Skip to main content

Vergo's data security and access controls

How Vergo controls access to production systems, databases, and customer data — including network segmentation, encryption, firewall management, and access revocation policies.

Vergo maintains strict, documented controls over who can access its systems and customer data. Access is granted on a need-to-know basis and governed by formal policies covering provisioning, modification, and revocation.

System and application access

  • Unique credentials required: access to Vergo's systems and applications requires a unique username and password combination, or authorization via SSH key. Shared credentials are not permitted.

  • Production access is restricted: access to production applications, databases, and the production network is limited to a defined set of authorized personnel with a clear business justification.

  • Encryption keys are tightly controlled: only employees with a direct operational need are granted access to encryption keys.

  • Access reviews: access rights across Vergo systems are formally reviewed every six months to ensure they remain aligned with each person's role, with any unnecessary access promptly removed.

  • Access is revoked promptly upon termination: system access for departing employees is revoked within one business day of departure, with no exceptions.

Network security

  • Network segmentation: customer data environments are isolated through network segmentation, preventing unauthorized lateral movement across systems.

  • Firewall management: firewall configurations are reviewed and updated on a regular basis, with all changes tracked through to completion.

  • Encrypted remote access: remote access to Vergo's production systems is encrypted and restricted to authorized employees only.

  • Hardening standards: Vergo's network and systems are configured according to documented hardening standards, reviewed annually.

Customer data separation

Each customer's data is logically separated from every other customer's using a unique account identifier that is enforced at the API layer - every request and database query is scoped to the correct account, preventing cross-account data access.

Patch management

Patches and updates are evaluated and risk-rated based on their potential business impact, then prioritized and applied on a defined schedule, with critical patches addressed on an expedited basis. Patch deployment is scheduled during off-peak hours to minimize disruption to customers.

System hardening

Vergo hardens its systems and infrastructure against industry-recognized guidelines, including the CIS (Center for Internet Security) Benchmarks, and reviews these standards annually.

Monitoring and log management

Vergo employs advanced log management and monitoring tools to detect events that could impact the security or operational integrity of the platform. Formal vulnerability management and system monitoring policies are in place and reviewed on a regular cadence.

Annual control assessments

Vergo conducts annual self-assessments of its security controls to verify their effectiveness, with corrective actions taken as needed to meet established service level agreements.

Did this answer your question?