June 14, 2021

Harri Sinnelä, Chief Information Security Officer

Security

High-Security VR for Enterprise: Meeting the Strictest Standards for Professional Use

In professional XR deployments, security is not a feature you add later. It is a prerequisite. From defense and aerospace to industrial design and research, organizations operate in environments where any unexpected data flow, undocumented component, or uncontrolled update can introduce unacceptable risk.

At Varjo, security is engineered into every layer of our technology and operations. In this post, Varjo’s Chief Information Security Officer Harri Sinnelä explains how security is embedded across the XR-4 Series; from hardware architecture and manufacturing to software behavior, governance, and compliance; and what it takes to meet the strictest standards required in high-assurance, real-world environments.

With the Highest Quality Comes the Highest Security

XR headset on top of a navigation panel 

 

When I joined Varjo, one thing became immediately clear: this company doesn’t treat security as a checkbox. It’s built into the DNA of what we do, not something just added later for compliance reasons or customer reassurance.

That focus comes from the reality of where Varjo operates. Our XR headsets are not designed for entertainment or casual use. They are deployed in aerospace, defense, maritime, industrial design, engineering, research, and other environments where the stakes are very real. In these settings, security is a prerequisite.

A single unexpected data path, an undocumented component, or an uncontrolled software update can be enough to derail accreditation processes or introduce unacceptable risk into operational systems. That is why we embed security across the entire lifecycle of our products; from manufacturing and hardware design to software behavior and governance.

Security that stands up to real-world operational demands

High-security deployments require more than strong encryption or policy statements. Organizations need confidence that devices behave predictably, that nothing transmits unexpectedly, and that suppliers and processes can withstand scrutiny.

That’s why security at Varjo is not confined to one layer of the stack. It is embedded across hardware, software, manufacturing, and the way we operate as a company.

This is also reflected in our governance. Varjo’s Information Security Management System is certified to ISO/IEC 27001:2022, the globally recognized standard for information security management. Maintaining this certification means that our security practices and controls are independently audited and continuously improved.

_W5A0083_hires

Secure by design: hardware built for professional environments

 

Security in XR starts with the headset itself. When we engineered the XR-4 Series, we did so with the assumption that our customers would need full control over data flows; because in many high-assurance environments, they must.

The XR-4 headsets do not store session data or environmental content. Processing takes place on the connected workstation, allowing organizations to apply their own security controls, monitoring, and governance practices without introducing additional risk inside the device.

Transparency is equally important. For security reviews and formal accreditation processes, Varjo can provide documentation such as Letters of Camera Usage and Letters of Volatility, outlining camera modules and memory components. These are often essential when integrating XR technology into restricted environments.

Secure manufacturing and supply chain integrity

In sensitive deployments, trust begins long before a headset is powered on. Supply chain integrity and manufacturing controls are foundational.

Varjo works with world-class manufacturing partners whose processes include strict quality and security controls. These measures help prevent counterfeit components and ensure electronics are sourced only from original manufacturers or approved distributors.

For the most security-sensitive deployments, XR-4 Secure Edition headsets are manufactured at our own secure manufacturing facility in Finland (a NATO member state), meeting Trade Agreements Act (TAA) requirements. This provides an additional level of assurance for customers operating under strict sourcing and compliance rules.

_W5A1215_hires

XR-4 Series: designed for the highest-assurance environments

Many of our customers operate in environments where connectivity is prohibited.

The XR-4 Series supports deployment without internet connectivity through an offline package, eliminating the need for online activation and enabling operation in restricted or air-gapped networks. Offline operation is included by default with XR-4 Secure Edition.

The XR-4 Secure Edition is specifically built for facilities with the strictest controls. Devices are always offline, manufactured in Finland, TAA compliant, and available without wireless components.

Secure software with customer control at the core

Hardware is only half of the picture. Secure XR deployments depend just as much on transparent and predictable software behavior.

Varjo Base, the software platform that manages Varjo headsets, is built around a simple principle: the customer stays in control.

Log files remain on the customer’s workstation. They are never transmitted automatically, and can be reviewed, deleted, or shared manually if needed for support. Automatic updates can be fully disabled, allowing organizations to decide when and how software changes are introduced, supporting internal testing, validation, and change management requirements.

Behind the scenes, Varjo Base follows a secure software development lifecycle. Every release undergoes automated vulnerability scanning, static code analysis, dependency checks, and manual code review before release.

Varjo Base has also received a Certificate to Field (CTF) from the United States Air Force, confirming it meets stringent operational and security requirements for use within U.S. Air Force Operational Test and Training Infrastructure.

Trusted by the most demanding organizations

Across my career in security, I’ve learned that real trust is earned through transparency, engineering discipline, and consistency over time.

Varjo’s security approach has earned the trust of organizations where failure is not an option. Our customers include Boeing, Lockheed Martin, the U.S. Department of Defense, the Finnish Air Force, and defense contractors and system integrators worldwide.

We work closely with end users and integrators to provide the technical disclosures, documentation, and configuration options required for security authorization in the most sensitive deployments.

Secure XR without compromise

High-security XR does not have to mean reduced capability. With Varjo, organizations can deploy VR and XR solutions that meet rigorous security requirements while still delivering world-leading visual fidelity and performance.

For teams operating in environments where assurance is paramount, XR-4 was built to meet those demands, not as an add-on, but by design.

For a full FAQ on Varjo's security measures, read more from our Help Center.

 

 

BROWSE MORE VARJO INSIDER POSTS

See latest updates from Varjo

Ready to redefine reality?

Talk to sales