Trust center · updated 2026-07-17
Controls a buyer can verify before data moves.
Security architecture
Every stateful query is scoped to an organization. Retained source objects use AES-256-GCM with organization-bound authenticated context. Sessions, API keys, and SCIM tokens are stored as one-way hashes. Published snapshots and decision events are immutable at the database layer.
Enterprise identity
Portfolio supports OIDC Authorization Code flow with PKCE, issuer discovery, signed identity-token validation, domain restriction, and encrypted client secrets. SCIM 2.0 endpoints support user discovery, provisioning, lookup, and deactivation. Owner deactivation is blocked.
Evidence and audit
API keys have explicit scopes. Evidence ingestion is idempotent by organization, source, and external identifier. Organization audit events and governed decision history can be exported for review.
Infrastructure
The production container runs non-root behind TLS with a read-only filesystem, dropped capabilities, health checks, resource limits, and encrypted off-box backup support. The public marketing build does not retain customer product evidence.
Procurement documents
Data processing addendum · Portfolio service level schedule · Privacy notice · Service terms
Assurance status
Varistra does not claim SOC 2, ISO 27001, HIPAA, or PCI certification unless an executed order explicitly supplies current evidence. Buyers should request the current architecture, subprocessor, backup-restore, and vulnerability-response packet during review.