Your data is yours to protect
We're handling billing data, customer records, and operational infrastructure for real businesses. We take that seriously — encryption, access controls, auditing, and a rapid response program.
How we protect your data
Encryption in Transit
All connections to the Virobit platform are encrypted with TLS 1.3. We reject connections using outdated protocols (TLS 1.0, 1.1) and use HSTS to prevent protocol downgrade attacks.
Encryption at Rest
All customer data stored on Virobit infrastructure is encrypted at rest using AES-256. Database backups are encrypted separately and rotated on a 30-day cycle.
Role-Based Access
Granular, per-user permissions control who can view, edit, or export data. All administrative access to production systems requires MFA and is logged to an append-only audit trail.
Uptime Monitoring
Infrastructure is monitored 24/7. We maintain redundant services across multiple AWS availability zones and publish live status at status.virobit.com.
SOC 2 Type II
We are pursuing SOC 2 Type II certification. In the interim, our security controls are aligned with the SOC 2 Trust Services Criteria. Prospective enterprise customers may request our security documentation.
Vulnerability Disclosure
We maintain a responsible disclosure program. If you discover a security vulnerability, email security@virobit.com and we'll respond within 24 hours.
Deploy on our cloud
or on your own hardware
Virobit Security AI runs in both cloud-hosted and fully on-site self-hosted configurations — replacing Genetec, Lenel, Milestone, and legacy PSIM stacks.
☁ Cloud-Hosted
- Zero server procurement or maintenance
- Automatic security updates and patches
- High-availability hosting with redundant AWS availability zones
- AES-256 encryption at rest · TLS 1.3 in transit
- SOC 2 aligned controls · MFA enforced
- Best for teams without dedicated security IT staff
🖥 On-Site Self-Hosted
- Complete data sovereignty — nothing leaves your network
- Air-gapped deployment available for high-security environments
- Runs on your VMware, Hyper-V, or bare-metal hardware
- You control retention, access logs, and audit trails
- Designed for government, defense, and enterprise compliance mandates
- Full feature parity with the cloud-hosted plan
// responsible_disclosure()
If you discover a security vulnerability in Virobit, please email security@virobit.com with a description of the issue and steps to reproduce it. Do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We acknowledge all reports within 24 hours and provide a resolution timeline within 5 business days. We do not take legal action against researchers who act in good faith.
Infrastructure and Hosting
Virobit is hosted on Amazon Web Services (AWS) in US-East and US-West regions, providing geographic redundancy. We use AWS services including RDS (PostgreSQL), S3, CloudFront, and EC2 — all operated under AWS's shared responsibility model.
Our infrastructure uses:
- VPC isolation with strict security group rules
- Private subnets for all database and application tiers
- WAF (Web Application Firewall) on all public endpoints
- DDoS protection via AWS Shield Standard
- Automated daily snapshots with 30-day retention
Authentication and Access Control
Customer accounts are protected by:
- Bcrypt password hashing with a minimum cost factor of 12
- Optional two-factor authentication (TOTP) for all accounts
- Session tokens with 8-hour expiration and automatic rotation
- IP-based rate limiting on login endpoints
- SSO/SAML available on Enterprise plans (Okta, Azure AD, Google Workspace)
Virobit employee access to customer data requires separate authentication through our internal identity provider, requires MFA, and is logged with full audit trail. Only a small number of authorized engineers can access production systems, and all access is time-limited and reviewed quarterly.
Data Isolation
Every Virobit customer account operates in a logically isolated environment. Customer data is segregated at the database level using tenant-scoped identifiers — no customer's data is ever accessible to another customer's account.
Virobit does not use customer data for any purpose other than delivering the contracted service to that specific customer.
Third-Party Subprocessors
We use a limited set of vetted third-party services to operate the platform:
- AWS — cloud infrastructure and storage (SOC 2, ISO 27001)
- Stripe — payment processing (PCI DSS Level 1) — we never store card numbers
- Postmark — transactional email delivery
- Datadog — infrastructure monitoring and log aggregation
We review our subprocessors annually and will notify customers of material changes with at least 30 days' notice.
Incident Response
In the event of a security incident that affects customer data, we will:
- Contain and investigate the incident within 4 hours of detection
- Notify affected customers within 72 hours of confirming a breach
- Provide a written incident report within 14 days, including root cause and remediation steps
- Notify applicable regulators as required by applicable law
We maintain a documented incident response plan that is tested annually via tabletop exercises.
Employee Security
All Virobit employees with access to customer data undergo:
- Background checks prior to employment
- Security awareness training at onboarding and annually thereafter
- Signed confidentiality agreements
- Principle of least privilege — employees only access what their role requires
- Access revocation within 1 business day of any role change or departure
Contact
For security questions, vulnerability reports, or enterprise security documentation requests, contact our security team at security@virobit.com.
For general inquiries: hello@virobit.com · Virobit LLC, Dallas, TX