Keeping your data safe
Every day, our users trust Vitrue with their data. This brings an important responsibility - and one that we take incredibly seriously.
Our software aims to reduce musculoskeletal pain for millions of people. But that's only possible if you understand what data we process, why we process it and how we keep it safe.
Vitrue VIDA is certified to government standards
The British Government sets standards to make sure all organisations using personal data keep it safe and use it ethically. We make sure Vitrue meets these standards.
How we use data
Strong identity controls
Safe and secure partners
User input and insights
A culture of data security
A mission-driven approach
Yes. Data is classified into four categories: Public, Internal-only, Confidential and Restricted. By default, data is treated as Restricted (the most restrictive category), with least-privilege principles applied. Identifiable, personal or highly commercially sensitive data is treated as Confidential, meaning that even internal access requires authorisation and clearance. Employees are told how to classify and handle data through internal documents and training, and accounts are restricted according to the data categories they are permitted to access.
Our data classification is GDPR compliant.
The data security team is responsible for regular audits of user permissions across the services used at Vitrue.
Customer data is stored in AWS RDS databases and processed on AWS servers located in the UK by default.
Yes, as part of onboarding and in annual training.
Yes, we make our latest results available to all of our customers.
Yes. All development is carried out in development environments that are entirely separate from production. All changes are merged to a staging environment, where most integration testing takes place before any release to production. No direct changes can be made in the production environment; code review and testing take place before any merge to production so that potential vulnerabilities are assessed before release.
Multi-tenant. Access to data is strictly controlled in the backend on the basis of the securely logged-in user's account. Only users who belong to a given company AND have been granted administrator status by that company may access data associated with the company that is not their own; end users are given access only to data associated with themselves. Secure logins and encrypted backend communication are used to enforce this segregation.
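The tenant-segregation rule above, as an added example that is not Vitrue's code: a minimal Python authorisation layer over constructed sample tenants and records (the user, company and record names are hypothetical). It shows the unscoped lookup that leaks across tenants beside the scoped one that enforces the rule, and a request handler that takes the subject from the server-side session rather than from anything the client sends.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: str
    company_id: str
    is_admin: bool      # granted by the company in the backend user store


@dataclass(frozen=True)
class Assessment:
    record_id: str
    user_id: str        # the end user the assessment belongs to
    company_id: str     # the tenant that end user belongs to
    summary: str


# Constructed sample data for this example (hypothetical): two tenants, acme and globex.
USERS: Dict[str, User] = {
    "alice":        User("alice", "acme", is_admin=False),
    "bob":          User("bob", "acme", is_admin=False),
    "acme-admin":   User("acme-admin", "acme", is_admin=True),
    "carol":        User("carol", "globex", is_admin=False),
    "globex-admin": User("globex-admin", "globex", is_admin=True),
}
RECORDS: Dict[str, Assessment] = {
    "r-1": Assessment("r-1", "alice", "acme", "desk setup: monitor too low"),
    "r-2": Assessment("r-2", "bob", "acme", "desk setup: chair height ok"),
    "r-3": Assessment("r-3", "carol", "globex", "desk setup: laptop on lap"),
}


def fetch_unscoped(record_id: str) -> Optional[Assessment]:
    """The IDOR-prone pattern: the only 'check' is that the id exists.
    Any logged-in user who guesses r-3 gets another tenant's record."""
    return RECORDS.get(record_id)


def can_access(subject: User, record: Assessment) -> bool:
    """Tenant rule: a user may always read their own data; another user's data
    is readable only by an admin of the SAME company. Admin status never
    crosses a tenant boundary."""
    if record.user_id == subject.user_id:
        return True
    return subject.is_admin and record.company_id == subject.company_id


def fetch_scoped(subject: User, record_id: str) -> Optional[Assessment]:
    """Hardened lookup: authorise against the server-side account.
    Missing and forbidden both return None so record ids cannot be enumerated."""
    record = RECORDS.get(record_id)
    if record is None or not can_access(subject, record):
        return None
    return record


def visible_record_ids(subject: User) -> List[str]:
    """Listing endpoint: apply the same rule at the data layer rather than
    fetching every row and hiding some of them in the UI."""
    return sorted(r.record_id for r in RECORDS.values() if can_access(subject, r))


def handle_get(session_user_id: str, params: dict) -> Optional[Assessment]:
    """Request handler: the subject comes from the authenticated session, not
    from request parameters. A client-supplied is_admin or company_id is ignored."""
    subject = USERS.get(session_user_id)
    if subject is None:
        return None
    return fetch_scoped(subject, str(params.get("record_id", "")))


if __name__ == "__main__":
    # Bob tampers with the request: asks for Carol's record and claims admin.
    print(handle_get("bob", {"record_id": "r-3", "is_admin": True}))   # None
    print(fetch_unscoped("r-3").user_id)                                # carol (the leak)
```

The point of keeping `can_access` as a single function is that both the single-record and listing paths go through exactly the same rule, so a tenant filter cannot be forgotten on one of them; in a real service the same predicate would be expressed as a WHERE clause on `company_id` and `user_id`.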
All data in transit is sent over HTTPS (TLS 1.2). RSA is used for the server's certificate and key pair; the session data itself is protected by the negotiated symmetric cipher suite, not by RSA directly.
At Rest: Advanced Encryption Standard (AES) with 256-bit keys (AES-256)
Yes, we operate to GDPR standards.