Security & Trust

Your data stays yours. Always.

Virunio connects to sensitive systems — your code, your tickets, your messages. We take that trust seriously. Security isn't a feature we added at the end; it's a constraint we design around from the beginning.

Security Principles

The commitments we hold to.

Data is never used for training

Your code, tickets, and messages are never used to train AI models — Virunio's or anyone else's. What goes in stays private.

Credentials are never stored

OAuth tokens and API keys are encrypted at rest using AES-256 and never logged. We use short-lived tokens where possible and rotate credentials automatically.

Actions are transparent

Every Flow command that touches an external tool is logged in your audit trail. You can see exactly what Virunio did, when, and why.

Minimal data retention

We only retain what we need to operate your session. Query context is cleared after execution. We don't build persistent user profiles from your activity.

Infrastructure

Built to enterprise standards.

Virunio runs on infrastructure designed for teams that take security seriously. We're working toward SOC 2 Type II compliance and built our data handling to support enterprise requirements from day one.

If your team requires a security review, custom data agreements, or specific compliance documentation before signing up, we're ready for that conversation.

Encryption in transit

TLS 1.3 enforced on all connections

Encryption at rest

AES-256 for all stored credentials

Authentication

OAuth 2.0 with PKCE — no passwords stored

Access control

Role-based permissions per workspace

Audit logging

All Flow actions logged with actor and timestamp

Compliance target

SOC 2 Type II (in progress)

Integration Security

Connected tools, controlled access.

Flow connects to your tools with the minimum permissions needed. We use official OAuth flows — we never ask for admin credentials or broad write access unless a specific action requires it.

GitHub

Read: repos, PRs, issues, commits
Write: PR comments, issue status (on command only)
No admin or org-level access required

Jira

Read: issues, sprints, projects
Write: create/update issues (on command only)
No admin or project settings access

Slack

Read: messages in connected channels
Write: post messages (on command only)
No access to private DMs or workspace admin

Responsible Disclosure

Found a vulnerability?

We take security reports seriously and respond quickly. If you've found a security vulnerability in Virunio, please disclose it responsibly.

We commit to acknowledging receipt within 24 hours and providing a resolution timeline within 72 hours of validation. We will not pursue legal action against researchers acting in good faith.

Report a Vulnerability

In scope

Authentication and authorization bypass
Data exposure or exfiltration
Injection vulnerabilities (SQL, XSS, command)
Insecure direct object references
Credential exposure or token leakage

Contact

Email: security@virunio.com

PGP key available on request.

Enterprise security questions? Let's talk.

If your team requires a security review, custom DPA, or compliance documentation before signing up, reach out and we'll work through it together.