  {"id":9498,"date":"2015-07-30T22:06:44","date_gmt":"2015-07-30T20:06:44","guid":{"rendered":"http:\/\/wwwwww.veeva.com\/eu\/?page_id=9498"},"modified":"2026-02-03T19:42:30","modified_gmt":"2026-02-03T18:42:30","slug":"trust","status":"publish","type":"page","link":"https:\/\/www.veeva.com\/eu\/trust\/","title":{"rendered":"Veeva Security Program Overview"},"content":{"rendered":"<style>\n  table tr.header {\n\tcolor: #fff;\n\tbackground-color: #ff9835;\n  }\n  .veeva-2024 .content-block__content .h3, .veeva-2024 .content-block__content h3,\n  .veeva-2024 .content-block__content .h6, .veeva-2024 .content-block__content h6 {\n\tfont-weight: 500;\n\tfont-size: 20px;\n\ttext-transform: unset;\n\tcolor: #444;\n\tmargin-top: 10px;\n  }\n<\/style>\n<p>\t\t<strong>Updated: January 29th, 2026<\/strong><\/p>\n<p style=\"margin-bottom:25px;margin-top:20px;\"> At Veeva, we pride ourselves on maintaining the trust of our customers, employees, and the community. Our<br \/>\n\t\tsolutions involve the storage and transmission of our customers\u2019 proprietary information, personal information<br \/>\n\t\tof medical professionals, personal information of patients and clinical trial participants, and other sensitive<br \/>\n\t\tinformation (collectively, <strong>\u201cData\u201d<\/strong>). We understand that our ability to maintain the<br \/>\n\t\tconfidentiality, integrity, and availability of this Data is critical to our success. This Overview describes<br \/>\n\t\tour security program, our use of third-party service providers, and the privacy and security certifications that<br \/>\n\t\twe\u2019ve received. 
<\/p>\n<table class=\"table table-bordered\">\n<thead>\n<tr class=\"header\">\n<th> Safeguards <\/th>\n<th> Practices <\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"20%\">\n<h3>Organizational<\/h3>\n<\/td>\n<td>\n<h3>Procedural<\/h3>\n<p>\n\t\t\t\tWe maintain a documented information privacy, security and risk management program with clearly defined<br \/>\n\t\t\t\troles, responsibilities, policies, and procedures. Our program is founded on the following standards:\n\t\t\t  <\/p>\n<ul>\n<li> ISO 9001:2015 \u2013 Quality Management Systems <\/li>\n<li> ISO\/IEC 27001:2022 \u2013 Information Security Management <\/li>\n<li> SOC2 Type II \u2013 System and Organization Controls <\/li>\n<li> SEI Capability Maturity Model Integration <\/li>\n<li> IT Infrastructure Library (ITIL) <\/li>\n<li> ICH Q9 \u2013 Quality Risk Management<\/li>\n<\/ul>\n<p>\n\t\t\t\tWe regularly review and modify our security program to reflect changing technology, regulations, laws,<br \/>\n\t\t\t\trisk, industry and security practices and other business needs.\n\t\t\t  <\/p>\n<h3>Security Organization and Management<\/h3>\n<p>\n\t\t\t\tWe maintain a responsibility and accountability structure for security management designed to:\n\t\t\t  <\/p>\n<ul>\n<li> coordinate our information security arrangements;<\/li>\n<li> describe points of contact on information security issues;<\/li>\n<li> test the effectiveness of security arrangements; and <\/li>\n<li> maintain approved security standards.<\/li>\n<\/ul>\n<p>\n\t\t\t\tWe have appointed an information security officer to help business managers, users, IT staff and others<br \/>\n\t\t\t\tto satisfy their information security responsibilities.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Personnel<\/h3>\n<\/td>\n<td>\n<h3>Roles and Responsibilities<\/h3>\n<p>\n\t\t\t\tWe maintain clearly defined roles and responsibilities for all information processing activities,<br \/>\n\t\t\t\tincluding the management and control of operational systems, 
administration and support of communication<br \/>\n\t\t\t\tnetworks and the development of new systems. The roles and access rights of computer operators and<br \/>\n\t\t\t\tsystem administrators are separated from those of network and systems development staff.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tIn addition, we maintain procedures to:\n\t\t\t  <\/p>\n<ul>\n<li> supervise information processing activity;<\/li>\n<li> minimize the risk of improper activity or error; and<\/li>\n<li> screen applicants for security-sensitive positions.<\/li>\n<\/ul>\n<h3>Training<\/h3>\n<p>\n\t\t\t\tWe require role-based security and security awareness training. Subsequent security awareness training is required annually for all active employees and contractors. Employees in certain roles (e.g., customer support representatives, developers, and hiring managers) receive further, more extensive data security training annually.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Identity and Access<br \/> Management<\/h3>\n<\/td>\n<td>\n<h3>Access Policy<\/h3>\n<p>\n\t\t\t\tWe assign access to systems, applications, and associated information in accordance with our documented access policies, which incorporate the principle of least privilege. We enforce these privileges through automated means. Personnel are required to obtain authorization before they can gain system access. We use secure techniques for command and control functions (e.g., TLS, SSH, VPN).\n\t\t\t  <\/p>\n<h3>Privileges<\/h3>\n<p>\n\t\t\t\tAccess mechanisms operate securely and are in line with good security practices (e.g., no display of passwords, storage of passwords in encrypted form). 
Authorization procedures are formally defined and conform with commercially standard disciplines, including:\n\t\t\t  <\/p>\n<ul>\n<li> establishing heightened control over the issue of special access privileges; and <\/li>\n<li> ensuring termination of authorizations that are no longer required.<\/li>\n<\/ul>\n<h3>Authentication<\/h3>\n<p>\n\t\t\t\tWe use industry standard practices to identify and authenticate authorized users. We align our<br \/>\n\t\t\t\tauthentication methods with business risk (i.e., strong authentication is applied to \u2018high-risk\u2019 users).<br \/>\n\t\t\t\tPasswords are managed according to industry standards.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tThe sign-on process supports individual accountability and enforces access disciplines which include:\n\t\t\t  <\/p>\n<ul>\n<li> suppressing information that could facilitate unauthorized use;<\/li>\n<li> validating sign-on information only after it has all been entered; <\/li>\n<li> disconnecting users after a defined number of unsuccessful sign-on attempts; and<\/li>\n<li> requiring passwords be changed periodically.<\/li>\n<\/ul>\n<h3>Access Logs<\/h3>\n<p>\n\t\t\t\tWe maintain infrastructure and access logs which are designed to provide sufficient information to enable the diagnosis of disruptive events and establish individual accountability. We use monitoring tools to analyze selected log data for anomalous activity such as unauthorized access or changes and to alert us to such anomalous activity.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Security Architecture<\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tWe have devised and applied a security architecture across our information resources. The architecture<br \/>\n\t\t\t\tcomprises a defined set of security mechanisms and supporting standards. 
The architecture:\n\t\t\t  <\/p>\n<ul>\n<li> supports information resources requiring different levels of protection;<\/li>\n<li> enables the secure flow of information within and between technical environments;<\/li>\n<li> provides authorized users with an efficient means of gaining access to information resources in<br \/>\n\t\t\t\t  different technical environments; and<\/li>\n<li> enables access privileges for individual users to be revoked when users leave or change jobs.<\/li>\n<\/ul>\n<p>\n\t\t\t\tWe maintain an inventory of our critical information assets and the applications used to process them. We conduct information security risk assessments whenever there is a material change in our business or technology practices that may impact the security, privacy, confidentiality, integrity, or availability of Data.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Physical and<br \/> Environmental <\/h3>\n<\/td>\n<td>\n<h3>Physical Access<\/h3>\n<p>\n\t\t\t\tWe ensure that our third-party data center providers have adopted measures to protect against loss of or<br \/>\n\t\t\t\tdamage to the equipment and facilities that we use to host Data, including by:\n\t\t\t  <\/p>\n<ul>\n<li> restricting physical access to authorized personnel; and<\/li>\n<li> ensuring the presence of security staff where appropriate.<\/li>\n<\/ul>\n<h3>Protection from Disruption<\/h3>\n<p>\n\t\t\t\tOur production environments leverage specialized equipment to:\n\t\t\t  <\/p>\n<ul>\n<li> protect against power outages\/failures;<\/li>\n<li> allow rapid recovery of assets in the event of an outage; <\/li>\n<li> protect power, network infrastructure and critical systems from damage or compromise; and<\/li>\n<li> protect buildings against natural disaster or deliberate attack.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Network<br \/> Communications and<br \/> Systems Management<\/h3>\n<\/td>\n<td>\n<h3>Firewalls<\/h3>\n<p>\n\t\t\t\tWe deploy industry standard firewall technologies. 
We have adopted procedures to manage the firewall<br \/>\n\t\t\t\trules (access control mechanism) and changes to the rules.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tInformation resources used for production purposes are separated from those used for systems<br \/>\n\t\t\t\tdevelopment or acceptance testing.\n\t\t\t  <\/p>\n<h3>Antivirus\/Antimalware Management<\/h3>\n<p>\n\t\t\t\tWe deploy up-to-date software and related procedures for the purpose of detecting and preventing the proliferation of viruses and other forms of malicious code. These controls apply only to internal computing environments used in the development and delivery of our hosted applications. Network and host-based intrusion detection services are used to protect critical systems, including Internet-connected systems.\n\t\t\t  <\/p>\n<h3>Acceptable Usage Policy<\/h3>\n<ul>\n<li> Use of the Internet is governed by clear policies and standards that apply across the enterprise.\n\t\t\t\t<\/li>\n<\/ul>\n<h3>Denial of Service<\/h3>\n<p>\n\t\t\t\tWe ensure our data center infrastructure providers have adopted and deployed appropriate countermeasures for denial-of-service attacks.\n\t\t\t  <\/p>\n<h3>Media Sanitization and Removal<\/h3>\n<p>\n\t\t\t\tWe leverage industry standard processes and technologies to permanently delete Data when it is no longer<br \/>\n\t\t\t\tneeded or authorized.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Encryption<\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tWe use industry standard encrypted transport protocols, with a minimum Transport Layer Security (TLS) v1.2, for Data in transit across an untrusted network. 
We encrypt Data at rest using Advanced Encryption Standard (AES) 256 encryption or an equivalent algorithm.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3> Vulnerability and<br \/> Penetration Testing <\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tWe have application, database, network, and resource monitoring in place to identify any vulnerabilities<br \/>\n\t\t\t\tand protect our applications. Our solutions undergo internal vulnerability testing prior to release. We<br \/>\n\t\t\t\thave built our own internal penetration testing systems, and we conduct vulnerability assessments on our<br \/>\n\t\t\t\tsoftware using automated and manual methods, at least annually.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tWe engage third-party security specialists annually to perform vulnerability and penetration testing of<br \/>\n\t\t\t\tour systems. Internet facing systems are regularly scanned for vulnerabilities.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3> Business Continuity<br \/> and Disaster Recovery <\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tOur solutions are designed to avoid single points of failure to reduce the chance of business<br \/>\n\t\t\t\tdisruption. We maintain formally documented recovery processes that may be activated in the event of a<br \/>\n\t\t\t\tsignificant business disruption for both our corporate IT infrastructure and the production<br \/>\n\t\t\t\tinfrastructure that processes our customer Data. We conduct testing, at least annually, to verify the<br \/>\n\t\t\t\tvalidity of the recovery processes.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tWe also implement various disaster recovery measures to minimize Data loss in the event of a single data<br \/>\n\t\t\t\tcenter disaster. We architect our solutions using redundant configurations to minimize service<br \/>\n\t\t\t\tinterruptions. 
We continually monitor our solutions for any sign of failure or pending failure, and we<br \/>\n\t\t\t\ttake preemptive action to attempt to minimize or prevent downtime.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3> Incident Response <\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tIncidents are managed by a dedicated team in accordance with a formal incident response policy and process. Our personnel are trained to immediately report any security incident. We provide a public \u201c<a href=\"https:\/\/trust.veeva.com\/\" target=\"_blank\" rel=\"noopener\">trust<\/a>\u201d webpage that displays upcoming maintenance downtimes, data center incidents, and security communications.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Software Development<br \/> Lifecycle <\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tWe maintain industry standard software development lifecycle processes and controls governing the<br \/>\n\t\t\t\tdevelopment of and changes to our software, including all updates, upgrades and patches. Our process<br \/>\n\t\t\t\tincludes secure software development practices and application security analysis and testing.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Suppliers <\/h3>\n<\/td>\n<td>\n<p>\n\t\t\t\tWe use third party data centers, cloud-based services and other suppliers in our operations and to<br \/>\n\t\t\t\tprovide solutions to our customers. We require that these suppliers enter into downstream agreements<br \/>\n\t\t\t\twith us, such as nondisclosure agreements, data processing agreements, business associate agreements and<br \/>\n\t\t\t\tthe like, as appropriate based on the type of services they provide and the type of information they<br \/>\n\t\t\t\thave access to. We require that our suppliers complete data security questionnaires, and we conduct risk<br \/>\n\t\t\t\tassessments to assure the competency and appropriateness of their security program. 
We apply a<br \/>\n\t\t\t\trisk-based approach to periodically review our suppliers\u2019 security posture.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tOur suppliers each maintain their own security programs. This overview does not describe the security<br \/>\n\t\t\t\tprogram of any of our suppliers.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3>Certifications<\/h3>\n<p>\t\t\t  <img decoding=\"async\" style=\"border-radius:0\" src=\"\/wp-content\/uploads\/2015\/04\/ISO-27001.png\" width=\"80%\" \/>\n\t\t\t<\/p>\n<\/td>\n<td>\n<h3>ISO (International Organization for Standardization) 27001<\/h3>\n<p>\t\t\t  At least once a year we are audited by an accredited third-party certification body for compliance with ISO (International Organization for Standardization) 27001 and ISO 27018 controls. These certifications cover various Veeva products and supporting infrastructure, as described in our certificate. ISO 27001 is a globally recognized security standard that provides a guideline of the policies and controls that an organization has in place to secure its data. The standard sets out internationally agreed-upon requirements and best practices for the systematic approach to the development, deployment and management of a risk\/threat-based information security management system. ISO 27018 is an international code of practice that focuses on privacy controls for cloud providers.\n\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n\t\t\t  <img decoding=\"async\" src=\"\/wp-content\/themes\/veeva2015\/assets\/img\/global\/trust-listicon-1.png\" width=\"70%\" \/>\n\t\t\t<\/td>\n<td>\n<h3>Service Organization Controls<\/h3>\n<p>\t\t\t  We regularly undergo third-party compliance audits of our security, confidentiality, and availability<br \/>\n\t\t\t  controls for various Veeva products and supporting infrastructure. We publish our Service Organization<br \/>\n\t\t\t  Controls 2 (SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). 
Our data center providers publish their own SOC 2 reports.\n\t\t\t<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n\t\t\t  <img decoding=\"async\" style=\"border-radius:0\" src=\"https:\/\/www.veeva.com\/wp-content\/uploads\/2026\/01\/health-data-hosting-certification.png\" width=\"80%\">\n\t\t\t<\/td>\n<td>\n<p>\n\t\t\t\tWe maintain a Health Data Hosting (HDS) certificate, as required under French law (Act n\u00b02002-303 dated 4 March 2002) for all entities hosting personal health data. This certification covers those Veeva products described in our certificate and is only applicable to health data produced in France in the context of the provision of healthcare, as defined by Article L.1111-8 of the French Public Health Code. Customers relying on this certificate must comply with the PGSSI-S (Global Information Security Policy for the Healthcare Sector), which sets out the security standards for eHealth services.\n\t\t\t  <\/p>\n<p>\n\t\t\t\tInformation on Veeva\u2019s compliance with HDS Requirement No. 31 is available <a href=\"https:\/\/www.veeva.com\/privacy\/hds-compliance\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.\n\t\t\t  <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n\t\t\t\t  <img decoding=\"async\" style=\"border-radius:0\" src=\"https:\/\/www.veeva.com\/wp-content\/uploads\/2026\/01\/schellman_iso9001_iso9001_seal_blue_CMYK_300dpi_jpg-1.webp\" width=\"90%\">\n\t\t\t  <\/td>\n<td>\n<h3>ISO (International Organization for Standardization) 9001<\/h3>\n<p>We maintain certification to ISO 9001 for our Quality Management System. This certification covers those Veeva products described in our certificate. ISO 9001 ensures consistent quality in our products and services through a framework built on customer focus, risk-based decision making, and continuous improvement. 
It mandates a systematic process approach that aligns leadership and operations with the needs of all interested parties.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n\t\t\t\t\t<img decoding=\"async\" style=\"border-radius:0;margin-bottom:50px\" src=\"\/wp-content\/uploads\/2026\/01\/international-pharmaceutical-supply-chain-consortium.png\" alt=\"international-pharmaceutical-supply-chain-consortium\" width=\"100%\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" style=\"border-radius:0;margin-bottom:50px\" src=\"\/wp-content\/uploads\/2026\/01\/usdm-life-sciences.png\" alt=\"usdm-life-sciences\" width=\"100%\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" style=\"border-radius:0\" src=\"\/wp-content\/uploads\/2026\/01\/Diligent_Pharma.jpg\" alt=\"Diligent_Pharma\" width=\"100%\">\n\t\t\t\t<\/td>\n<td>\n<h3>Independent GxP Attestations<\/h3>\n<p>We have sanctioned third-party GxP audit specialists in life science compliance to provide independent audit reports of Veeva QMS and MSA controls. These GxP-focused attestations can provide customers with extensive insight into Veeva\u2019s processes and compliance from an independent third-party perspective. Independent GxP audit reports can be purchased from:<\/p>\n<p><strong>Rx-360 &#8211; <\/strong> <a href=\"https:\/\/rx-360.org\/licenseanauditreport\/\" target=\"_blank\" rel=\"noopener\">https:\/\/rx-360.org\/licenseanauditreport\/<\/a><\/p>\n<p><strong>USDM &#8211; <\/strong> contact <a href=\"mailto:enorthigton@usdm.com\"> enorthigton@usdm.com<\/a><\/p>\n<p><strong>Diligent Pharma &#8211; <\/strong> Access the report at <a href=\"https:\/\/www.diligentpharma.com\/veeva-vqa-report\/\" target=\"_blank\" rel=\"noopener\"> https:\/\/www.diligentpharma.com\/veeva-vqa-report\/<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Data security is paramount for Veeva and our customers. 
Veeva protects customer data with world-class physical, network, application, and data-level security.<\/p>\n","protected":false},"author":42,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"templates\/veeva-2024.grey-bar.php","meta":{"footnotes":""},"coauthors":[],"class_list":["post-9498","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/pages\/9498"}],"collection":[{"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/comments?post=9498"}],"version-history":[{"count":27,"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/pages\/9498\/revisions"}],"predecessor-version":[{"id":93736,"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/pages\/9498\/revisions\/93736"}],"wp:attachment":[{"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/media?parent=9498"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.veeva.com\/eu\/wp-json\/wp\/v2\/coauthors?post=9498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}