1. Governance
Security is governed by an Information Security Management System (ISMS) certified under ISO/IEC 27001:2022 and aligned with the NIST Cybersecurity Framework. The ISMS is owned by the Chief Technology Officer and overseen by an independent Risk Committee that meets quarterly. Policies are reviewed at least annually and after any material change.
2. People controls
- Pre-employment background checks for all personnel with production access.
- Mandatory annual security awareness training and simulated phishing exercises.
- Role-based access control (RBAC) with least-privilege defaults and quarterly review.
- Multi-factor authentication enforced on every internal system.
- Joiners–movers–leavers automation tied to the corporate identity provider.
3. Infrastructure security
The VIVIROS Platform runs on hardened, multi-tenant infrastructure deployed in ISO 27001-certified data centers across multiple regions. Network traffic is encrypted with TLS 1.3 and protected by managed Web Application Firewalls, volumetric DDoS scrubbing and rate-limiting. Internal segmentation isolates workloads by sensitivity, and production access is gated through a hardened bastion with full session recording.
4. Data protection
All Customer data is encrypted at rest using AES-256 with keys managed through a hardware security module (HSM). Backups are immutable for thirty (30) days and tested quarterly. Personal Data is segregated by tenant, and forensic watermarks are applied to high-sensitivity exports. Data residency options are available for customers with regulatory or contractual obligations.
5. Application security
- Secure SDLC including threat modelling, peer review and SAST in CI.
- Software Bill of Materials (SBOM) tracked for every release.
- Annual third-party penetration testing, with the public summary available on request.
- Bug bounty program operated through a managed platform.
- Continuous dependency scanning backed by maintained patching SLAs.
6. Incident response
We operate a 24/7 incident response capability with documented playbooks and quarterly tabletop exercises. Customers are notified of confirmed incidents affecting their data within seventy-two (72) hours, with an interim status update within twenty-four (24) hours. Post-incident reports include root cause, impact, corrective actions and lessons learned.
7. Reporting a vulnerability
Security researchers and customers can report potential vulnerabilities to [email protected]. Our PGP key (fingerprint F1D3 4C9B 88E2 1A06 7C7A  5F3E 2B19 9D4C E810 0AC1) is available on request. We follow a coordinated disclosure policy aligned with ISO/IEC 29147.
For any inquiry related to this document, contact [email protected] or write to VIVIROS Global Protection Ltd., 88 Market Square, London EC2V 8BB, United Kingdom.