Veeva Security Program Overview

At Veeva, we pride ourselves on maintaining the trust of our customers, employees, and the community. Our solutions involve the storage and transmission of our customers’ proprietary information, personal information of medical professionals, personal information of patients and clinical trial participants, and other sensitive information (collectively, “Data”). We understand that our ability to maintain the confidentiality, integrity, and availability of this Data is critical to our success. This Overview describes our security program, our use of third-party service providers, and the privacy and security certifications that we’ve received.

Safeguards Practices

Organizational

Procedural

We maintain a documented information privacy, security and risk management program with clearly defined roles, responsibilities, policies, and procedures. Our program is founded on the following standards:

  • ISO 9001:2015 – Quality Management Systems
  • ISO/IEC 27001:2013 – Information Security Management
  • SOC 2 Type II – System and Organization Controls
  • SEI Capability Maturity Model Integration (v1.3)
  • IT Infrastructure Library (ITIL) version 3
  • ICH Q9 – Quality Risk Management

We regularly review and modify our security program to reflect changing technology, regulations, laws, risk, industry and security practices and other business needs.

Security Organization and Management

We maintain a responsibility and accountability structure for security management designed to:

  • coordinate our information security arrangements;
  • describe points of contact for information security issues;
  • monitor the effectiveness of security arrangements; and
  • maintain approved security standards.

We have appointed an information security officer to help business managers, users, IT staff and others to satisfy their information security responsibilities.

Personnel

Role and Responsibilities

We maintain clearly defined roles and responsibilities for all information processing activities, including the management and control of operational systems, administration and support of communication networks and the development of new systems. The roles and access rights of computer operators and system administrators are separated from those of network and systems development staff.

In addition, we maintain procedures to:

  • supervise information processing activity;
  • minimize the risk of improper activity or error; and
  • screen applicants for security-sensitive positions.

Training

We require role-based security and security awareness training. Subsequent security awareness training is required biennially for all active employees and contractors. Employees in certain roles (e.g., customer support representatives, developers, and hiring managers) receive further and more extensive data security training annually.

Identity and Access Management

Access Policy

We assign access to systems, applications, and associated information in accordance with our documented access policies, which incorporate the principle of least privilege. We enforce these privileges through automated means. Personnel are required to obtain authorization before they can gain access to systems. We use secure techniques for command and control functions (e.g., TLS, SSH, SSL-enabled FTP or VPN).

Privileges

Access mechanisms operate securely and in line with good security practice (e.g., passwords are never displayed and are stored in encrypted form). Authorization procedures are formally defined and conform to commercially standard disciplines, including:

  • establishing heightened control over the issue of special access privileges; and
  • ensuring termination of authorizations that are no longer required.

Authentication

We use industry standard practices to identify and authenticate authorized users. We align our authentication methods with business risk (i.e., strong authentication is applied to ‘high-risk’ users). Passwords are managed according to industry standards.

The sign-on process supports individual accountability and enforces access disciplines which include:

  • suppressing information that could facilitate unauthorized use;
  • validating sign-on information only after it has all been entered;
  • disconnecting users after a defined number of unsuccessful sign-on attempts; and
  • requiring that passwords be changed periodically.

Access Logs

We maintain access logs which are designed to provide sufficient information to enable the diagnosis of disruptive events and establish individual accountability. We conduct periodic reviews of the logs for signs of unauthorized access or changes.

Security Architecture

We have devised and applied a security architecture across our information resources. The architecture comprises a defined set of security mechanisms and supporting standards. The architecture:

  • supports information resources requiring different levels of protection;
  • enables the secure flow of information within and between technical environments;
  • provides authorized users with an efficient means of gaining access to information resources in different technical environments; and
  • enables access privileges for individual users to be revoked when users leave or change jobs.

We maintain an inventory of our critical information assets and the applications used to process them. We conduct information security risk assessments whenever there is a material change in our business or technology practices that may impact the privacy, confidentiality, security, integrity or availability of Data.

Physical and Environmental

Physical Access

We ensure that our third-party data center providers have adopted measures to protect against loss of or damage to the equipment and facilities that we use to host Data, including by:

  • restricting physical access to authorized personnel; and
  • ensuring the presence of security staff where appropriate.

Protection from Disruption

Our production environments leverage specialized equipment to:

  • protect against power outages/failures;
  • allow rapid recovery of assets in the event of an outage;
  • protect power, network infrastructure and critical systems from damage or compromise; and
  • protect buildings against natural disaster or deliberate attack.

Network Communications and Systems Management

Firewalls

We deploy industry standard firewall technologies. We have adopted procedures to manage the firewall rules (the access control mechanism) and changes to those rules.

Information resources used for production purposes are separated from those used for systems development or acceptance testing.

Antivirus/Antimalware Management

We deploy up-to-date software and related procedures for the purpose of detecting and preventing the proliferation of viruses and other forms of malicious code. These controls apply only to internal computing environments used in the development and delivery of our hosted applications.

Acceptable Usage Policy

  • Use of the Internet is governed by clear policies and standards that apply across the enterprise.
  • Network and host-based intrusion detection services are used to protect critical systems, including Internet connected systems.

Denial of Service

We ensure our data center infrastructure providers have adopted and deployed appropriate countermeasures for denial of service attacks.

Media Sanitization and Removal

We leverage industry standard processes and technologies to permanently delete Data when it is no longer needed or authorized.

Encryption

We use industry standard encrypted transport protocols, with a minimum of Transport Layer Security (TLS) v1.2, for Data in transit across an untrusted network. We encrypt Data at rest using Advanced Encryption Standard (AES) 256-bit encryption or an equivalent algorithm.

Vulnerability and Penetration Testing

We have application, database, network, and resource monitoring in place to identify any vulnerabilities and protect our applications. Our solutions undergo internal vulnerability testing prior to release. We have built our own internal penetration testing systems, and we conduct vulnerability assessments on our software using automated and manual methods, at least annually.

We engage third-party security specialists annually to perform vulnerability and penetration testing of our systems. Internet-facing systems are regularly scanned for vulnerabilities.

Business Continuity and Disaster Recovery

Our solutions are designed to avoid single points of failure to reduce the chance of business disruption. We maintain formally documented recovery processes that may be activated in the event of a significant business disruption for both our corporate IT infrastructure and the production infrastructure that processes our customer Data. We conduct testing, at least annually, to verify the validity of the recovery processes.

We also implement various disaster recovery measures to minimize Data loss in the event of a single data center disaster. We architect our solutions using redundant configurations to minimize service interruptions. We continually monitor our solutions for any sign of failure or pending failure, and we take preemptive action to attempt to minimize or prevent downtime.

Incident Response

Incidents are managed by a dedicated team in accordance with a formal incident response policy and process. Our personnel are trained to immediately report any security incident. We provide a public “trust” webpage that displays upcoming maintenance downtimes, data center incidents, and security communications.

Software Development Lifecycle

We maintain industry standard software development lifecycle processes and controls governing the development of and changes to our software, including all updates, upgrades and patches. Our process includes secure software development practices and application security analysis and testing.

Suppliers

We use third-party data centers, cloud-based services and other suppliers in our operations and to provide solutions to our customers. We require that these suppliers enter into downstream agreements with us, such as nondisclosure agreements, data processing agreements, business associate agreements and the like, as appropriate to the type of services they provide and the type of information they have access to. We require that our suppliers complete data security questionnaires, and we conduct risk assessments to assure the competency and appropriateness of their security programs. We apply a risk-based approach to periodically review our suppliers’ security posture.

Our suppliers each maintain their own security programs. This overview does not describe the security program of any of our suppliers.

Certifications

ISO (International Organization for Standardization) 27001

At least once a year we are audited by an accredited third-party certification body for compliance with ISO (International Organization for Standardization) 27001 and ISO 27018 controls. These certifications cover various Veeva products and supporting infrastructure, as described in our certificate. ISO 27001 is a globally recognized security standard that sets out the policies and controls an organization has in place to secure its data. The standard specifies internationally agreed requirements and best practices for a systematic approach to the development, deployment and management of a risk/threat-based information security management system. ISO 27018 is an international code of practice that focuses on privacy controls for cloud providers.

Service Organization Controls

We regularly undergo third-party compliance audits of our security, confidentiality, and availability controls for various Veeva products and supporting infrastructure. We publish our Service Organization Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Our data center providers publish their own SOC 2 reports.

HDS Certification

We maintain a Health Data Hosting (HDS) certificate, as required under French law (Act n°2002-303 dated 4 March 2002) for all entities hosting personal health data. This certification covers those Veeva products described in our certificate and applies only to health data produced in France in the context of the provision of healthcare, as defined by Article L.1111-8 of the French Public Health Code. Customers relying on this certificate must comply with the PGSSI-S (Global Information Security Policy for the Healthcare Sector), which sets out the security standards for eHealth services.