Data Security FAQ

• Microsoft 365 App Certification: Virto Kanban Board App

• Microsoft 365 App Certification: Virto Calendar App

1) Are Virto apps hosted on-premises, by VirtoSoftware, cloud-hosted, or other?

The engines of Virto applications are hosted in Microsoft Azure servers. The apps can be added to your SharePoint site pages or Microsoft Teams channels.

2) Can VirtoSoftware access my company's resources or data?

No. All data is always stored on your side, and we do not have access to it. Virto apps use delegated permissions or your end users’ permissions. End users can access only the data they are allowed to access in Microsoft 365.

3) Will VirtoSoftware store/host data?

VirtoSoftware does not store your data. The tool can only access the provided permissions when this user works within the Virto app. A private key is generated for this session, and nobody except this user reuses it for future data access. A new private key will be generated for a new session.

4) Do you scan your applications for security vulnerabilities? If so, can we have a copy of the most recent scan?

It is not applicable. Authentication is done by SSO (Single Sign-On) with a user’s Microsoft 365 account — a unique private key is generated for each new session. It is impossible to get any data from users outside your organization. The data is solely stored on your side. We do not store or copy it anywhere.

5) Do you do penetration testing of your applications?

No, we do not do penetration testing.

6) Is the data encrypted end-to-end?

Yes, the data is encrypted with HTTPS.

7) Will VirtoSoftware provide remote access for training, troubleshooting, or service maintenance? If so, what type of remote access will be utilized?

We provide remote access for troubleshooting, but it is not required for service maintenance. We always initiate it from our side. Remote access can be used for training (additional cost may apply). We usually utilize Microsoft Teams for remote connections.