Trust center · updated 2026-07-17

Controls a buyer can verify before data moves.

Security architecture

Every stateful query is scoped to an organization. Retained source objects use AES-256-GCM with organization-bound authenticated context. Sessions, API keys, and SCIM tokens are stored as one-way hashes. Published snapshots and decision events are immutable at the database layer.

Enterprise identity

Portfolio supports OIDC Authorization Code flow with PKCE, issuer discovery, signed identity-token validation, domain restriction, and encrypted client secrets. SCIM 2.0 endpoints support user discovery, provisioning, lookup, and deactivation. Owner deactivation is blocked.

Evidence and audit

API keys have explicit scopes. Evidence ingestion is idempotent by organization, source, and external identifier. Organization audit events and governed decision history can be exported for review.

Infrastructure

The production container runs non-root behind TLS with a read-only filesystem, dropped capabilities, health checks, resource limits, and encrypted off-box backup support. The public marketing build does not retain customer product evidence.

Procurement documents

Data processing addendum · Portfolio service level schedule · Privacy notice · Service terms

Assurance status

Varistra does not claim SOC 2, ISO 27001, HIPAA, or PCI certification unless an executed order explicitly supplies current evidence. Buyers should request the current architecture, subprocessor, backup-restore, and vulnerability-response packet during review.