Security Overview

Last updated: 8 August 2025

We at Vistaly believe that security is a critical part of our platform. On this page, we include some best practices for how you can most securely use Vistaly. We also outline what we're doing to keep your data safe. Feel free to reach out with any questions to support@vistaly.com.

Best Practices

When using Vistaly, there are things you can do within our platform to improve security:

• Authentication
  • Login via SSO.
  • Utilize two-factor authentication.
  • Logout of your account after accessing Vistaly on a public computer.
• Authorization
  • When inviting a user into Vistaly, make sure to grant the least permissions needed.
• Share Links
  • Set a password when creating share links.
  • Make sure to delete share links after they're no longer needed.

Access & Identity Control

Vistaly supports single sign-on (SSO) via Google and Microsoft. Additionally, it supports self-registration with two-factor authentication (2FA / MFA) via time-based one-time passwords (TOTP). Multi-factor authentication can be enforced by organizational administrators to ensure all team members maintain secure access. To enhance security, Vistaly requires passwords to include a combination of digits, lowercase and uppercase letters, as well as symbols. By utilizing these controls, it decreases the likelihood of a user's account being compromised.

API Security: All API access is authenticated via secure tokens with proper authorization controls. Role-based access control (RBAC) ensures users only access resources appropriate to their assigned roles within the organization.

Cloud Security

All of Vistaly's services are in the cloud. This allows the Vistaly team to iterate quickly on features while ensuring enterprise-level security.

Infrastructure Protection: Our cloud infrastructure includes DDoS protection and Web Application Firewall (WAF) to defend against malicious attacks and unauthorized access attempts. We maintain strict separation between production and non-production environments to ensure data integrity and security. All data centers provide 24/7 physical security monitoring and access controls.

Vistaly is SOC 2 Type 2 compliant. SOC 2 Type 2 is an independent, third-party attestation that evaluates how well a service organization implements controls to safeguard customer data and ensure privacy. This compliance demonstrates that Vistaly's systems and processes meet rigorous standards for security, availability, and confidentiality over time—not just at a single point. Our SOC 2 Type 2 report provides assurance to our customers that we are committed to maintaining a high level of trust and operational excellence when handling your data. If you would like to request a copy of our SOC 2 Type 2 report, please contact support@vistaly.com.

All core services run on Amazon Web Services (AWS) within U.S. based regions. AWS is an industry leader in security best practices. They are SOC 1, 2, and 3 compliant. They additionally have ISO certifications for ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 22301:2019, 9001:2015, and CSA STAR CCM v3.0.1. You can find additional information here.

Vistaly aims for 99.9% uptime or higher for its services. You can view Vistaly's current status along with system updates at status.vistaly.com.

Data Isolation & Organizational Security

Vistaly implements comprehensive data isolation to ensure complete separation between customer organizations:

• Each customer organization's data is strictly separated and protected with dedicated access boundaries.
• Role-based access control (RBAC) ensures users only access data within their assigned organization.
• All API endpoints enforce organizational boundaries, preventing any cross-organization data access.
• Comprehensive audit logs track all data access for security monitoring and compliance.

Your team's data is never visible to other Vistaly customers. We implement defense-in-depth strategies with multiple security layers to ensure your organization's data remains completely private and isolated.

Data Protection

AI Processing: When AI features are used within Vistaly, all processing occurs in isolated environments with strict data boundaries. Your data is never used to train AI models or shared with other customers. For detailed information about our AI data usage policies, please see our Privacy Policy.

All Vistaly data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2+ protocols. Data is backed up and encrypted following a daily, weekly, and monthly 7 year retention policy.

From within Vistaly, we version customer's data so that they can view historical data and revert to an earlier version if needed.

Vistaly does not handle any payment information. All payments are processed by Stripe, a PCI Service Provider Level I. You can read more information here.

Internal Security Measures

All Vistaly employees must agree to management approved policies. These policies include, but are not limited to:

• All machines that can access company code and/or cloud services must be password protected and have their hard drive(s) encrypted.
• Multi-factor authentication must be enabled for online accounts that can access company data.
• Passwords cannot be written down and must not be reused from other accounts.
• Background checks are conducted for all employees with access to production systems.
• Access to customer data is restricted on a least-privilege basis and requires approval.
• All employees are bound by confidentiality agreements to protect customer data and intellectual property.
• Quarterly access reviews are conducted to ensure appropriate access levels and remove unnecessary permissions.
• All employee access is immediately revoked upon termination or role change.
• Regular security training is mandatory for all employees.

Employee Data Access: Vistaly employees do not have access to customer data by default. Any support-related access requires explicit customer permission and is logged for audit purposes. Access is granted temporarily and automatically revoked after the support request is resolved.

Vistaly uses Git (a version control system) to manage all code for the Vistaly platform. All code is reviewed by at least two engineers before it is merged into the main branch. Additionally, automated unit tests, and code quality checks must pass. In order to promote code to production, a suite of integration tests, and end to end tests must also pass.

Vistaly utilizes Dependabot to monitor vulnerabilities in project dependencies and keep them up to date. For more information visit here.

Security Monitoring

Vistaly maintains comprehensive security monitoring capabilities to detect and respond to potential threats:

• Real-time monitoring and alerting systems track security events and anomalies across our infrastructure.
• Regular vulnerability scanning of systems and applications to identify potential security weaknesses.
• External penetration testing conducted by third-party security experts to validate our security posture.
• Automated security analysis and threat detection to ensure rapid response to potential incidents.

Incident Response

Vistaly maintains a comprehensive incident response plan to address potential security events:

• 24/7 monitoring of security events and anomalies through automated systems.
• Defined escalation procedures with response time commitments based on severity.
• Regular incident response drills to ensure team readiness.
• Customer notification within 72 hours of confirmed data breaches, as required by regulations.
• Post-incident reviews to improve security measures and prevent recurrence.

Compliance & Auditing

In addition to our SOC 2 Type 2 compliance, Vistaly maintains:

• Annual third-party security assessments and biennial penetration testing.
• Continuous compliance monitoring for regulatory requirements.
• Comprehensive audit logs retained for a minimum of 12 months.
• Regular internal security audits and risk assessments.
• Documented security policies aligned with industry best practices (ISO 27001, NIST).

Customers can request our latest compliance certificates by contacting support@vistaly.com.

Security Governance

Vistaly maintains a comprehensive security governance framework to ensure consistent security practices and oversight:

• Designated Data Protection Officer (DPO) responsible for privacy compliance and data protection matters.
• Regular security policy reviews conducted to ensure policies remain current with regulatory requirements and industry best practices.
• Formal incident response team with defined roles and responsibilities for security event management.
• Executive oversight and approval required for critical security decisions and policy changes.

For data protection inquiries, contact our DPO at dpo@vistaly.com.

Vendor Management

Vistaly maintains rigorous vendor management practices to ensure third-party providers meet our security standards:

• Risk assessments are conducted before sharing data with any third-party provider.
• Annual reviews of critical service providers to ensure continued compliance and security.
• All sub-processors are vetted for GDPR compliance and data protection capabilities.
• Regular monitoring of vendor security posture and incident notifications.

A complete list of our sub-processors and their compliance status is available at Sub-Processors.

Vulnerability Reports

While utilizing Vistaly, if you encounter a vulnerability, please send an email to security@vistaly.com with details of your finding. The Vistaly team will promptly respond to all reports.