All systems and personnel operate with minimal necessary access rights.
People & Process Security
Team Security
Team Vetting: Our small team is carefully selected for trustworthiness and security awareness.
Security Awareness: Regular discussions and updates about security best practices.
Access Control: Limited access to production systems based on necessity.
Secure Work Guidelines: Clear expectations for handling customer data and securing work environments.
Vendor Management
Trusted Vendors: We prioritize working with established, reputable service providers.
Security-Conscious Selection: Security capabilities are a key factor in vendor selection.
Service Provider Reviews: We periodically review the security practices of critical vendors.
Browser Extension Security
Extension-Specific Security
Limited Permissions: Our extension requests only the minimum permissions required.
Scoped Data Collection: The extension collects data only from approved SaaS applications in our database.
No Private Browsing Data: The extension never captures personal browsing history or activities.
Regular Security Updates: The extension is frequently updated to address security concerns.
Code Signing: Our extension packages are cryptographically signed to prevent tampering.
Transparency & Trust
Customer Controls
Security Configuration Options: Customize security settings to meet your organization's requirements.
Data Export Capabilities: Easy export of your data when needed.
Deletion Controls: Self-service options for data deletion.
Our Security Journey
As a startup, we recognize that security is an ongoing journey rather than a destination. While we may not yet have all the formal certifications of larger enterprises, we're committed to growing our security program alongside our business. We prioritize practical security measures that protect your data today while building toward more comprehensive security frameworks as we scale.
We welcome security questions from our customers and are committed to transparency about our security practices. We also value your security feedback, as it helps us improve.
For security discussions or to share security concerns, please contact us at info@viropay.com.
This document provides an overview of our current security practices as a growing startup. We continue to enhance our security capabilities as we scale. Last updated: 12/08/2025.