Data Storage & Security


At Virtosoftware, we understand that the security of your data is of utmost importance, which is why we use state-of-the-art security measures to keep your information safe. Our data storage and security framework fully aligns with Microsoft’s data protection standards: see the Microsoft 365 App Certification for Virto Calendar.

Virto Calendar App Security Summary

1. Hosting & Architecture

  • Azure hosting: Our application engine runs exclusively in VirtoSoftware’s Microsoft Azure subscription, with no components deployed on on-premises servers
  • Multi-tenant by default: The service is registered as a multi-tenant app in Microsoft Entra ID, following Microsoft’s guidance for least-privilege, conditional-access-aware SaaS solutions

2. Data Flow & Storage

  • Delegated access only: The app calls Microsoft Graph solely with delegated tokens that inherit the signed-in user’s rights; we never use application-level permissions
  • Ephemeral in-memory processing: Calendar payloads are processed in encrypted RAM and discarded at session end; no customer content is written to any Virto-controlled persistence layer
  • Token lifecycle: Tokens live in transient server memory and expire per Microsoft Graph standards; no long-term cache is persisted, aligning with OWASP session-management guidance

3. Compliance & Certifications

  • Microsoft 365 App Certification: Virto Calendar has passed Microsoft’s independent security & compliance review, evidenced in the Microsoft 365 Partner Center listing
  • Aligned with Microsoft Teams service-level security: Our solution inherits Microsoft 365 defense-in-depth controls and can operate under customer Conditional Access policies

4. Optional “Private-Cloud” Deployment

For organizations with strict security requirements, we offer a custom build that you host in your own Azure subscription. This model provides full administrative control and keeps all telemetry within your environment. Implementation follows Microsoft’s SPFx/Teams app deployment checklist and can be delivered as an SPPKG or ARM template.

5. Alignment with Industry Best Practices

  • Zero-Trust (“never trust, always verify”): Architecture aligns with NIST SP 800-207 and Entra Conditional-Access enforcement
  • Least-privilege OAuth scopes: Only per-user delegated scopes are requested; no broad application roles
  • Encrypted transport & storage: TLS 1.2+ in transit; no at-rest customer data on Virto side
  • Secure session handling: Tokens and calendar objects live exclusively in server RAM; cleared on sign-out, echoing OWASP secure-coding checklists
  • Scalable in-memory cache hygiene: Azure-native memory-management recommendations followed to prevent eviction leaks
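Sections 2 and 5 above both rest on the same claim: the app holds only per-user delegated scopes and no application-level permissions. A tenant administrator can verify that claim for any multi-tenant app from the service principal's consent records in Microsoft Graph. The following is an added example, not Virto's code: it assumes you have already exported the service principal's delegated grants (GET /servicePrincipals/{id}/oauth2PermissionGrants) and application role assignments (GET /servicePrincipals/{id}/appRoleAssignments), and audits those two lists. The JSON objects, the object-id placeholders and the watch list of broad scopes are constructed for the example.

```python
"""Audit an Entra service principal's consented permissions from exported Graph data.

Added example, not Virto's code. Input shapes follow the Microsoft Graph
oauth2PermissionGrant and appRoleAssignment resources; the sample data below
is constructed and uses placeholder ids.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample: a calendar add-in that requested only per-user delegated
# scopes. 'scope' on an oauth2PermissionGrant is a space-separated string.
SAMPLE_OAUTH2_GRANTS = [
    {
        "clientId": "sp-object-id-placeholder",
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": "graph-sp-object-id-placeholder",
        "scope": "User.Read Calendars.ReadWrite offline_access",
    },
]

# No appRoleAssignments at all: this is what "delegated access only" looks like.
SAMPLE_APP_ROLE_ASSIGNMENTS: list[dict] = []

# Constructed counter-example: the same app with one application role assigned
# on the Microsoft Graph resource, which contradicts a delegated-only claim.
SAMPLE_WITH_APP_ROLE = [
    {
        "appRoleId": "app-role-guid-placeholder",
        "principalId": "sp-object-id-placeholder",
        "resourceId": "graph-sp-object-id-placeholder",
        "resourceDisplayName": "Microsoft Graph",
    },
]

# Hypothetical watch list: delegated scopes wider than a calendar add-in needs.
BROAD_DELEGATED_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"}


def delegated_scopes(grants: Iterable[dict]) -> set[str]:
    """Flatten the space-separated 'scope' strings of oauth2PermissionGrant objects."""
    scopes: set[str] = set()
    for grant in grants:
        scopes.update(grant.get("scope", "").split())
    return scopes


def audit_permissions(grants: Iterable[dict], app_role_assignments: Iterable[dict]) -> dict:
    """Summarise consent state and list anything that contradicts 'delegated only'."""
    roles = list(app_role_assignments)
    scopes = delegated_scopes(grants)
    findings: list[str] = []
    if roles:
        # Any appRoleAssignment is an application permission (no signed-in user).
        resources = sorted({r.get("resourceDisplayName", r.get("resourceId", "?")) for r in roles})
        findings.append(f"{len(roles)} application role assignment(s) on {', '.join(resources)}")
    broad = sorted(scopes & BROAD_DELEGATED_SCOPES)
    if broad:
        findings.append("broad delegated scopes: " + ", ".join(broad))
    return {
        "delegated_scopes": sorted(scopes),
        "application_roles": len(roles),
        "delegated_only": not roles,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, roles in (("as claimed", SAMPLE_APP_ROLE_ASSIGNMENTS),
                         ("with app role", SAMPLE_WITH_APP_ROLE)):
        print(label, audit_permissions(SAMPLE_OAUTH2_GRANTS, roles))
```

The check deliberately treats any appRoleAssignment as a finding rather than looking up role names, because application roles act without a signed-in user and so bypass the per-user Conditional Access evaluation that delegated tokens are subject to; the broad-scope watch list is a starting point to adapt to what your tenant considers excessive for a calendar add-in.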

For more information, please check the Security FAQ.
