Security
Designed around tenant-scoped evidence.
Application controls
Server-side authorization scopes every stateful resource to an organization. Sessions are random, hashed at rest, HTTP-only, SameSite, and revocable. Google and configured OIDC identity tokens are verified against issuer signing keys. SCIM and evidence API credentials are one-way hashed and revocable.
Data controls
Retained sources and OIDC client secrets use AES-256-GCM with organization-bound authenticated context. Published snapshots and decision history are immutable at the database layer. Backups are independently encrypted and verified before restore.
Infrastructure controls
The application runs non-root with a read-only container filesystem, dropped capabilities, loopback-only upstream, TLS reverse proxy, security headers, resource limits, health checks, and off-box backups.
Procurement evidence
The trust center links the DPA template and Portfolio service-level schedule. Varistra does not claim certifications it has not independently earned.
Report a vulnerability
Send reproducible details to the support address shown on your invoice. Do not access or modify other users' data, and allow reasonable time for remediation before disclosure.