CUSTOMER GO-LIVE CHECKLIST
Every Virgil customer must complete this questionnaire before moving to production. Please allow 1 business day for the Virgil Security team to review your checklist responses, and allow at least 7 days for your team to correct any potential errors flagged by the Virgil team.
E-mail Address You Used to Create Your Virgil Security Account:
Server/Web App
We make sure that our app/web page cannot be modified by an unauthorized person. We understand that injected malicious code can leak encrypted data.
Yes
No
If we use a web app, we protect it from Cross-Site Scripting (XSS) attacks, especially the pages that use Virgil’s encrypt function. We understand that a successful XSS attack can access cleartext user data.
Yes
No
Does not apply
We understand the risk that malicious code can be added through third-party modules (npm, Python pip and so on). Malicious code can hijack our users’ web form data, even if the code comes from a dependency several steps away from our direct dependencies. We make sure that our referenced modules (and their dependencies, recursively) have passed a security audit and are pinned to a fixed version to prevent unplanned updates.
I understand
Please contact me with more information
Mobile Platforms
Do you use Virgil’s iOS SDK?
Yes
No
iOS
We disabled the auto-backup functionality in our app, or otherwise we understand the security implications (i.e. backed-up data can be accessed / decrypted with the Apple ID password).
Yes
No
We prevent unintended backups when storing secrets in the Keychain (i.e. we use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).
Yes
No
Does not apply
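The Keychain setting referred to in the item above, shown as an added example that is not part of the original checklist or of Virgil’s SDKs. It stores a key blob as a device-only item (excluded from backups and device migration) and includes a check that reads an existing item’s accessibility attribute back, so a team can confirm the setting during review. The identifier and key data are hypothetical inputs.

```swift
import Foundation
import Security

// Stores a private-key blob in the Keychain as a device-only item.
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly keeps the item out of
// iCloud/iTunes backups and prevents it from migrating to another device,
// which is the setting the checklist item asks for.
func storeDeviceOnlyKey(_ keyData: Data, identifier: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: identifier,
    ]
    // Remove any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = keyData
    // Device-only accessibility: the weak alternative would be kSecAttrAccessibleWhenUnlocked.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Reads back the accessibility attribute of an existing item, or nil if absent.
// Useful as a review check: the result should equal
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly for every stored secret.
func keyAccessibility(identifier: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: identifier,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let attrs = result as? [String: Any] else { return nil }
    return attrs[kSecAttrAccessible as String] as? String
}

// Returns true only if the stored item is marked device-only (no backup, no migration).
func isDeviceOnly(identifier: String) -> Bool {
    return keyAccessibility(identifier: identifier)
        == (kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String)
}
```

Existing items keep the accessibility they were created with, so items written before the change must be re-saved for the new attribute to take effect.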
We don't allow our app to run on a rooted / jailbroken device, or if we do, we warn the user about the security implications of this modification.
True
False
We did not disable SSL certificate validity checking in our app.
True
False
We understand the security implications of the TouchID-enabled Keychain if data is extracted from a stolen mobile phone.
I understand
Please contact me with more information
We read through and apply Apple's best security practices: https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html
Yes
No
Have you modified the Virgil SDKs?
Yes
No
Where do you store your users’ private keys?
Virgil-provided keystore
KeyChain
Other
Do you store them outside of your user devices?
Yes
No
Where and how do you protect them?
Do you use Virgil’s Android SDK?
Yes
No
We have turned off the auto-backup functionality of the mobile platform in our app, or otherwise we understand the security implications.
Yes
No
We don't allow our app to run on a rooted device, or if we do, we warn the user about the security implications of this modification.
True
False
We did not disable SSL certificate validity checking in our app.
True
False
We read and apply Google's security best practices: https://developer.android.com/training/best-security.html.
Yes
No
Have you modified the Virgil SDKs?
Yes
No
Where do you store your users’ private keys?
Virgil-provided keystore
KeyChain
Other
Do you store them outside of your user devices?
Yes
No
Where and how do you protect them?
Data Recovery
We understand that Virgil doesn't offer data recovery, because Virgil doesn't have access to a recoverable copy of users’ private keys.
I understand
Please contact me with more information
We implemented data recovery:
Using HSM or SSM
Using peer recovery (users recover each other’s shared data)
Using a shadow/audit key that we store ourselves
Other
Virgil Cards
Do you use Virgil Cards?
Yes
No
Do you verify the creation of Virgil Cards (i.e. you validate them before publishing)?
Yes
No
We don’t expose Virgil’s server APIs to non-admin users.
No, we don't
Other
General
I understand that if we do not use Virgil’s PFS SDK, revoking a user requires rotating the encryption key; otherwise the revoked user may have kept a copy of the key and can continue to decrypt confidential data.
Yes
Please contact me with more information
Do you use password-based auth?
Yes
No
What’s your minimum password requirement?
Do you use Virgil’s sign & verify features to verify the integrity of messages?
Yes
No
Even though data is end-to-end encrypted, we understand that HIPAA/FERPA/GDPR/etc. have other requirements that aren’t related to data security (organizational, operational, backups, audit, etc.).
Yes
Please contact me with more information
Do you store the same data both encrypted and decrypted (i.e. parts of the encrypted data kept in cleartext for search indexes)?
Yes, we do.
No, we do not.
Do you store encrypted boolean data in a way that only true has a value and false does not?
Yes, we do.
No, we do not.
We make sure that our app/web page that decrypts data does not leak decrypted information (e.g. through an AJAX POST request) and discloses it ONLY to the end user.
Yes, we do.
No, we do not.
DevOps
Downloaded sample apps containing admin keys were destroyed / removed from the Downloads folder.
Yes
No
Do you keep separate Virgil tokens between your server code and client apps?
Yes
No
Do you use your Virgil app’s private key in your mobile apps?
Yes
No
We did not send the Virgil app key through an insecure communication channel (such as email, SMS, chat, etc.) or publish it in a public repository. If we did, we have since regenerated the key and used a secure channel to distribute it.
True
False
Every Virgil app key was regenerated before going live and will never be used on development machines.
True
False
We’re using the latest Virgil SDKs and we have a procedure in place to roll out an update within a maximum of 14 days following a critical Virgil release.
True
False
We're on a production, guaranteed SLA account with a contract in place.
True
False
Virgil account admins have complex, secure passwords (at least 12 characters long, with at least 2 numbers and 2 non-alphanumeric characters).
True
False
Virgil app keys have complex, secure passwords (at least 12 characters long, with at least 2 numbers and 2 non-alphanumeric characters).
True
False