VirtusNova Security Practices
Last updated: January 15, 2026
Wilken UG (haftungsbeschränkt), operating as VirtusNova (“VirtusNova”), maintains organizational and technical measures (“Security Practices”) to protect information you provide to us (“Customer Information”) from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information VirtusNova collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing VirtusNova engages in.
Where used in this Security Practices document, “Services” means the services provided by VirtusNova as defined in the VirtusNova Enterprise Terms of Service or other applicable terms of service. Capitalized terms not defined in this document have the meanings given to them in the relevant terms of service applicable to your access to and use of the Services.
The Security Practices include:
1. Assigned Security Responsibility
VirtusNova has designated security responsibilities and qualified personnel responsible for overseeing the development, implementation, and maintenance of its Security Practices. Security responsibilities are assigned to qualified personnel who oversee, monitor and test security measures on an ongoing basis.
2. Personnel Practices
a. All of VirtusNova’s employees:
i. are bound by VirtusNova policies regarding the confidential treatment of Customer Information;
ii. receive security and privacy training during onboarding and on an ongoing basis at least annually thereafter, and supervision at a level and substance that is appropriate to their position;
iii. are required to read and sign information security and privacy policies covering the confidentiality, integrity, availability and resilience of the systems and services VirtusNova uses in the delivery of the Services.
b. VirtusNova maintains appropriate controls to restrict its employees’ access to the Customer Information that you and your Authorized Users make available via the Services, and to prevent access to Customer Information by anyone who should not have access to it.
c. VirtusNova conducts appropriate pre-employment screening commensurate with the sensitivity of a role, which may include criminal background checks for particularly sensitive positions, where permissible by law.
3. Compliance and Testing
VirtusNova implements security measures aligned with industry standards and leverages cloud infrastructure providers that maintain internationally recognized certifications and accreditations.
a. Cloud Infrastructure Provider Certifications: VirtusNova uses Google Cloud Platform and Firebase for its production infrastructure. Google Cloud Platform maintains internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, including:
- ISO/IEC 27001: Framework for managing information security
- ISO/IEC 27701: Privacy controls for protecting personal information
- ISO/IEC 27017: Security guidelines for cloud services
- ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds
- SOC 1, SOC 2, and SOC 3
- PCI DSS Level 1
For more information about Google Cloud Platform’s certifications and compliance, please visit the Google Cloud Security and Compliance website.
b. Payment Processing: When payments are processed via credit card, VirtusNova uses Stripe, Inc., a third-party vendor that is PCI DSS Level 1 compliant. At no point does VirtusNova store, transmit, or process your credit card information; VirtusNova simply stores anonymous tokens that identify the applicable processed transactions. For more information about Stripe’s security and compliance, please visit Stripe Security.
c. Security Testing: VirtusNova performs regular security assessments and vulnerability scans on its production systems and uses commercially reasonable efforts to remediate any findings that present a material risk to the Services environment. VirtusNova commits to regular security reviews and assessments of its technical and organizational measures.
4. Access Controls
VirtusNova has and will maintain appropriate access controls, including:
a. Policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts;
b. Segregation of conflicting duties and areas of responsibility;
c. Maintaining current and accurate inventories of computer and user accounts;
d. Enforcing the principles of “least privilege” and “need to know”;
e. Reviewing user access rights on a regular basis to identify excessive privileges;
f. Enforcing a limit of invalid login attempts; and
g. Password requirements that include a defined minimum complexity, password changes after the first login, and subsequent changes at predetermined intervals with limits on reuse.
5. Multi-Factor Authentication
a. Access to the systems used by VirtusNova employees and contract personnel is controlled by multi-factor authentication. This means that all VirtusNova employees and contractors are required to provide an additional authentication credential in addition to the password credentials, in order to gain access to any system used in the provision of the Services.
b. VirtusNova uses Firebase Authentication for customer authentication, which provides secure authentication mechanisms including email/password and OAuth providers (such as Google Sign-In). While Firebase Authentication supports multi-factor authentication capabilities, VirtusNova’s current implementation focuses on providing secure password-based and OAuth-based authentication for customers.
6. Single Sign-On
a. VirtusNova has implemented single sign-on (SSO) capabilities to ensure greater and more centralized access control to the systems used by VirtusNova employees and contract personnel.
b. VirtusNova supports OAuth-based authentication (such as Google Sign-In) for customers. Enterprise SSO capabilities using SAML or other enterprise authentication protocols may be available upon request for Enterprise customers. Please contact VirtusNova to discuss Enterprise SSO requirements.
7. Data Encryption
a. All Customer Information is encrypted at rest and in transit. The Services support the latest secure cipher suites and protocols to encrypt all traffic in transit. VirtusNova currently supports only TLS 1.2 or above on its website and all pages that accept payment information. All API communications use HTTPS with TLS encryption.
b. Data stored in Firebase services (Firestore, Cloud Storage) is encrypted at rest by default using industry-standard encryption methods (AES-256). Firebase automatically encrypts all data at rest without requiring additional configuration. All data transmitted to and from VirtusNova’s Services is encrypted in transit using TLS encryption, which is enforced by Firebase and Google Cloud Platform services.
c. VirtusNova monitors the changing cryptographic landscape and makes commercially reasonable efforts to upgrade the Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. Firebase and Google Cloud Platform automatically update their cryptographic implementations in accordance with industry best practices.
8. Logging and Intrusion Detection
a. All systems used in the provision of the Services log information to secure log servers in order to enable security reviews and analysis. Firebase and Google Cloud Platform provide comprehensive logging capabilities for authentication events, database access, API calls, and system operations.
b. VirtusNova utilizes Firebase and Google Cloud Platform’s centralized logging and monitoring capabilities, which contain information pertaining to security, monitoring, availability, access, and other metrics about the Services. Firebase Authentication logs capture authentication events, and Firestore logs record database access patterns. VirtusNova reviews logs on a regular basis to identify and respond to security events.
c. VirtusNova monitors the Services for unauthorized intrusions and security incidents. Google Cloud Platform provides built-in security monitoring and alerting capabilities, including Cloud Security Command Center and Cloud Logging, which VirtusNova utilizes to monitor for suspicious activity and potential security threats.
9. Network Protection
VirtusNova leverages Google Cloud Platform’s network security infrastructure, which includes advanced firewall rules, DDoS protection, and network segmentation. Google Cloud Platform’s firewall rules are configured to restrict access to only necessary ports and protocols. Google Cloud Armor provides DDoS protection and web application firewall capabilities. Remote access to production systems and other sensitive network segments requires connection through a secure VPN with multi-factor authentication.
10. Host Management
VirtusNova utilizes Google Cloud Platform’s managed services (Firebase, Cloud Functions), which are maintained and secured by Google. For any self-managed infrastructure, VirtusNova performs security assessments and vulnerability scans and uses commercially reasonable efforts to remediate any findings that present a material risk to the Services environment. VirtusNova enforces security policies including screen lockouts and the usage of full disk encryption for company laptops and devices used to access production systems.
11. Disaster Recovery
a. When your use of the Services requires VirtusNova’s systems to store Customer Information, such Customer Information is stored redundantly at multiple locations in Google Cloud Platform data centers to ensure availability. Firebase services provide automatic redundancy and failover capabilities across multiple geographic regions. Google Cloud Platform’s infrastructure is designed for high availability and automatic failover.
b. Customer Information stored in Firebase Firestore benefits from Firebase’s automatic backup and point-in-time recovery capabilities. Firebase maintains automatic backups of Firestore data, and VirtusNova can restore data to a previous point in time if needed. VirtusNova’s source code is maintained in version control systems with redundancy. VirtusNova monitors backup systems and is alerted in the event of any failures.
12. Physical Security
VirtusNova currently uses Google Cloud Platform and Firebase for its production data centers to provide the Services. Google Cloud Platform was selected for its high standards of both physical and technological security, and has internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Google Cloud Platform’s certification and compliance, please visit the Google Cloud Security and Compliance website.
13. Security Policies and Procedures
VirtusNova implements and maintains security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework. In particular, the Services are operated in accordance with the following policies and procedures:
a. Customer passwords are stored using a one-way salted hash. VirtusNova uses Firebase Authentication, which implements industry-standard password hashing algorithms (scrypt) and automatically handles password security best practices.
b. Customer authentication logs are captured by Firebase Authentication to safeguard customer data and to aid in the investigation of security incidents. Authentication events, including successful and failed login attempts, are logged.
c. Customer passwords are never logged or stored in plain text. Firebase Authentication handles password storage securely and VirtusNova does not have access to customer passwords.
d. VirtusNova personnel will not set a defined password for a user. Password reset functionality is handled securely through Firebase Authentication, which generates secure reset tokens and delivers them via email to the requesting user.
14. Product Design Security Practices
New features, functionality, and design changes go through a review process facilitated by VirtusNova’s development and security personnel. In addition, VirtusNova’s code is tested and manually peer-reviewed prior to being deployed to production. VirtusNova’s security personnel work closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development. VirtusNova observes privacy by design principles, including conducting privacy impact assessments and reviews when implementing new product functionality and processes.
15. Incident Management & Response
VirtusNova maintains robust security incident management policies and procedures for incident response. VirtusNova notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Information by VirtusNova or its agents of which VirtusNova becomes aware, to the extent permitted by law and in accordance with applicable data protection laws, including the GDPR.
16. Data Protection Officer
VirtusNova has designated a Data Protection Officer who oversees the privacy program and ensures compliance with applicable data protection laws, including the GDPR and German data protection law (BDSG). The Data Protection Officer can be contacted at info@virtusnova.marketing.