Security Practices

• Documented security policies reviewed at least annually and approved by leadership.
• Background checks, signed confidentiality agreements, and acceptable-use policies for every team member.
• Mandatory annual security and privacy training, plus secure coding training for engineers.
• Named security and data protection contact available to customers.

• Single sign-on (SSO) with enforced multi-factor authentication (MFA) on all corporate and production systems.
• Role-based access control (RBAC) and least-privilege principles across cloud, code, and ticketing systems.
• Quarterly access reviews and same-day deprovisioning upon role change or offboarding.
• Hardware-backed credentials for engineers with production access.

• Company-managed endpoints with full-disk encryption, screen lock, EDR/anti-malware, and automatic patching.
• Mobile device management (MDM) for remote wipe and policy enforcement.
• Restricted USB and external-storage usage on sensitive projects.

• Production workloads run on reputable cloud providers (AWS, Azure, GCP) in customer-approved regions (EU or US).
• Network segmentation, private subnets, security groups, and infrastructure-as-code reviewed via pull request.
• Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent) by default.
• Centralized secrets management — no secrets in code, tickets, or chat.

• Mandatory peer code review on every change; protected main branches.
• Automated static analysis (SAST), dependency scanning (SCA), secret scanning, and container image scanning in CI.
• Threat modeling for high-risk features and architecture reviews for new services.
• Pre-release dynamic testing (DAST) and, for production releases, third-party penetration tests on request.

• Centralized logging, audit trails, and alerting on anomalous authentication and infrastructure events.
• Documented incident response plan with severity levels, runbooks, and on-call rotation.
• Customer notification within contractual SLAs (typically within 72 hours of confirmed personal-data breach).
• Post-incident reviews with corrective actions tracked to closure.

• Automated, encrypted backups with periodic restore tests.
• Multi-region deployment patterns available for production workloads requiring high availability.
• Documented business continuity and disaster recovery plans exercised at least annually.

We process personal data only as instructed by our customers and in line with our Privacy Policy and Data Processing Addendum. We use vetted sub-processors under written DPAs and apply Standard Contractual Clauses for international transfers.

Sub-processors and critical vendors are reviewed for security and privacy posture before onboarding and re-evaluated annually. We maintain an internal vendor inventory and risk register.

If you believe you have found a security vulnerability in our website or a service we operate, please email hello@vireonlabs.com with the subject line "Security Disclosure". We commit to acknowledging valid reports within 2 business days and to working with you in good faith on remediation.