Security and Infrastructure

Data security is paramount for Veeva and our customers. Veeva protects customer data with world-class physical, network, application, and data-level security. In addition, Veeva invests in the most advanced and modern infrastructure available to provide an innovative, scalable, global, predictable, and secure environment.


Veeva maintains a comprehensive security program based on ISO 27001 to ensure the confidentiality, integrity, and availability of customer data. Veeva is committed to ensuring our services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access – including biometric entry authentication and 24/7/365 onsite monitoring – and that our system processing is complete, accurate, timely, and authorized.

Veeva regularly passes rigorous third-party compliance audits of our robust security, confidentiality, and availability controls. Veeva publishes a Service Organization Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Veeva data centers and service providers also publish SSAE16 SOC1 Type II and SOC3 (SysTrust) reports. These reports confirm that Veeva delivers fully secure and reliable, high quality operating standards in its data center operations, including provisioning, management and monitoring of the hardware, network, and firewall. All of these reports are for limited distribution and shared under confidentiality agreement (CDA). Please direct all requests through your Veeva Account Executive or Customer Service Representative.
Veeva has achieved ISO (International Organization for Standardization) 27001 certification for our Information Security Management Systems (ISMS) and aligned with ISO 27018 for privacy controls, covering various Veeva products and supporting infrastructure as described in Veeva’s certificate. ISO 27001 is a globally recognized security standard that provides a guideline of the policies and controls that an organization has in place to secure their data. The standard sets out internationally agreed upon requirements and best practices for the systematic approach to the development, deployment and management of a risk/threat based information security management system. ISO 27018 is an international code of practice that focuses on privacy controls for cloud providers.
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.


Veeva leverages the most advanced cloud infrastructure to provide an innovative, scalable, global, predictable, and secure environment. After a comprehensive evaluation of public cloud vendors, Veeva determined Amazon Web Services (AWS) is the right primary cloud infrastructure provider to meet Veeva customers’ growing needs as we look to the future.

AWS is Privacy Shield certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Veeva. See further AWS Certifications. To ensure conformance with local regulations, application data resides and is backed-up in key geographic regions — U.S. (West and East Coast), Europe (Germany and Ireland), and Japan.

Veeva’s Vault and CRM applications were moved to AWS in December 2017. Veeva Network migration will be completed in April 2018. Further detail on Veeva’s move to AWS is available here.