Security and Infrastructure
Data security is paramount for Veeva and our customers. Veeva protects customer data with world-class physical, network, application, and data-level security. In addition, Veeva invests in the most advanced and modern infrastructure available to provide an innovative, scalable, global, predictable, and secure environment.
Veeva maintains a comprehensive security program based on ISO 27001 to ensure the confidentiality, integrity, and availability of customer data. Veeva is committed to ensuring our services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access – including biometric entry authentication and 24/7/365 onsite monitoring – and that our system processing is complete, accurate, timely, and authorized.
SERVICE ORGANIZATION CONTROLS
Veeva regularly passes rigorous third-party compliance audits of our robust security, confidentiality, and availability controls. Veeva publishes a Service Organization Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Veeva data centers and service providers also publish SSAE16 SOC1 Type II and SOC3 (SysTrust) reports. These reports confirm that Veeva delivers fully secure and reliable, high-quality operating standards in its data center operations, including provisioning, management, and monitoring of the hardware, network, and firewall. All of these reports are for limited distribution and are shared under a confidentiality agreement (CDA). Please direct all requests through your Veeva Account Executive or Customer Service Representative.
ISO (INTERNATIONAL ORGANIZATION FOR STANDARDIZATION) 27001
Veeva has achieved ISO (International Organization for Standardization) 27001 certification for our Information Security Management Systems (ISMS) and aligned with ISO 27018 for privacy controls, covering various Veeva products and supporting infrastructure as described in Veeva’s certificate. ISO 27001 is a globally recognized security standard that provides a guideline of the policies and controls that an organization has in place to secure its data. The standard sets out internationally agreed-upon requirements and best practices for the systematic approach to the development, deployment, and management of a risk/threat-based information security management system. ISO 27018 is an international code of practice that focuses on privacy controls for cloud providers.
SKYHIGH NETWORKS
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
Veeva CRM Engage Meeting and Zoom security
In Veeva CRM Engage Meeting, Zoom technology is a core part of the application. Veeva selected Zoom as its video conferencing partner for Engage because Zoom provides enterprise-grade security, a core focus on product integrity and stability, and industry-leading ease of use.
Additionally, the integration between Zoom and Veeva CRM through Zoom’s SDK means Veeva and our customers can control how Zoom works for end users. Veeva uses several Zoom features to ensure Engage meetings are secure and confidential:
- AES256-GCM encryption to protect data in transit
- Mandatory passwords for all Engage meetings
- Ability to share specific windows instead of the entire desktop
- File sharing is disabled
- Session recording is disabled, and both hosts and attendees may disable video at any time
- Ejected participants are automatically blacklisted
- Only the meeting host is able to present
Veeva leverages the most advanced cloud infrastructure to provide an innovative, scalable, global, predictable, and secure environment.
Veeva CRM is hosted on Salesforce’s platform. For more information about Salesforce’s security program see here. Salesforce is Privacy Shield certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Veeva. To ensure conformance with local regulations, application data resides and is backed up in key geographic regions as described in this Salesforce.com help page.
Veeva uses Amazon Web Services (AWS) as its primary cloud infrastructure provider to meet Veeva customers’ growing needs.
AWS is Privacy Shield certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Veeva. See further AWS Certifications. To ensure conformance with local regulations, application data resides and is backed up in key geographic regions — U.S. (West and East Coast), Europe (Germany and Ireland), and Japan.