Virsera’s Statement on Security

Introduction

We use Virsera every day to keep our team organized, connected, and focused on results. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

o    Virsera corporate security policies

o    Physical and environmental security

o    Operational security processes

o    Scalability & reliability of our system architecture

o    Data model access control in Virsera

o    Systems development and maintenance

o    Service development and maintenance

Virsera Corporate Security Policies & Procedures

Every Virsera employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at Virsera.com/terms and Virsera.com/privacy. Access rights are based on employee’s job function and role.

Security in our Software Development Lifecycle

Virsera uses a revision control system. Changes to Virsera’s code base go through a suite of automated tests and are reviewed and go through a round of manual review. When code changes pass the automated testing system, the changes are first pushed to a staging server wherein Virsera employees are able to test changes before an eventual push to production servers and our customer base. We also add a specific security review for particularly sensitive changes and features. Virsera engineers also have the ability to “cherry pick” critical updates and push them immediately to production servers.

In addition to a list where all access control changes are published, we have a suite of automated unit tests that check that access control rules are written correctly and enforced as expected.

Virsera Architecture & Scalability

Scalability/Reliability of Architecture

Virsera uses Azure (Web Services, Active Directory, SQL, BLOB) to manage user data. We currently host data in secure, audited data centers via Azure RDS in the United States.  Azure meets a broad set of international and industry-specific compliance standards, such as SSAE-16, ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards including Australia IRAP, UK G-Cloud, and Singapore MTCS.  Also conforms to the uniform international code of practice for cloud privacy, ISO/IEC 27018, which governs the processing of personal information by cloud service providers.

The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Amazon failure.

Encrypted Transactions

Web connections to the Virsera service are via TLS 1.0 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using SSL 3.0 and below or RC4.

Data Center Security

Azure

Microsoft Azure employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Microsoft Azure’s physical security processes, please visit https://azure.microsoft.com/en-us/support/trust-center/security

Product Features – SpurGo

SpurGo Application Platform

  • SpurGo uses Microsoft Azure Directory when federating with corporate customer directory services to facilitate seamless login
  • SpurGo uses separate Azure BLOB storage containers for each corporate account that contains the proof files
  • SpurGo uses Azure SQL Server for user and challenge information

 

User Authentication

  • For user authentication SpurGo relies on the Microsoft Azure Active Directory federation capabilities, providing Single Sign On experience for the employees of companies that use AAD for internal authentication and authorization.
  • When federating with SpurGo, ONLY the following information will be accessed from the directory and stored into the SpurGo database:
    • First name
    • Surname
    • Email address
  • SpurGo will not access or store users passwords or any other user-related information from the directory.
  • Even if the information about a user (First name, Surname, Email address) is stored into the database, the access of the user to the SpurGo application is controlled only by the validity of his/her Azure Active Directory account. If the account of the user is revoked he/she will no longer be able to access the SpurGo application. Therefore, the only possibility to authenticate into SpurGo application as a member of an Organization is through the Azure Active Directory authentication process of that Organization.

 

Data Storage

SpurGo uses two types of data storage:

  • a relational SQL Database for SpurGo users and challenges information
  • an Azure BLOB for the storage of the files sent as proofs
  • A separate Azure BLOB container is created for each organizational unit

 

Database Information Access Policies

The data access policies for the information stored into the SpurGo Database are enforced by the SpurGo application at the application level. SpurGo defines four access roles:

  • SpurGo Administrator – is authorized to access the information about the users from all the Organizations. The access is limited to the following data:
    • First name
    • Surname
    • Email address
    • Organization Name
    • User roles in SpurGo Application
  • Organization Administrator – is authorized to access the exact same data as the SpurGo Administrator, restricted to the Organization that authenticates the user
  • Manager – is authorized to access the following information, restricted to the Organization that authenticates the user:
    • First name
    • Surname
    • Email address
    • Public challenges information from the Organization (except proofs submitted)
    • Public tasks information from the Organization (except proofs submitted)
    • Own challenges – public or private (including proofs submitted)
    • Own tasks – public or private (including proofs submitted)
  • Player – is authorized to access the following information, restricted to the Organization that authenticates the user
    • First name, Surname and Email addresses of participants to the same challenges or public challenges
    • Public challenges information from the Organization (except proofs submitted)
    • Challenges in which the user has been invited (except proofs submitted)
    • Challenges in which the user has the role of task approver (including proofs submitted)

 

Proofs Access Policies

In order to prove the completion of a specific task, the players have the possibility to upload into the system a file under any format requested by the manager (image, video, document etc.).

 

All these files are stored into an Azure Blob Storage, each Organization having a dedicated container. The access to these resources is secured through the Shared Access Signatures approach:

  • unauthenticated users – cannot access the content of the blob (no valid shared signature provided)
  • authenticated users – the access to the resources is controlled through the application logic according to the roles described in section 3.1

 

All the stored files that have been approved or rejected by the Challenge Manager are deleted automatically after 30 days from their submission request or according customer requested threshold.

 

Privacy

Privacy Policy

Virsera’s privacy policy, which describes how we handle data input into Virsera, can be found at Virsera.com/privacy.

Safe Harbor compliance

Virsera complies with the EU-U.S. and Swiss-U.S. Safe Harbor (“Safe Harbor”) frameworks and principles.

Availability

We are committed to making Virsera consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted.

Want to report a security concern?

Email us at info@Virsera.com.