πŸ›‘οΈSecurity FAQ

At Veza, security is an integral aspect of the product, from the initial design to implementation, deployment, and daily operation. We embrace industry best practices including data-at-rest and inflight encryption, strict role-based access controls, and tenant isolation with zero external access.

  • Veza is committed to maintaining the confidentiality, integrity, and availability of customer data.

  • Veza is prepared to explain and demonstrate safeguards and compliance, and help meet customer security obligations.

  • Technology, regulations, and business change quickly. Veza will always adapt and improve safeguards to ensure entrusted data is always protected.

This document includes information about Veza security practices, and answers some common questions customers ask. Please reach out to your account executive or support@veza.com for additional details or evidence.

FAQ

Does Veza adhere to industry compliance standards and frameworks? What compliance attestations does Veza hold? Veza holds a current SOC 2 (System and Organization Controls) Type II Report and follows the ISO 27001 standard for information security. See Compliance certifications for more information and downloads.

How is communication between Veza and customer systems protected, and is all data encrypted? Veza implements industry-standard techniques to secure data at rest and in transit. All network traffic uses SSL/TLS certificates (HTTPS). All customer data and backups use disk-level encryption.

Are user passwords encrypted in transit and during storage? Yes. Veza local user credentials are encrypted using the Argon2 cryptographic algorithm during transit and secured with AES-256 encryption at rest.

How are integration credentials secured? Integration credentials are encrypted using RSA-4096. All other credentials, such as for Jira webhooks, are encrypted using AES-256. All platform communications use TLS.

Does Veza regularly undergo penetration testing by an independent party? Third-party scans for network and application vulnerabilities are part of Veza's cloud, application, and network security practices. The results of these tests are available under NDA.

What metadata does Veza collect from connected systems? Veza gathers metadata such as resource names and user IDs to generate the authorization graph and map relationships between identities and resources. Veza also collects attributes, such as last activity date or bucket encryption state, for use in search and insights. Veza retains this information for the duration of a customer account. Customer data is deleted within 30 days of service termination.

Does Veza have a Business Continuity and Disaster Recovery (BCDR) plan? Yes. Veza's incident response strategy is reviewed and tested annually.

Our security team requires additional information. Who can we contact? Reach out to your Veza account executive or the support team at support@veza.com if you have a question that is not covered here. They will be happy to assist in providing any evidence to help meet your security obligations and requirements.

Access controls

To maintain the integrity and confidentiality of customer data, strict access controls and principles of least privilege are diligently applied across all production and development environments.

  • Access to production and staging environments is limited to authorized Veza personnel only.

  • Multi-factor authentication (MFA) is required to access all production environments and business applications.

  • A dedicated VPN endpoint per cluster provides granular access to each customer namespace.

  • The Veza platform monitors and verifies access granted to critical systems.

Cloud, application, and network security

Veza is a 100% cloud-based solution, using native AWS security controls to provide a layer of infrastructure protection for every customer environment. Key controls include:

  • Dedicated Kubernetes namespace for each customer.

  • Application Load Balancer (ALB) with Web Application Firewall (WAF) for all inbound traffic.

  • AWS Shield for protection against DDoS attacks.

  • Private subnet hosting the Veza software (including control, management, and analytics), open only to inbound traffic that passes through the environment-specific WAF and ALB.

  • VPN endpoint and bastion host, used for upgrades and maintenance only, accessible solely by authorized Veza personnel using MFA.

In addition to internal scanning and testing programs, Veza implements broad penetration tests by third-party security experts on an annual basis. Your Veza account executive can provide the penetration test report.

Compliance reports and certifications

Veza maintains SOC 2 Type II certification, demonstrating compliance in core trust service areas: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Additionally, Veza complies with the ISO 27001 standard for information security.

The SOC 2 Type II certification and report are available to all customers. Additional documents (such as the Data Protection Policy, Data Security Exhibit, and summaries) are available on request.

Data encryption

Data is encrypted by default across the Veza platform, both at rest and in transit:

  • Communication between the Veza Control Plane and the Veza Insights Plane is always encrypted using SSL/TLS 1.2+ and AES-256 encryption.

  • Every Veza Insights Plane instance has a unique key pair. A public key encrypts all credentials uploaded by the customer in the Veza platform, ensuring that only the customer’s Veza Insights Plane can decrypt the credentials for that customer environment.

  • Disk encryption is enabled by default on all EKS compute instances, all databases, and all messaging subsystems.

  • Local user passwords are encrypted in transit and at rest.

Metadata collection and retention

Veza collects two kinds of information from customer systems: user identity information (such as first name, last name, and email) from identity providers, and resource metadata, enabling visibility and insight into privileged access.

Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.

Reports and data export

Veza users with the admin or operator role can generate reports in a range of formats, including PNG, CSV, and JSON. Veza administrators and operators can elect to publish Veza notifications to email addresses or other external systems.

Secure development practices

Veza adheres to industry standards and follows all best practices for secure software development, including:

  • Annual third-party penetration testing.

  • Code versioning and branching practices follow OWASP standards.

  • Strong guidelines for error handling, availability, and security during the system design phase.

  • For platform enhancements, Quality Assurance Engineering maintains a strong focus on automated unit testing, integration testing, and approved test plans.

  • All code merged to the production environment is peer-reviewed.

  • Continuous security scanning as part of the developer workflow.

  • Separation of duties between staff who develop code and staff who push code to production.

  • Design reviews conducted with engineering and product leadership during development and release cycles.

Third-party vendor security

Veza minimizes third-party vendor risks by conducting security reviews on all vendors with any level of access to systems or data.
