🛡️ Security FAQ

At Veza, security is an integral aspect of the product, from the initial design to implementation, deployment, and daily operation. We embrace industry best practices including data-at-rest and in-flight encryption, strict role-based access controls, and tenant isolation with zero external access.

  • Veza is committed to maintaining the confidentiality, integrity, and availability of customer data.

  • Veza is prepared to explain and demonstrate safeguards and compliance, and help meet customer security obligations.

  • Technology, regulations, and business change quickly. Veza will always adapt and improve safeguards to ensure entrusted data is always protected.

This document includes information about Veza security practices, and answers some common questions customers ask. Please reach out to your account executive or support@veza.com for additional details or evidence.

FAQ

Does Veza adhere to industry compliance standards and frameworks? What compliance attestations does Veza hold? Veza holds a current SOC 2 (System and Organization Controls) Type II Report, and follows the ISO27001 standard for information security. See Compliance certifications for more information and downloads.

How is communication between Veza and customer systems protected, and is all data encrypted? Veza implements industry standard techniques to secure data at rest and in transit. All network traffic uses SSL/TLS certificates (HTTPS). All customer data and backups use disk-level encryption.

Are user passwords encrypted in transit and during storage? Yes. Credentials are encrypted in transit, and encrypted and hashed at rest with AES-256 encryption. Integration credentials are protected with RSA-4096 encryption. All other credentials (such as Jira webhooks) use AES-256. All communication takes place over TLS.

Does Veza regularly undergo penetration testing by an independent party? Third-party scans for network and application vulnerabilities are part of Veza's cloud, application, and network security practices. The results of these tests are available under NDA.

What metadata does Veza collect from connected systems? Veza gathers metadata such as resource names and user IDs to generate the authorization graph and map relationships between identities and resources. Veza also collects attributes, such as last activity date or bucket encryption state, for use in search and insights. Veza retains this information for the duration of a customer account. Customer data is deleted within 30 days of service termination.

Does Veza have a Business Continuity and Disaster Recovery (BCDR) plan? Yes. Veza's incident response strategy is reviewed and tested annually.

Our security team requires additional information — who can we contact? Reach out to your Veza account executive or the support team at support@veza.com if you have a question that is not covered here. They will be happy to assist in providing any evidence to help meet your own security obligations and requirements.

Access controls

To maintain the integrity and confidentiality of customer data, strict access controls and principles of least privilege are diligently applied across all production and development environments.

  • Access to production and staging environments is limited to authorized Veza personnel only.

  • Multi-Factor authentication (MFA) is required to access all production environments and business applications

  • Dedicated VPN endpoint per cluster with granular access to each customer namespace

  • The Veza platform monitors and verifies access granted to critical systems

Cloud, application, and network security

Veza is a 100% cloud-based solution, using native AWS security controls to provide a layer of infrastructure protection for every customer environment. Key controls include:

  • Dedicated Kubernetes namespace for each customer

  • Application Load Balancer with Web Application Firewall (WAF) for all inbound traffic

  • AWS Shield for protection against DDoS attacks

  • Private subnet in which Veza software (including control, management, and analytics) accepts incoming traffic only through the environment-specific Web Application Firewall and load balancer

  • VPN endpoint and bastion host for upgrades and maintenance only accessible by authorized Veza personnel using MFA

In addition to internal scanning and testing programs, Veza implements broad penetration tests by third-party security experts. Your Veza account executive can provide the penetration test report.

Compliance reports and certifications

Veza maintains SOC 2 Type II certification, demonstrating compliance in core trust service areas: Security, Availability, Processing Integrity, Confidentiality and Privacy. Additionally, Veza complies with the ISO 27001 standard for information security.

The SOC 2 Type II certification and report are available to all customers. Additional documents (such as the Data Protection Policy, Data Security Exhibit, and summaries) are available on request.

Downloads:

  • Veza ISO27001 Certificate.pdf (87KB)

  • Veza2022Type2SOC2Report.pdf (570KB)

Data encryption

Data is encrypted by default across the Veza platform, both at rest and in transit:

  • Communication between the Veza Control Plane and the Veza Insights Plane is always encrypted using SSL/TLS 1.2+ and AES-256 bit encryption

  • Every Veza Insights Plane instance has a unique key pair. A public key encrypts all credentials uploaded by the customer in the Veza platform, ensuring that only the customer’s Veza Insights Plane can decrypt the credentials for that customer environment

  • Disk encryption is enabled by default on all EKS compute instances, all databases, and all messaging subsystems

  • Passwords are encrypted in transit, and encrypted and hashed at rest with AES-256 encryption.
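The per-instance key pair described above (a public key encrypts credentials uploaded by the customer, so only the Insights Plane holding the matching private key can decrypt them, with integration credentials protected by RSA-4096) is a standard envelope-encryption pattern. The following Go program is an added illustration of that pattern, not Veza's code, and makes its own assumptions: the `EnvelopedCredential` wire format, the `instanceID` used as associated data and OAEP label, and the sample credential and identifier are all constructed for the example. It wraps a fresh AES-256-GCM data key with RSA-OAEP and shows that a different instance's key, a different instance identifier, or a tampered envelope all fail closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// EnvelopedCredential is a hypothetical wire format for one uploaded credential:
// an AES-256 data key wrapped with the instance's RSA public key (OAEP), plus the
// GCM nonce and the ciphertext of the credential itself.
type EnvelopedCredential struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateInstanceKey creates the per-instance RSA key pair. The page states
// RSA-4096; the size is a parameter here only so tests can use a smaller key.
func GenerateInstanceKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptCredential is what a client holding only the instance's public key can
// do: seal the credential under a fresh AES-256-GCM data key, then wrap that key
// with RSA-OAEP. instanceID (an assumed identifier) is bound in as GCM associated
// data and as the OAEP label, so an envelope cannot be replayed to another instance.
func EncryptCredential(pub *rsa.PublicKey, credential, instanceID []byte) (*EnvelopedCredential, error) {
	dek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, credential, instanceID)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, instanceID)
	if err != nil {
		return nil, err
	}
	return &EnvelopedCredential{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptCredential runs only where the private key lives. Any mismatch (wrong
// key, wrong instanceID, tampered bytes) yields an error rather than partial
// plaintext, because both OAEP and GCM authenticate their inputs.
func DecryptCredential(priv *rsa.PrivateKey, env *EnvelopedCredential, instanceID []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, instanceID)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, instanceID)
	if err != nil {
		return nil, fmt.Errorf("open credential: %w", err)
	}
	return plaintext, nil
}

func main() {
	instanceKey, err := GenerateInstanceKey(4096) // RSA-4096, as the page states
	if err != nil {
		log.Fatal(err)
	}
	otherKey, err := GenerateInstanceKey(4096) // a second, unrelated instance
	if err != nil {
		log.Fatal(err)
	}
	credential := []byte("constructed sample: integration API token") // constructed sample input
	id := []byte("insights-plane-example-1")                        // hypothetical instance identifier

	env, err := EncryptCredential(&instanceKey.PublicKey, credential, id)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := DecryptCredential(instanceKey, env, id)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("owning instance recovers: %q\n", pt)
	if _, err := DecryptCredential(otherKey, env, id); err != nil {
		fmt.Println("other instance fails as intended:", err)
	}
}
```

Binding the instance identifier into both layers is the design choice worth noting: the RSA layer alone already stops another instance from unwrapping the key, but the associated data also rejects an envelope whose ciphertext has been swapped or edited after the fact, so storage-side tampering surfaces as a decryption error rather than as a silently wrong credential.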

Metadata collection and retention

Veza collects two kinds of information from customer systems integrated with the service: user identity information (such as first name, last name, and email) from identity providers, and metadata about data resources, with the goal of providing complete visibility and control into who has access to what.

Veza collects user IDs from your identity provider as part of standard analysis. Provisioning access to the Veza platform is a separate process: users will log in by using a SAML integration with your corporate identity provider (Single Sign On).

Veza stores authorization metadata from source systems queried to produce reports, along with Authorization Graph snapshots. Veza deletes all customer-related authorization metadata within 30 days of service termination, along with any reports.

Reports and data export

Veza users with the admin or operator role can generate reports in a range of formats, including PNG, CSV, and JSON. Veza administrators and operators can elect to publish Veza notifications to email addresses or other external systems.

Secure development practices

The Veza team adheres to industry standards and follows all best practices for secure software development, including:

  • Code versioning and branching practices follow OWASP standards

  • Separation of duties between staff who develop code and staff who push code to production

  • Strong guidelines for error handling, availability, and security during the system design phase

  • Design reviews conducted with engineering and product leadership during product development and release cycles

  • For platform enhancements, Quality Assurance Engineering maintains a strong focus on automated unit testing, integration testing, and approved test plans.

  • All code merged to the production environment is peer reviewed

Third-party vendor security

Veza minimizes third-party vendor risks by conducting security reviews on all vendors with any level of access to systems or data.
