At Virtuous, security and reliability of customer data is our highest priority. We take security seriously and our team is dedicated to making sure all necessary safeguards are in place to ensure your data is safe and available whenever you need it.
The Virtuous platform runs entirely on Microsoft’s Azure cloud platform. We leverage the latest in Microsoft’s cloud and security best practices. Relying on the Microsoft Cloud for hosting and disaster recovery via the Azure platform means that Virtuous does not host or maintain any hardware or software internally that might affect application uptime, security, etc. Application infrastructure and uptime are completely handled by Microsoft Azure Cloud.
Each Virtuous customer has their own Azure SQL Server instance. This allows us to ensure high levels of performance based on customer needs and record count while also leveraging the uptime and reliability of Microsoft’s cloud. It also keeps your data in a more protected silo for security purposes. Because all data is fully housed on Azure, Virtuous relies on Microsoft’s SOC compliance, data security processes and uptime.
For more information visit:
All customer data is backed up at the transactional level for up to 48 hours; after that period, daily snapshots of the data are available for roll back to any point in time. For our enterprise customers, SQL data is also available for off-site backup on request.
In addition to traditional data backups, the Virtuous platform on Azure inherits Microsoft’s cloud disaster recovery plan.
To learn more about Azure’s disaster recovery features, see the link below for a broad overview:
As part of our normal processes, Virtuous maintains appropriate administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of contact data. This process includes: 1) employing Microsoft recommended best practices for security and updating third party components comprising the Virtuous platform, 2) monitoring and evaluating security systems at regular intervals, and 3) monitoring any system access attempts that might represent a threat to your data.
Virtuous utilizes the Azure Threat Detection mechanisms to ensure customer data is safe. The Virtuous team is notified of potential threats in real-time. Threats are evaluated and immediately addressed as they come in.
As part of its security process, Virtuous employs an independent Penetration Test Certified consultant to do external Penetration Testing on the Virtuous platform to validate our internal penetration testing procedures. Pen test results can be made available on request.
Virtuous completed a comprehensive HIPAA risk assessment of both the Virtuous platform and the support technology used during the data conversion and migration process. This analysis was completed on March 1, 2021 by Troncore Security.
In addition to server logging provided by Azure, each customer has access to audit logs which track changes to contact and gift data. These changes are logged per user with a datetime stamp. Security logs are handled by Virtuous and will not be shared with clients unless they need to know of an issue. This includes last login dates of users, etc.
Our Virtuous CRM product delegates all Credit Card and ACH processing to our Virtuous Giving product which is covered by our PCI scanning and auditing process. Currently we utilize WePay as our Payment Gateway which tokenizes and encrypts all customer information on our behalf. Our PCI scope is extremely limited, but we still take security of card data very seriously. Virtuous never stores payment or banking information for any contacts (e.g. credit card data, checking account information).
For our limited PCI scope on web forms, we are mandated to complete a PCI SAQ-A and PCI Scanning with oversight from our PCI vendors to ensure card data is never compromised. We also leverage Trusted Site (McAfee) to complete PCI Quarterly scans.