Veeva Security Program Overview
At Veeva, we pride ourselves on maintaining the trust of our customers, employees, and the community. Our solutions involve the storage and transmission of our customers’ proprietary information, personal information of medical professionals, personal information of patients and clinical trial participants, and other sensitive information (collectively, “Data”). We understand that our ability to maintain the confidentiality, integrity, and availability of this Data is critical to our success. This Overview describes our security program, our use of third-party service providers, and the privacy and security certifications that we’ve received.
We maintain a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures. Our program is founded on the following standards:
We regularly review and modify our security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.
Security Organization and Management
We maintain a responsibility and accountability structure for security management designed to:
We have appointed an information security officer to help business managers, users, IT staff and others to satisfy their information security responsibilities.
Role and Responsibilities
We maintain clearly defined roles and responsibilities for all information processing activities, including the management and control of operational systems, administration and support of communication networks and the development of new systems. The roles and access rights of computer operators and system administrators are separated from those of network and systems development staff.
In addition, we maintain procedures to:
We require role-based security and security awareness training. Subsequent security awareness training is required biennially for all active employees and contractors. Employees in certain roles (e.g., customer support representatives, developers, and hiring managers) receive further and more extensive data security training annually.
Identity and Access
We assign access to systems, applications, and associated information in accordance with our documented access policies, which incorporate the principle of least-privilege access. We enforce these privileges through automated means. Personnel are required to obtain authorization before they can gain system access. We use secure techniques for command and control functions (e.g., TLS, SSH, SSL-enabled FTP or VPN).
Access mechanisms operate securely and in line with good security practice (e.g., no display of passwords, storage of passwords in encrypted form). Authorization procedures are formally defined and conform with commercially standard disciplines, including:
We use industry standard practices to identify and authenticate authorized users. We align our authentication methods with business risk (i.e., strong authentication is applied to ‘high-risk’ users). Passwords are managed according to industry standards.
The sign-on process supports individual accountability and enforces access disciplines which include:
We maintain access logs which are designed to provide sufficient information to enable the diagnosis of disruptive events and establish individual accountability. We conduct periodic reviews of the logs for signs of unauthorized access or changes.
We have devised and applied a security architecture across our information resources. The architecture comprises a defined set of security mechanisms and supporting standards. The architecture:
We maintain an inventory of our critical information assets and the applications used to process them. We conduct information security risk assessments whenever there is a material change in our business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Data.
We ensure that our third-party data center providers have adopted measures to protect against loss of or damage to the equipment and facilities that we use to host Data, including by:
Protection from Disruption
Our production environments leverage specialized equipment to:
We deploy industry standard firewall technologies. We have adopted procedures to manage the firewall rules (access control mechanism) and changes to the rules.
Informational resources used for production purposes are separated from those used for systems development or acceptance testing.
We deploy up-to-date software and related procedures for the purpose of detecting and preventing the proliferation of viruses and other forms of malicious code. These controls apply only to internal computing environments used in the development and delivery of our hosted applications.
Acceptable Usage Policy
Denial of Service
We ensure our data center infrastructure providers have adopted and deployed appropriate countermeasures for denial of service attacks.
Media Sanitization and Removal
We leverage industry standard processes and technologies to permanently delete Data when it is no longer needed or authorized.
We use industry standard encrypted transport protocols, with a minimum Transport Layer Security (TLS) v1.2, for Data in transit across an untrusted network. We encrypt Data at rest using Advanced Encryption Standard (AES) 256 encryption or an equivalent algorithm.
We have application, database, network, and resource monitoring in place to identify any vulnerabilities and protect our applications. Our solutions undergo internal vulnerability testing prior to release. We have built our own internal penetration testing systems, and we conduct vulnerability assessments on our software using automated and manual methods, at least annually.
We engage third-party security specialists annually to perform vulnerability and penetration testing of our systems. Internet-facing systems are regularly scanned for vulnerabilities.
Our solutions are designed to avoid single points of failure to reduce the chance of business disruption. We maintain formally documented recovery processes that may be activated in the event of a significant business disruption for both our corporate IT infrastructure and the production infrastructure that processes our customer Data. We conduct testing, at least annually, to verify the validity of the recovery processes.
We also implement various disaster recovery measures to minimize Data loss in the event of a single data center disaster. We architect our solutions using redundant configurations to minimize service interruptions. We continually monitor our solutions for any sign of failure or impending failure, and we take preemptive action to attempt to minimize or prevent downtime.
Incidents are managed by a dedicated team in accordance with a formal incident response policy and process. Our personnel are trained to immediately report any security incident. We provide a public “trust” webpage that displays upcoming maintenance downtimes, data center incidents, and security communications.
We maintain industry standard software development lifecycle processes and controls governing the development of and changes to our software, including all updates, upgrades and patches. Our process includes secure software development practices and application security analysis and testing.
We use third-party data centers, cloud-based services and other suppliers in our operations and to provide solutions to our customers. We require that these suppliers enter into downstream agreements with us, such as nondisclosure agreements, data processing agreements, business associate agreements and the like, as appropriate based on the type of services they provide and the type of information they have access to. We require that our suppliers complete data security questionnaires, and we conduct risk assessments to assure the competency and appropriateness of their security program. We apply a risk-based approach to periodically review our suppliers’ security posture.
Our suppliers each maintain their own security programs. This overview does not describe the security program of any of our suppliers.
ISO (International Organization for Standardization) 27001
At least once a year we are audited by an accredited third-party certification body for compliance with ISO 27001 and ISO 27018 controls. These certifications cover various Veeva products and supporting infrastructure, as described in our certificate. ISO 27001 is a globally recognized security standard that provides a guideline of the policies and controls that an organization has in place to secure its data. The standard sets out internationally agreed-upon requirements and best practices for a systematic approach to the development, deployment and management of a risk/threat-based information security management system. ISO 27018 is an international code of practice that focuses on privacy controls for cloud providers.
Service Organization Controls
We regularly undergo third-party compliance audits of our security, confidentiality, and availability controls for various Veeva products and supporting infrastructure. We publish our Service Organization Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Our data center providers publish their own SOC 2 reports.