Security at Viropay
At Viropay, we understand that security is paramount when it comes to SaaS management. As a startup, we've built our platform with security as a foundational principle, not an afterthought. We implement industry best practices to protect your data and provide transparency about our security measures.
Security Approach & Compliance
Security Standards
Startup with Enterprise Security Mindset: While we're a growing company, we take security as seriously as enterprise organizations.
Security-First Design: We've built our platform with security considerations integrated from day one.
GDPR Compliance: Our platform is designed to support your organization's GDPR compliance requirements.
Industry Best Practices: We follow security best practices inspired by frameworks like NIST and ISO 27001, adapting them to our scale.
Security Assessments
Security Testing: We regularly test our systems using automated vulnerability scanning tools.
Vulnerability Management: We use modern development practices to quickly address identified security issues.
External Security Expertise: We engage with security professionals to review our most critical systems.
Ongoing Risk Evaluation: We continuously evaluate security risks and prioritize mitigation efforts.
Compliance Roadmap: We're working toward formal security certifications as we grow.
Data Security
Data Protection
Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
Encryption at Rest: Your data is encrypted at rest using AES-256 encryption.
Data Minimization: Our browser extension collects only the minimum data necessary for SaaS management functionality.
Data Isolation: Customer data is logically separated to prevent cross-tenant access.
Data Processing
Limited Data Retention: We only retain data for as long as necessary to provide our services.
Secure Data Deletion: When data is deleted, it's securely removed from our systems with verification protocols.
Pseudonymization: User identification is pseudonymized by default to protect individual privacy.
No Third-Party Data Sharing: We never sell your data or share it with unauthorized third parties.
Infrastructure Security
Cloud Security
Modern Cloud Infrastructure: We host our platform on reputable cloud providers, leveraging their built-in security capabilities.
European Data Hosting: Our primary data is hosted in the Netherlands, with backups in other EU locations.
Security Alerting: Automated alerting on suspicious activity in our infrastructure.
Layered Security Approach: We implement multiple security controls to protect our infrastructure.
Network Security
Cloud-Native Firewall Protection: We utilize our cloud provider's firewall capabilities to protect our systems.
DDoS Protection: Standard DDoS protection is provided by our cloud infrastructure providers.
Network Access Controls: Strict limitations on who can access our production environments.
Secure Communications: All internal system communications are encrypted.
Application Security
Secure Development
Security-Minded Development Process: Our development team integrates security considerations throughout the development cycle.
Peer Code Reviews: All code changes undergo review with attention to security implications.
Automated Security Tools: We utilize accessible security tools to scan our code for common vulnerabilities.
Dependency Management: Regular monitoring and updating of third-party dependencies to address known vulnerabilities.
Developer Security Training: Our development team stays informed about secure coding practices.
Authentication & Access
Multi-Factor Authentication (MFA): Support for MFA to protect user accounts.
Single Sign-On (SSO): Integration with your organization's identity provider using SAML or OIDC.
Role-Based Access Control (RBAC): Granular permissions ensure users only access what they need.
Session Management: Secure session handling with appropriate timeouts and controls.
Principle of Least Privilege: All systems and personnel operate with minimal necessary access rights.
Operational Security
Incident Response
Incident Response Process: Clear procedures for handling security incidents.
All-Hands Security Response: Our team is trained to respond to security events collectively.
Response Preparation: Team members understand their roles during security incidents.
Customer Communication Plan: Transparent process for notifying customers about security incidents.
Business Continuity
Business Continuity Planning: Practical approaches to maintain service in case of disruption.
Regular Backups: Automated backups with verification processes.
Resilient Architecture: Our design aims to minimize service disruptions.
Recovery Testing: We periodically test our ability to recover from backups.
People & Process Security
Team Security
Team Vetting: Our small team is carefully selected for trustworthiness and security awareness.
Security Awareness: Regular discussions and updates about security best practices.
Access Control: Limited access to production systems based on necessity.
Secure Work Guidelines: Clear expectations for handling customer data and securing work environments.
Vendor Management
Trusted Vendors: We prioritize working with established, reputable service providers.
Security-Conscious Selection: Security capabilities are a key factor in vendor selection.
Service Provider Reviews: We periodically review the security practices of critical vendors.
Browser Extension Security
Extension-Specific Security
Limited Permissions: Our extension requests only the minimum permissions required.
Scoped Data Collection: The extension only collects data from approved SaaS applications in our database.
No Private Browsing Data: The extension never captures personal browsing history or activities.
Regular Security Updates: The extension is frequently updated to address security concerns.
Code Signing: Our extension packages are cryptographically signed to prevent tampering.
Transparency & Trust
Security Communication
Security Documentation: Detailed security documentation available to customers.
Vulnerability Disclosure Program: Clear process for reporting security vulnerabilities.
Security Advisories: Timely notification about security updates and patches.
Customer Controls
Security Configuration Options: Customize security settings to meet your organization's requirements.
Security Logs & Monitoring: Access to relevant security logs and monitoring information.
Data Export Capabilities: Easy export of your data when needed.
Deletion Controls: Self-service options for data deletion.
Our Security Journey
As a startup, we recognize that security is an ongoing journey rather than a destination. While we may not yet have all the formal certifications of larger enterprises, we're committed to growing our security program alongside our business. We prioritize practical security measures that protect your data today while building toward more comprehensive security frameworks as we scale.
We welcome security questions from our customers and are committed to transparency about our security practices. We also value your security feedback, as it helps us improve.
For security discussions or to share security concerns, please contact us at info@viropay.com.
This document provides an overview of our current security practices as a growing startup. We continue to enhance our security capabilities as we scale. Last updated: March 6, 2025.