Trust Center

Our own security posture —
on the record.

Compliance attestations, security practices, sub-processors, data handling, incident response. Updated as audits complete and certifications land — never aspirational.

What's in place today

Achieved attestations + posture.

Only attestations we have actually achieved are shown here. Aspirational certifications are listed separately below — we don't put a "coming soon" badge alongside one that has been earned.

  • GDPR · UK GDPR: reviewed Q1 2026
  • CCPA · CPRA: reviewed Q1 2026
  • Data residency: EU · US
  • Sub-processor registry: published at /trust

On the roadmap

Aspirational · not yet earned

  • SOC 2 Type II: audit window 2026
  • ISO 27001:2022: targeted 2027
  • ISO/IEC 42001 (AI management): targeted 2027
  • HIPAA-eligible processing: BAA pipeline 2026

These appear separately by design. The category convention (Wiz, CrowdStrike, Tenable) is to show only achieved certifications, with precise dates; roadmap items get their own section so a CISO knows what is earned and what is pending.

Security practices

What we do internally.

Encryption in transit

TLS 1.2+ everywhere. Edge termination at Cloudflare; mTLS between internal services. HSTS preload eligible.

tls 1.2+ · hsts · mtls internal

Encryption at rest

AES-256 for all customer data and findings. Key management isolated from the data plane; rotation schedule documented.

aes-256 · kms-isolated · rotation policy

Authentication + access

JWT TTL 15 minutes by default. Refresh tokens rotate. SSO via Okta / Entra / Google OIDC. SCIM provisioning.

jwt 15m · scim · sso
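As an added illustration of the two controls named above (a short access-token TTL plus rotating refresh tokens), the following Python sketch is example code, not the platform's implementation. It assumes a simplified HS256-style compact token built by hand rather than a JWT library, a hypothetical in-memory RefreshTokenStore, and a constructed subject name. The design point it shows is why rotation matters: a refresh token is single-use, and presenting an already-rotated token is treated as evidence of theft, revoking the entire token family.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL_SECONDS = 15 * 60  # 15-minute access-token lifetime, as stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(key: bytes, subject: str, now: int) -> str:
    """Simplified HS256-style compact token: header.payload.signature (illustration only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": now, "exp": now + ACCESS_TTL_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_access_token(key: bytes, token: str, now: int) -> dict | None:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expected):
        return None
    claims = json.loads(_unb64url(payload))
    if now >= claims["exp"]:
        return None  # expired: the 15-minute window bounds how long a leaked token stays useful
    return claims


class RefreshTokenStore:
    """Hypothetical single-use refresh tokens grouped into families (one family per login).

    A refresh token presented a second time has already been rotated away; the likely
    explanation is theft, so the whole family is revoked and both the attacker and the
    legitimate client are forced to re-authenticate.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, dict] = {}  # refresh token -> {family, sub, used}
        self._revoked_families: set[str] = set()

    def issue(self, subject: str, family: str | None = None) -> str:
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"family": family, "sub": subject, "used": False}
        return token

    def rotate(self, key: bytes, refresh_token: str, now: int) -> tuple[str, str] | None:
        """Exchange a refresh token for (new access token, new refresh token), or None."""
        rec = self._tokens.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["family"])  # reuse detected: kill the family
            return None
        rec["used"] = True
        new_refresh = self.issue(rec["sub"], rec["family"])
        return mint_access_token(key, rec["sub"], now), new_refresh


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    store = RefreshTokenStore()
    now = int(time.time())
    r1 = store.issue("alice@example.com")  # constructed sample subject
    access, r2 = store.rotate(key, r1, now)
    print("claims:", verify_access_token(key, access, now))
    print("reuse of r1 rejected:", store.rotate(key, r1, now) is None)
    print("r2 dead after reuse detection:", store.rotate(key, r2, now) is None)
```

A production service would persist the family and used flags server-side and bind the refresh token to the client session; the in-memory store here exists only to make the reuse-detection logic visible.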

Audit log

Every privileged action — actor, target, reason, timestamp. Stream to your SIEM (Splunk · Datadog · S3) or query via API.

siem stream · api · 1yr retention

Tenant isolation

Row-level isolation in storage; queue-level isolation in processing. Hard separation — never a UI scoping convention.

row-level · queue-isolated · key-segregated
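To make the "hard separation, never a UI scoping convention" distinction concrete, here is an added Python example (not the platform's code) that contrasts the two approaches over a constructed SQLite findings table. It assumes a hypothetical Principal type whose tenant_id comes from the verified session, a leaky UiScopedFindings data layer that trusts the caller to have filtered already, and a hardened TenantScopedFindings layer that puts the tenant in every query predicate.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller (hypothetical). tenant_id is taken from the verified session,
    never from request parameters."""
    user: str
    tenant_id: str


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one findings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE findings (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO findings (id, tenant_id, title) VALUES (?, ?, ?)",
        [
            (1, "tenant-a", "Public S3 bucket"),
            (2, "tenant-a", "Outdated OpenSSL on bastion"),
            (3, "tenant-b", "Default credentials on admin panel"),
        ],
    )
    return conn


class UiScopedFindings:
    """Anti-pattern: isolation is only a convention in the UI layer. The data layer
    accepts any id, so any code path that reaches get() with another tenant's id
    returns that tenant's row."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def get(self, finding_id: int):
        return self.conn.execute(
            "SELECT id, tenant_id, title FROM findings WHERE id = ?", (finding_id,)
        ).fetchone()


class TenantScopedFindings:
    """Hardened: every query carries the principal's tenant_id in its predicate, so an
    id belonging to another tenant simply does not resolve."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def get(self, who: Principal, finding_id: int):
        return self.conn.execute(
            "SELECT id, tenant_id, title FROM findings WHERE id = ? AND tenant_id = ?",
            (finding_id, who.tenant_id),
        ).fetchone()

    def list_ids(self, who: Principal) -> list[int]:
        rows = self.conn.execute(
            "SELECT id FROM findings WHERE tenant_id = ? ORDER BY id", (who.tenant_id,)
        )
        return [r[0] for r in rows]


def demo() -> dict:
    """Same caller, same finding id, both data layers."""
    conn = build_sample_db()
    bob = Principal("bob", "tenant-b")
    return {
        "ui_scoped_leaks": UiScopedFindings(conn).get(1) is not None,      # tenant-a row reachable
        "tenant_scoped_blocks": TenantScopedFindings(conn).get(bob, 1) is None,  # no row for tenant-b
        "bob_sees": TenantScopedFindings(conn).list_ids(bob),
    }


if __name__ == "__main__":
    print(demo())
```

The same principle applies to the queue-level isolation the page mentions: the tenant key should be part of the routing or partition key, so a worker for one tenant never dequeues another tenant's work, rather than being a filter applied after the fact.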

Vulnerability management

We use our own platform on ourselves. Internal findings follow the same Validated · Validating · Theoretical · Suppressed governance.

dogfooded · same governance

Data handling

Where customer data lives, how long, who can leave with it.

Data residency

EU and US regions available. Other regions on request for enterprise customers.

eu · us · regional on request

Sub-processors

Publicly enumerated. Customers are notified 30 days before any new sub-processor goes live.

see table below · 30d notice

Data retention

Findings retained for the contract term plus 30 days; deleted on request. Aggregated, anonymized metrics retained for product improvement.

contract + 30d · deletion on request

Data portability

All your findings, assets, and evidence exportable as JSON, CSV, or PDF on demand. API access included.

json · csv · pdf · api

Sub-processors

Vendors that touch customer data.

Enumerated below. Customers receive 30 days' notice before any new sub-processor is engaged.

Vendor      | Purpose                              | Region | DPA
Cloudflare  | Edge hosting · CDN · DDoS protection | Global | Standard
Resend      | Transactional email delivery         | US     | Standard

Updated 2026-05-23

Incident response

Posture, in plain English.

  • Notify: affected customers notified within 24 hours of incident confirmation.
  • Runbook: documented response plan with escalation paths and external counsel on retainer.
  • Tabletop: internal IR tabletops on a quarterly cadence; lessons logged.
  • Post-mortem: public post-mortem for any incident with customer-facing impact.

Contact

Found something? Tell us.

  • security@virtuethreatx.com
    Vulnerability disclosures · security questions
  • /.well-known/security.txt
    RFC 9116 contact + reporting key
  • DPA · SIG · SIG-Lite
    Available on request — request the questionnaire pack