Book a Free Call
Legal

Compliance & Security

Last updated: May 4, 2026

Virtual On The Go takes compliance and security seriously. Below is a summary of our practices. For specifics tailored to your engagement (BAAs, custom DPAs, SOC2 reports, etc.), email security@virtualonthego.com.

HIPAA (Healthcare clients)

For healthcare clients, we sign Business Associate Agreements (BAAs) and follow HIPAA-aligned procedures for handling Protected Health Information (PHI):

  • Trained staff with documented PHI handling procedures.
  • Encrypted endpoints and secure VPN access for all healthcare engagements.
  • Access logging and quarterly access reviews.
  • Designated Privacy Officer reachable for client questions.
  • Incident response plan with breach notification procedures.

GDPR / UK GDPR (EU & UK clients)

For clients with EU or UK data subjects, we offer:

  • Data Processing Addendums (DPAs) with Standard Contractual Clauses.
  • Documented lawful bases for processing.
  • Data subject rights handling (access, deletion, portability).
  • Sub-processor disclosure on request.

CCPA / CPRA (California)

California residents have specific rights regarding their personal information. We honor access, deletion, and opt-out requests. See our Privacy Policy for details.

Security practices

  • Infrastructure: Enterprise-grade office infrastructure in Pakistan with secure networks, backup power, and physical access controls.
  • Endpoints: Managed devices with full-disk encryption, anti-malware, automatic patching, and remote-wipe capability.
  • Access: Role-based access controls, least-privilege principle, SSO where supported, mandatory MFA on critical systems.
  • Credentials: Client credentials stored in enterprise password managers; never on individual devices in plaintext.
  • Network: All client work conducted over encrypted VPN; no public Wi-Fi for client work.
  • Logging: Audit logs retained for at least 12 months for security review.
  • Training: All staff complete security training at onboarding and annually.

Background checks

All VAs undergo identity verification and background screening prior to client placement. For clients with elevated requirements (legal, financial, healthcare), we offer enhanced screening on request.

Confidentiality

NDAs are standard. Conflict-of-interest checks are run before any law-firm match. Specific confidentiality requirements are documented in your service agreement.

Incident response

We maintain a documented incident response plan. In the event of a security incident affecting your data, we will: (a) contain and investigate; (b) notify affected clients within 72 hours of confirmation; (c) provide remediation steps; (d) deliver a post-incident report.

Sub-processors

We use a small set of trusted sub-processors (cloud infrastructure, email, scheduling, CRM). A current list is available on request under NDA. We notify clients of material changes.

Audits & certifications

We're working toward SOC2 Type II. In the meantime, we welcome client-led security reviews and questionnaires (SIG, CAIQ, custom) for engagements that require them.

Contact

Security or compliance questions? Email security@virtualonthego.com.