Data Security FAQ

1) Are Virto apps hosted on-premises, by VirtoSoftware, cloud-hosted, or other?

The engines of Virto applications are hosted on Microsoft Azure servers. The apps can be added to your SharePoint site pages or Microsoft Teams channels.

2) Will VirtoSoftware have any access to my company resources or data?

No. All the data is always stored on your side, and we don’t have access to it. Virto apps use delegated permissions or your end users’ permissions. End users can access only the data they are allowed to access in Microsoft 365.

3) Will VirtoSoftware store/host data?

VirtoSoftware doesn’t store your data. The tool can use the provided permissions only while the user is working within the Virto app. A private key is generated for that session, and nobody except that user can reuse it for future data access: a new private key is generated for each new session.

4) Do you scan your applications for security vulnerabilities? If so, can we have a copy of the most recent scan?

It’s not applicable: the authentication is done by SSO (Single Sign-On) with a user’s Microsoft 365 account — a unique private key is generated for each new session. It’s impossible to get any data from users outside of your organization. The data is always stored on your side; we don’t store or copy it anywhere.

5) Do you do penetration testing of your applications?

No, we don’t do penetration testing.

6) Is the data encrypted end to end?

Yes, the data is encrypted with HTTPS.

7) Will VirtoSoftware provide remote access for training, troubleshooting, or service maintenance? And what type of remote access will be utilized?

We do provide remote access for troubleshooting, but it is not required for service maintenance, which we always do from our side. Remote access for training purposes is available at extra cost. We usually use Microsoft Teams for remote connections.
