Virtustructure takes security seriously. We invest in infrastructure protection, encryption, monitoring, and secure payment processing. Security is a shared responsibility between us and you.
Infrastructure Security
Virtustructure hosts customer environments on hardened infrastructure with network isolation, encrypted storage, and access controls. We use industry-standard practices to protect the underlying platform, including regular patching, intrusion detection, and infrastructure monitoring.
All data in transit between your browser, the Virtustructure platform, and our infrastructure is encrypted using TLS 1.2 or higher. Data at rest, including stored volumes and backups, is encrypted using AES-256.
Payment Security
Payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Your payment card details are transmitted directly to Stripe through their secure payment elements and never touch our servers.
We do not store, process, or have access to full card numbers, CVCs, or other sensitive cardholder data. We receive only limited billing information from Stripe, such as the last four digits of your card, card brand, and billing address, which we use for display and invoicing purposes.
Authentication And Access Control
We support secure authentication mechanisms and strongly encourage the use of multi-factor authentication on all accounts. Access to administrative systems and customer infrastructure is restricted to authorized personnel on a least-privilege basis.
API keys and access tokens are scoped to specific permissions and can be revoked at any time. We recommend rotating credentials regularly and using the most restrictive permissions possible for programmatic access.
Shared Responsibility
Security on Virtustructure follows a shared responsibility model. We are responsible for the security of the platform infrastructure, network boundaries, and core services. You are responsible for the security of your hosted workloads, application code, configurations, credentials, data, and exposed endpoints.
This includes managing access controls within your containers, securing API keys and secrets, patching application dependencies, configuring network and authentication settings, and monitoring your environments for unauthorized activity.
Incident Response
We maintain an incident response plan and dedicated processes for identifying, containing, and resolving security incidents that affect the platform. In the event of a confirmed security incident that impacts your data or environments, we will notify affected customers promptly and provide relevant details about the nature of the incident, the data involved, and remediation steps.
If you discover or suspect a security incident affecting your hosted environment, you should immediately rotate any potentially compromised credentials, review access logs, and contact us at security@virtustructure.com.
Vulnerability Disclosure
If you discover a security vulnerability in the Virtustructure platform, we ask that you report it responsibly by contacting security@virtustructure.com. Please include a description of the vulnerability, steps to reproduce it, and any relevant evidence.
We ask that you refrain from exploiting vulnerabilities, accessing other users' data, or publicly disclosing the issue until we have had a reasonable opportunity to investigate and remediate. We will acknowledge receipt of your report within 48 hours and keep you informed of our progress.
Compliance And Certifications
We are committed to meeting industry security standards and continuously improving our security posture. Our payment processing is handled through Stripe, which maintains PCI-DSS Level 1 compliance, SOC 2 Type II certification, and compliance with relevant financial regulations.
While we implement robust security controls, Virtustructure does not independently hold compliance certifications such as SOC 2 or HIPAA at this time. If your workloads are subject to specific regulatory requirements, you should evaluate whether the platform meets your compliance needs and implement additional controls as necessary.
Employee Security Practices
All Virtustructure team members undergo security awareness training. Access to production systems and customer data is limited to personnel who require it for their role, is protected by multi-factor authentication, and is logged for audit purposes.