Vareto conducts a variety of audits to ensure continuous compliance with industry standard best practices.
Vareto has obtained a SOC 2 Type 2 attestation report from an independent auditor. A Type 2 report covers not only the design of our controls but their operating effectiveness over the audit period, giving customers independent, objective assurance about the controls that protect their data.
The SOC 2 audit uses the Trust Services Criteria developed by the Assurance Services Executive Committee (ASEC) of the AICPA. The criteria are used to evaluate the suitability of the design and the operating effectiveness of Vareto's controls relevant to the security, availability, or processing integrity of its information and systems, or the confidentiality or privacy of the information it processes.
Vareto hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1, 2 and 3 reports and ISO 27001 certification. See Amazon's compliance and security documents for more detailed information.
All Vareto servers are located within Vareto's own virtual private cloud (VPC), protected by restrictive security groups that allow only the minimum communication required to and between the servers. Vareto conducts third-party network vulnerability scans at least annually.
Vareto continuously monitors 140+ security controls across the organization using Drata, a security and compliance automation platform.
Automated alerts and evidence collection let Vareto demonstrate its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.
All connections to Vareto are encrypted with TLS (HTTPS), and any request that arrives over plain HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit.
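The redirect and transport-encryption behaviour described above can be verified from captured responses. The following is an added example and not Vareto's own code: it parses a raw HTTP response (the shape `curl -si http://<host>/` prints), checks that a plain-HTTP request is answered with a permanent redirect to an https:// URL on the same host, and checks that the HTTPS response carries a Strict-Transport-Security header strong enough to keep browsers off HTTP on later visits. The hostname app.example.com, the sample responses and the one-year minimum max-age are constructed assumptions.

```python
# Added example (not Vareto's code): offline checks for an HTTP-to-HTTPS
# redirect and the HSTS header. Responses below are constructed samples in
# the form `curl -si` prints; app.example.com is a placeholder host.
from urllib.parse import urlsplit

MIN_HSTS_AGE = 31536000  # assumption: one year, the usual floor for HSTS preload lists


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_http_redirect(raw, expected_host):
    """Return the problems found in a plain-HTTP response that should bounce the client to HTTPS."""
    status, headers = parse_response(raw)
    problems = []
    if status in (301, 308):
        pass  # permanent redirect: clients cache it and stop asking over HTTP
    elif status in (302, 303, 307):
        problems.append(f"temporary redirect {status}; use 301/308 so clients remember it")
    else:
        problems.append(f"status {status} instead of a redirect: content served over plain HTTP")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    if target.hostname != expected_host:
        problems.append(f"redirect leaves the host: {target.hostname!r} != {expected_host!r}")
    return problems


def check_hsts(raw, min_age=MIN_HSTS_AGE):
    """Return the problems found in the Strict-Transport-Security header of an HTTPS response."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: the next visit can start over HTTP"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["Strict-Transport-Security has no numeric max-age"]
    problems = []
    if max_age < min_age:
        problems.append(f"max-age {max_age} is below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing: subdomains stay reachable over HTTP")
    return problems


# Constructed sample responses (not captured from any real system).
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://app.example.com/login\r\n"
    "Content-Length: 0\r\n\r\n"
)
BAD_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html>login form served in the clear</html>"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n"
)
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n\r\n"
)

if __name__ == "__main__":
    for label, problems in [
        ("http redirect (good)", check_http_redirect(GOOD_HTTP, "app.example.com")),
        ("http redirect (bad)", check_http_redirect(BAD_HTTP, "app.example.com")),
        ("hsts (good)", check_hsts(GOOD_HTTPS)),
        ("hsts (weak)", check_hsts(WEAK_HTTPS)),
    ]:
        print(label, "OK" if not problems else problems)
```

A 302 to HTTPS is flagged as a weakness rather than a failure: the page is still reached over TLS, but the client will keep issuing its first request in the clear on every visit, which is exactly the window HSTS closes.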
System passwords are encrypted with keys held in AWS KMS, and the ability to decrypt them is restricted to specific production systems.
We use industry-standard data storage systems hosted at AWS.
Data access and authorizations are granted on a need-to-know basis, following the principle of least privilege. Access to the AWS production environment is restricted to authorized personnel.
Vareto customers may configure a data retention period, and customer data is purged from Vareto systems after contract termination.
Vareto's security policies are maintained, communicated, and approved by management so that everyone clearly knows their security responsibilities.
Vareto's policies are audited annually as part of its SOC 2 attestation.
The employee hiring process includes background checks.
Code development follows a documented Secure Development Life Cycle process. The design of all new product functionality is reviewed by the security team. Vareto requires code review for every code change and performs periodic in-depth security reviews of the architecture and of sensitive code. Vareto's development and testing environments are separate from its production environment.
At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Vareto security controls.
Vulnerability Disclosure Process: Vareto considers security a core function of its platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest security standards.
Web application architecture and implementation follow OWASP guidelines.
In addition to Vareto's internal testing program, Vareto conducts application penetration testing by a third-party at least annually.
Single sign-on (SSO) lets you authenticate users through your own identity provider, so they do not enter separate login credentials for your Vareto instance.
Audit logging lets administrators see when users last logged in and which features they used.
All access to Vareto applications is logged and audited. Logs are retained for at least one year, and Vareto maintains a formal incident response plan for major events.