Security

Designed around tenant-scoped evidence.

Application controls

Server-side authorization scopes every stateful resource to an organization. Sessions are random, hashed at rest, HTTP-only, SameSite, and revocable. Google and configured OIDC identity tokens are verified against issuer signing keys. SCIM and evidence API credentials are one-way hashed and revocable.

Data controls

Retained sources and OIDC client secrets use AES-256-GCM with organization-bound authenticated context. Published snapshots and decision history are immutable at the database layer. Backups are independently encrypted and verified before restore.

Infrastructure controls

The application runs non-root with a read-only container filesystem, dropped capabilities, loopback-only upstream, TLS reverse proxy, security headers, resource limits, health checks, and off-box backups.

Procurement evidence

The trust center links the DPA template and Portfolio service-level schedule. Varistra does not claim certifications it has not independently earned.

Report a vulnerability

Send reproducible details to the support address shown on your invoice. Do not access or modify other users' data, and allow reasonable time for remediation before disclosure.