VirtoSoftware Security Overview

Public Version

Document Title: Security Overview
Classification: Public
Version: 3.0
Approval Date: February 9, 2026
Effective Date: February 9, 2026
Next Review Date: February 2027

Company Information:

VirtoSoftware UAB
Ozo g. 12A, Penta Technopolis
LT-08200 Vilnius, Lithuania

Email: support@virtosoftware.com
Phone: +1 (877) 892-7775
Website: www.virtosoftware.com

1. Introduction

VirtoSoftware is committed to providing secure, enterprise-grade applications for Microsoft 365 environments. This overview summarizes our security approach, certifications, and available documentation. For detailed information about our security architecture, policies, and procedures, please contact us to request our comprehensive security documentation package comprising 7 detailed policy documents (available under NDA).

1.1 About VirtoSoftware

VirtoSoftware UAB, founded in 2008, is a Lithuania-based software company specializing in enterprise productivity applications for Microsoft 365 and SharePoint environments. With over 17 years of experience, we serve 15,000+ organizations worldwide, including NATO, NASA, Baker McKenzie, Warner Bros, Disney, Sony, US Treasury, and Texas Instruments. Our team of dedicated developers maintains 10 Microsoft 365 certified applications across SharePoint, Teams, and SaaS platforms.

NATO NCAGE Code: 0273R

2. Our Security Approach

2.1 Your Data Stays Yours (Zero-Access Architecture)

In our standard SaaS model, VirtoSoftware has NO access to your data. All customer data created and managed by our applications is stored directly within your Microsoft 365 tenant (SharePoint Lists, Microsoft Dataverse, etc.). Our application backend, hosted on our Azure servers, processes business logic in RAM only — customer content data is never written to disk and is automatically cleared when the session ends.

Data Access Comparison

Criterion                               | VirtoSoftware (Zero-Access)           | Typical SaaS Competitor
----------------------------------------|---------------------------------------|--------------------------------------
Customer data stored on vendor servers  | NO — data stays in your M365 tenant   | YES — data copied to vendor databases
Vendor employees can access your data   | NO — OAuth 2.0 user-delegated only    | YES — application-level permissions
Data processing                         | In RAM only, never persisted          | Stored on disk, backed up by vendor
Data residency controlled by            | Customer (M365 tenant region)         | Vendor (vendor’s data center)
Access revocation                       | Instant via Azure AD admin center     | Vendor-dependent deletion process
Breach of vendor exposes your data      | NO — no customer data on our servers  | YES — all customer data at risk

2.2 Two Deployment Options

We offer flexible deployment models to meet diverse security and compliance requirements:

  1. Standard SaaS Model — Our multi-tenant application hosted on VirtoSoftware’s Azure infrastructure, with your data remaining in your M365 tenant.
  2. Enterprise Self-Deployment — Complete application deployment in your own Azure subscription with full source code access (available under NDA).

For more information, visit virtosoftware.com/deploy-virto-apps-in-m365 or contact our sales team at sales@virtosoftware.com.

3. Certifications & Independent Validation

3.1 Microsoft 365 App Certification

VirtoSoftware has successfully completed the Microsoft 365 App Certification for 10 unique applications (16 AppSource listings) across Microsoft Teams, SharePoint, and SaaS platforms. This independent third-party audit conducted by Microsoft validates our adherence to rigorous standards for security, privacy, and compliance — equivalent to an annual security assessment by one of the world’s leading technology companies.

About the program: The Microsoft 365 App Certification program evaluates application security, data handling, and compliance practices through independent audit. Details at: learn.microsoft.com/en-us/microsoft-365-app-certification/overview

View certifications:

  • Microsoft Learn — VirtoSoftware Kanban Certification: learn.microsoft.com/en-us/microsoft-365-app-certification/teams/virtosoftware-virto-kanban
  • Microsoft AppSource — All VirtoSoftware Apps: appsource.microsoft.com/en-us/marketplace/apps?search=virtosoftware

3.2 NATO Penetration Testing (March 2024)

Our Virto Kanban Board on-premises application underwent rigorous independent penetration testing by NATO security experts. The testing identified vulnerability CVE-2024-34400, which was remediated within 7 business days, demonstrating our commitment to the highest security standards for mission-critical environments.

Read the full case study: virtosoftware.com/use-cases/virtosoftware-tested-by-nato/

3.3 NATO NCAGE Registration

VirtoSoftware is registered in the NATO Codification System with NCAGE Code 0273R, enabling participation in defense and government procurement processes.

4. Key Security Practices

4.1 Authentication & Authorization

  • Single Sign-On (SSO) via Microsoft 365 (Azure AD / Entra ID)
  • OAuth 2.0 Delegated Permissions — Applications use user-level permissions only, meaning VirtoSoftware employees cannot access customer data without customer credentials. This Zero-Access Architecture ensures applications can only access data that the authenticated user can access, providing an additional layer of security compared to traditional SaaS models.
  • Multi-Factor Authentication (MFA) enforced for all VirtoSoftware employee administrative access; customer MFA policies inherited from customer’s Azure AD configuration.
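The zero-access claim in sections 2.1 and 4.1 rests on the difference between a user-delegated token and an app-only token: an Entra ID delegated access token carries the signed-in user's consented scopes in the scp claim, while an app-only token carries roles (and optionally idtyp "app") and never scp. The example below is added here and is not VirtoSoftware's code; it classifies a token by those claims and shows how a backend could refuse anything that is not user-delegated (the sample claims, tenant and object ids are constructed placeholders, and signature, issuer, audience and expiry validation are assumed to happen before the claims are trusted).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # base64url strips '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to build sample input (no real issuer)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The caller must already have
    validated signature, issuer, audience and expiry before trusting these values."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def classify_access(claims: dict) -> str:
    """Delegated tokens carry 'scp' (the signed-in user's consented scopes);
    app-only tokens carry 'roles' and optionally idtyp='app', but never 'scp'."""
    if "scp" in claims:
        return "delegated"
    if claims.get("idtyp") == "app" or "roles" in claims:
        return "application"
    return "unknown"


def is_delegated_only(token: str) -> bool:
    """Gate for a zero-access backend: accept only user-delegated tokens."""
    return classify_access(token_claims(token)) == "delegated"


# Constructed sample claims; the object ids are placeholders, not real values.
DELEGATED_CLAIMS = {"aud": "https://graph.microsoft.com", "scp": "Sites.ReadWrite.All User.Read",
                    "upn": "alice@customer.example", "oid": "11111111-1111-1111-1111-111111111111"}
APP_ONLY_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["Sites.Read.All"],
                   "idtyp": "app", "oid": "22222222-2222-2222-2222-222222222222"}

if __name__ == "__main__":
    for name, claims in (("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS)):
        print(name, "->", classify_access(claims), "accepted:", is_delegated_only(make_unsigned_token(claims)))
```

A tenant administrator can confirm the same property from the other side by checking that the enterprise application has only OAuth2 delegated permission grants and no application role assignments in the Entra admin center.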

4.2 Data Protection

  • TLS 1.3 encryption for all data in transit
  • No customer data storage on VirtoSoftware servers in standard SaaS model
  • GDPR compliant with Data Processing Agreement (DPA) available on request

4.3 Development Security

  • Secure Development Lifecycle (SDLC) with mandatory code reviews by senior developers
  • Microsoft Visual Studio and Azure DevOps development environment
  • Automated dependency scanning (npm audit, Dependabot) and regular vulnerability updates
  • Strictly limited administrative access with MFA enforcement

4.4 Platform Security

Built on Microsoft Azure infrastructure, which independently maintains:

  • SOC 2 Type II certification
  • ISO 27001 compliance
  • GDPR, HIPAA, and FedRAMP compliance
  • Global threat intelligence and protection

VirtoSoftware inherits these infrastructure-level controls and implements additional application-level security measures documented in our Security Whitepaper.

Full details: microsoft.com/en-us/trust-center

5. Security Documentation

We maintain comprehensive security documentation to support your security and compliance requirements. Our documentation covers all aspects of information security, from development practices to incident response procedures.

5.1 Available Publicly

  • This Security Overview — High-level summary of security practices and certifications
  • Privacy Policy — Data collection, processing, and privacy practices (virtosoftware.com/privacy-policy/)
  • Terms of Service — Legal terms and conditions for using VirtoSoftware applications

5.2 Available on Request (No NDA Required)

  • Data Processing Agreement (DPA) — GDPR-compliant data processing terms, roles, and responsibilities

5.3 Available Under NDA

For enterprise customers and security reviews, we provide detailed security documentation under Non-Disclosure Agreement (NDA):

  • Security Whitepaper — Comprehensive technical security architecture, controls, and best practices
  • Information Security Policy — Enterprise security framework, risk management, and compliance standards
  • Access Control Policy — User authentication, authorization, and access management procedures
  • Change Management Policy — Production deployment controls, approval workflows, and rollback procedures
  • Incident Response Policy — Security incident detection, response, and notification procedures
  • Secure Development Lifecycle (SDLC) Policy — Secure coding standards, testing, and deployment practices

To request our comprehensive security documentation package, please contact:

Email: support@virtosoftware.com  |  Subject: Security Documentation Request

6. Compliance & Standards

VirtoSoftware security policies and practices are aligned with industry-leading frameworks and standards:

  • GDPR (General Data Protection Regulation) — Full compliance with EU data protection requirements
  • NIST Cybersecurity Framework 2.0 — Risk-based approach to managing cybersecurity
  • OWASP Top 10 — Mitigation of common web application security risks
  • Microsoft 365 App Certification — Independent validation of security, privacy, and compliance

Our infrastructure provider, Microsoft Azure, maintains additional certifications including SOC 2 Type II, ISO 27001, HIPAA, and FedRAMP.

7. Vulnerability Reporting & Responsible Disclosure

VirtoSoftware welcomes reports from security researchers and customers who discover potential vulnerabilities in our applications or infrastructure.

  • Report to: support@virtosoftware.com with subject “Security Vulnerability Report”
  • Initial acknowledgement: within 2 business days
  • Assessment and response: within 7 business days
  • Safe harbor: We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

8. Contact Us

For security inquiries or to request our comprehensive security documentation package:

Email: support@virtosoftware.com
Phone: +1 (877) 892-7775
Sales: sales@virtosoftware.com
DPO: dpo@virtosoftware.com
Address: VirtoSoftware UAB, Penta Technopolis, Ozo g. 12A, Vilnius, Lithuania 08200
Trust Center: docs.virtosoftware.com/trust-and-security-center/

Version History

Version | Date               | Author        | Changes
--------|--------------------|---------------|------------------------------------------------------------
1.0     | October 15, 2024   | VirtoSoftware | Initial release
2.0     | September 10, 2025 | VirtoSoftware | Updated certifications, added NATO testing, enhanced security practices
2.5     | September 17, 2025 | VirtoSoftware | Clarified data storage model, updated application count
2.6     | November 17, 2025  | VirtoSoftware | Simplified for public audience, enhanced OAuth 2.0 explanation, added document list
3.0     | February 9, 2026   | VirtoSoftware | Added Data Access Comparison table, company overview, NCAGE code, responsible disclosure section; clarified Azure certification attribution; moved DPA to public access; specified NATO testing scope to on-premises Kanban Board

Document Classification: Public

Copyright: ©2006–2026 VirtoSoftware, Inc. All rights reserved.
