- AES-256-GCM: All secrets, BYOK API keys, and sensitive data encrypted at rest.
- 2FA Everywhere: TOTP, email OTP, and one-time recovery codes for every account.
- RBAC: 6 granular roles, multi-org isolation, per-project permissions.
- Audit Logs: Every privileged action recorded, timestamped, and tamper-evident.
Security is built into every layer of OVirtual — from how we encrypt your secrets to how we authenticate every request. This page describes our practices and the controls available to you.
1. Data Encryption
- In transit: TLS 1.3 (TLS 1.2 minimum) on every connection. HSTS preload, automatic HTTPS redirects.
- At rest: AES-256-GCM authenticated encryption for application secrets, OAuth tokens, BYOK API keys, and SMTP credentials. Database volumes are encrypted with AWS KMS-managed keys (AES-256).
- Backups: encrypted, region-replicated, retained for 30 days, tested quarterly for restorability.
2. Authentication & Access
- Passwords hashed with Argon2id (high-memory parameters).
- Two-Factor Authentication via TOTP authenticator apps, email OTP, or recovery codes.
- Sessions are short-lived, fingerprinted, and instantly revocable from a "Sessions" page.
- Brute-force protection via exponential rate limiting and IP throttling.
- Optional SSO/SAML for Business plan customers.
3. Infrastructure
- Hosted on AWS (us-east-1, eu-west-1) and Cloudflare (global CDN + DDoS mitigation).
- Private VPCs with no public database access. All inter-service traffic is mTLS-authenticated.
- Automatic security patching, weekly OS updates, ephemeral compute instances.
- Strict Content Security Policy (CSP), X-Frame-Options, Referrer-Policy, and Permissions-Policy headers on every response.
4. Application Security
- Square webhook signatures verified on every payment event (HMAC-SHA-256).
- CSRF protection on all state-changing endpoints; SameSite=Lax cookies.
- Output encoding and parameterized queries — no string concatenation in SQL.
- Dependency scanning via GitHub Dependabot and Snyk; critical CVEs patched within 24 hours.
- Static analysis (SAST) and secret scanning on every pull request.
5. Compliance & Audits
- Architecture designed to be SOC 2 Type II compatible. Annual third-party audits in progress.
- GDPR-compliant data processing (see our GDPR page and Privacy Policy).
- CCPA compliance for California residents.
- DPAs available for Business customers — contact legal@ovirtual.com.
6. Penetration Testing
We commission independent penetration tests at least annually and after any material architectural change. Summary reports are available under NDA to Business customers on request.
7. Incident Response
We maintain a documented incident response plan with defined severity levels and on-call rotations. In the event of a confirmed data breach affecting your account, we will notify you within 72 hours, in compliance with GDPR Article 33 and applicable laws.
8. Self-Hosting Option
OVirtual is open source. If your security model requires full data sovereignty, you can self-host the entire platform on your own infrastructure. Documentation and Docker images are available on our GitHub.
9. Responsible Disclosure
We welcome reports from security researchers. If you discover a vulnerability, please email security@ovirtual.com with a description and reproduction steps. Our PGP key is available at /.well-known/security.txt.
We commit to:
- Acknowledging your report within 48 hours.
- Providing a timeline for remediation.
- Not pursuing legal action for good-faith research conducted within our scope.
- Crediting you publicly (with your permission) once the issue is resolved.
Eligible reports may qualify for a bounty — see our security.txt for details.
10. Status & Transparency
Live system status: status.ovirtual.com. Past incidents and post-mortems are public.
11. Contact
Security questions or reports: security@ovirtual.com.