Security
How we secure our products and the data they collect
Our commitment to security begins with these principles:
Verkada’s “zero trust” approach for cloud-managed “Internet of Things” (IoT) devices fundamentally assumes that our systems should not trust any user, network or device without authentication and authorization. This approach mitigates the risks inherent in the expansive and interconnected nature of IoT devices, which could otherwise create entry points for potential cyberattacks.
Verkada personnel can only access Verkada’s product infrastructure or code by authenticating via SAML single sign-on from Verkada’s identity provider.
Verkada’s identity provider for product infrastructure is separate from Verkada’s corporate identity provider and requires multi-factor authentication, including hardware keys.
Verkada support personnel who access customer data through Verkada’s support tools must first obtain time-bound consent from the relevant customer via the Support Permission System.
Verkada applies least-privilege role-based access control to all product infrastructure, customer data, and Verkada devices. This means that we derive the level of access needed from a user’s role and grant the lowest level of access that still lets them do their job. Roles that require high-privilege access are granted on demand, only for a limited period of time, and with a high degree of oversight.
All communication with Verkada’s products and systems over public networks uses TLS 1.2 or later with modern cipher suite configurations.
We design Verkada’s products and interfaces to route any new types of data through a limited set of interfaces with hardened security. This approach reduces the number of entry points we need to secure against potential attacks and allows us to concentrate our security resources on each entry point.
We isolate our product infrastructure from the rest of the company, down to a separate identity provider for Single Sign-On authentication.
We build our device firmware with minimized operating systems and as few components as possible, to minimize potential points of attack.
Our devices accept administrative commands only over secure channels that the device itself establishes through outbound network calls to a secure API gateway in Verkada’s Command platform.
We develop all aspects of Verkada’s security program with an automation-first approach. This helps us maintain the effectiveness of Verkada’s security program as we scale and minimize gaps in how we implement our policies.
Our “configuration-as-code” approach ensures that we consistently apply secure configuration patterns that are aligned with industry benchmarks for hardening.
Our “policy-as-code” approach defines Verkada’s policies as rules for software to follow, increasing Verkada’s adherence to them.
Patches for known vulnerabilities are applied automatically to infrastructure services at least every two weeks.
Our compliance automation platform continuously monitors compliance with security and privacy standards.
We conduct continuous security log monitoring and automated detection of potential security incidents.
Verkada incorporates security throughout the software development life cycle using a layered, defense-in-depth approach to prevent vulnerabilities and mitigate the impacts of exploitation.
Our software engineering teams partner with a member of Verkada’s security team to ensure security best practices are followed from product and feature conception to completion.
We implement Verkada’s software with paved roads built with secure configurations and defaults to make the right decisions up front.
We put guardrails in place to maintain security invariants to help prevent insecure choices from being made in the design and implementation stages.
We also run an ongoing Bug Bounty Program, where we offer monetary rewards to external security researchers who spot and report potential security issues.
We engage independent security consultants to perform independent security assessments at least quarterly as part of our ongoing risk management and customer assurance.
Availability
How we maintain the availability of our products and systems
We know that leading companies around the world expect our products and services to be available to them when they need them. That's why we commit to making our platform available 99.99% or more of the time during any calendar month, and we back up that commitment with our Service Level Standards. Customers can view Verkada’s Command platform system status, incident status and history live at status.verkada.com. On that page, customers can also subscribe to receive status updates.
Reliability
How we maintain the reliability of our products and systems
We know that our customers not only expect our products and services to be available when they need them; they also need to rely on our products and services when the unexpected occurs. That is why we have built redundant processes, standards, and recovery systems to restore service as quickly as possible.
Verkada Command is primarily hosted on Amazon Web Services (AWS) and leverages the reliability controls of AWS Data Centers. Verkada adheres to the design principles and best practices outlined in the Reliability Pillar of the AWS Well-Architected Framework.
Verkada’s cloud infrastructure can recover from infrastructure or service disruptions by dynamically acquiring computing resources to meet demand, and it mitigates disruptions such as misconfigurations or transient network issues. Configuration is managed as code, with automated change management.
Customer data is stored in Verkada’s cloud infrastructure that uses AWS S3 or Backblaze, which are designed to provide durability of at least 99.999999999%.
Verkada has and maintains business continuity and incident response plans to quickly address a business interruption or security incident and minimize the impact to customers. We test these plans at least annually to reveal and address any gaps, using both tabletop exercises and hands-on-keyboard tests.
Verkada performs regular backups of customer data and retains them according to a predefined schedule in the Information Security Policy. When the camera cloud backups feature is enabled, camera video is also continuously backed up in the cloud. This redundancy minimizes the risk of data loss and lets us recover files and data quickly in the event of an outage, system error, or natural disaster.
Governance, Risk, Compliance (GRC)
How we manage compliance, and how our products can help our customers meet their own compliance obligations, too
With each new product, technology, or partnership comes new questions to answer and decisions to be made for security and privacy. A robust GRC framework helps to ensure Verkada can make those decisions while maintaining compliance, effectively managing risks, and establishing a strong governance structure that promotes sound decision-making and performance management.
Verkada’s Chief Information Security Officer oversees our security program, leads Verkada’s security team, and reports directly to our Chief Technology Officer (who reports to our CEO). Our CISO also presents quarterly updates to Verkada’s Board of Directors about the status and performance of our security program.
Verkada has a Security Governance Committee, which includes senior leadership, that manages Verkada’s security strategy and risk management, and monitors the performance of the security program.
Verkada’s security team conducts regular compliance audits, sharing information captured through continuous compliance monitoring.
Documentation for the following security standards is available here.
Verkada’s security practices align with a variety of standards that support customers’ security requirements.
Verkada conducts independent security assessments of Verkada Systems at least quarterly.
SOC 2
Verkada completes annual SOC 2 Type 2 examinations for the Security Trust Service Criteria.
ISO 27001:2022
Verkada’s Command Platform has received certification for ISO 27001:2022 (information security management systems).
ISO 27017:2015
Verkada’s Command Platform has received certification for ISO 27017:2015 (information security controls for cloud services).
ISO 27018:2019
Verkada’s Command Platform has received certification for ISO 27018:2019 (the protection of personally identifiable information (PII) in public clouds).
TX-RAMP
As of April 22, 2024, Verkada has TX-RAMP (Texas Risk and Authorization Management Program) Provisional Certification.
FedRAMP
The Verkada Command Platform for AWS GovCloud is now available. Verkada achieved FedRAMP Ready at the Moderate Impact Level on July 2, 2024. For more information on government-grade solutions, see verkada.com/government.
To assess our systems and identify areas for improvement, Verkada uses industry-standard questionnaires, including:
CAIQ
The Consensus Assessments Initiative Questionnaire offers an industry-accepted way to document which security controls exist, providing security control transparency.
HECVAT
The Higher Education Community Vendor Assessment Toolkit is designed specifically for colleges and universities to confirm that data and cybersecurity policies are in place to protect sensitive institutional information.
ISO 27701:2019
Verkada has achieved ISO 27701:2019 certification, an internationally recognized standard for privacy information management.
Data Privacy Framework
Verkada is certified under the Data Privacy Framework for non-HR data. For more information, please see our certification on the DPF website.
Verkada and our customers operate within a variety of regulatory regimes. We have designed our products and our internal practices to address these regulatory obligations in a way that supports our customers’ compliance needs.
HIPAA: For customers in the healthcare industry who are “covered entities” under HIPAA, Verkada supports their compliance with their HIPAA obligations as a Business Associate.
GDPR: With respect to our customers’ personal data processed by Verkada products, Verkada acts as a data processor. We enter into the Standard Contractual Clauses with our customers by means of our Data Processing Addendum in order to establish an adequate basis for the transfer of personal data from the U.K./EU to the U.S.
U.S. State Privacy Laws: Verkada designs its privacy practices in order to meet the evolving standards established by comprehensive state-specific privacy laws promulgated in the U.S.
At Verkada, we continually strive to make our products comply with applicable laws and regulations around the world. Currently, Verkada’s products, including cameras and alarms, meet the compliance standards for sale in the US, Canada, the UK, the EU, Australia, and New Zealand. Additional certifications may be available upon request.
Information regarding specific products and features is below.
Alarms Compliance & Availability
Read more about where Verkada’s alarm software, hardware products, wireless products, cellular products and emergency services dispatch are currently available.
People Analytics Compliance & Availability
Read more about where Verkada’s People Analytics functionality may not be currently available.
Hardware specifications
More information about the specific product specifications, including hardware certifications, for each camera or alarm may be found in the “Learn More” link in the product descriptions.