VirtoSoftware Security Overview


Public Version

Document Title: Security Overview
Classification: Public
Version: 2.6
Approval Date: November 17, 2025
Effective Date: November 17, 2025
Next Review Date: November 2026

Company Information:

VirtoSoftware UAB
Ozo g. 12A, Penta Technopolis
LT-08200 Vilnius, Lithuania

Email: support@virtosoftware.com
Phone: +1 (877) 892-7775
Website: www.virtosoftware.com

1. Introduction

VirtoSoftware is committed to providing secure, enterprise-grade applications for Microsoft 365 environments. This overview summarizes our security approach, certifications, and available documentation. For detailed information about our security architecture, policies, and procedures, please contact us to request our comprehensive security documentation package (available under NDA).

2. Our Security Approach

2.1 Your Data Stays Yours

In our standard SaaS model, VirtoSoftware has NO access to your data. All customer data created and managed by our applications is stored directly within your Microsoft 365 tenant (SharePoint Lists, Microsoft Dataverse, etc.). Our application backend, hosted on our Azure servers, processes business logic but does not persist your content data.

2.2 Two Deployment Options

We offer flexible deployment models to meet diverse security and compliance requirements:

  1. Standard SaaS Model – Our multi-tenant application hosted on VirtoSoftware’s Azure infrastructure, with your data remaining in your M365 tenant
  2. Enterprise Self-Deployment – Complete application deployment in your own Azure subscription with full source code access

For more information about deployment options, please contact our sales team.

3. Certifications & Independent Validation

3.1 Microsoft 365 App Certification

VirtoSoftware has successfully completed the Microsoft 365 App Certification for 10 unique applications (16 AppSource listings) across Microsoft Teams, SharePoint, and SaaS platforms. This independent audit by Microsoft validates our adherence to high standards for security, privacy, and compliance.

View All Certifications:

3.2 NATO Penetration Testing (March 2024)

Our Virto Kanban Board application underwent rigorous independent penetration testing by NATO security experts. All identified vulnerabilities were rapidly remediated, demonstrating our commitment to the highest security standards for mission-critical environments.

Read the Full Case Study:
https://www.virtosoftware.com/use-cases/virtosoftware-tested-by-nato/

4. Key Security Practices

4.1 Authentication & Authorization

  • Single Sign-On (SSO) via Microsoft 365 (Azure AD / Entra ID)
  • OAuth 2.0 Delegated Permissions – Applications use user-level permissions only, meaning VirtoSoftware employees cannot access customer data without customer credentials. This Zero Access Architecture ensures applications can only access data that the authenticated user can access, providing an additional layer of security compared to traditional SaaS models.
  • Multi-Factor Authentication (MFA) enforced for all administrative access

4.2 Data Protection

  • TLS 1.2+ encryption for all data in transit
  • No customer data storage on VirtoSoftware servers in standard SaaS model
  • GDPR compliant with Data Processing Agreement (DPA) available

4.3 Development Security

  • Secure Development Lifecycle (SDLC) with mandatory code reviews
  • Microsoft Visual Studio and Azure DevOps development environment
  • Regular vulnerability scanning and dependency updates
  • Strictly limited administrative access with MFA enforcement

4.4 Platform Security

Built on Microsoft Azure infrastructure with:

  • SOC 2 Type II certification
  • ISO 27001 compliance
  • GDPR, HIPAA compliance
  • Global threat intelligence and protection

5. Security Documentation

We maintain comprehensive security documentation to support your security and compliance requirements. Our documentation covers all aspects of information security, from development practices to incident response procedures.

Available Publicly:

  • This Security Overview – High-level summary of security practices and certifications
  • Privacy Policy – Data collection, processing, and privacy practices
    https://www.virtosoftware.com/privacy-policy/
  • Terms of Service – Legal terms and conditions for using VirtoSoftware applications

Available Under NDA:

For enterprise customers and security reviews, we provide detailed security documentation under Non-Disclosure Agreement (NDA):

To request our comprehensive security documentation package, please contact:
Email: support@virtosoftware.com
Subject: Security Documentation Request

6. Compliance & Standards

VirtoSoftware security policies and practices are aligned with industry-leading frameworks and standards:

  • GDPR (General Data Protection Regulation) – Full compliance with EU data protection requirements
  • NIST Cybersecurity Framework – Risk-based approach to managing cybersecurity
  • OWASP Top 10 – Mitigation of common web application security risks
  • Microsoft 365 App Certification – Independent validation of security, privacy, and compliance

Our infrastructure provider, Microsoft Azure, maintains additional certifications including SOC 2 Type II, ISO 27001, HIPAA, and FedRAMP.

7. Contact Us

For security inquiries or to request our comprehensive security documentation package:

Email: support@virtosoftware.com
Phone: +1 (877) 892-7775

Address:
VirtoSoftware UAB
Penta Technopolis, Ozo g. 12A
Vilnius, Lithuania 08200

Version History

Version | Date | Author | Changes
1.0 | October 15, 2024 | VirtoSoftware | Initial release
2.0 | September 17, 2025 | VirtoSoftware | Updated certifications, added NATO testing, enhanced security practices
2.5 | September 17, 2025 | VirtoSoftware | Clarified data storage model, updated application count
2.6 | November 17, 2025 | VirtoSoftware | Simplified for public audience, removed internal details, enhanced OAuth 2.0 explanation, added comprehensive document list with descriptions, updated effective date

VirtoSoftware UAB is a Lithuania-based software development company specializing in enterprise productivity applications for Microsoft 365 and SharePoint environments.

Document Classification: Public
Copyright: ©2006-2025 VirtoSoftware, Inc. All rights reserved.
