Verkada Inc. Security Controls
LAST UPDATED: June 14, 2021
Verkada Inc. (“Verkada”) has taken and will maintain appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below. Verkada may update this list from time to time.
- Verkada’s Information Security Policy establishes a framework of internal standards.
- Verkada’s designated security team is responsible for the design, implementation and management of policies, standards, baselines, procedures, guidelines, and training programs for privacy and information security for personnel.
- Verkada authorizes access to information resources, including production systems and customer data, on the principle of least privilege and conducts annual access control reviews.
- Verkada requires two-factor authentication and/or Single Sign-On to access sensitive systems and applications.
- Personnel must accept policies addressing security, including Verkada’s Code of Conduct and Acceptable Use Policy, and must pass a background check prior to commencing employment.
- Verkada has established formal guidelines for employee passwords to govern the management and use of authentication mechanisms, and requires use of password managers, automatic screensaver locks, hard disk encryption, and other endpoint security measures.
- A version control system helps manage source code, documentation, release labeling, and other change management tasks. Access to the system must be approved by a system administrator.
- Verkada has in place business continuity and incident response plans to effectively respond to a business interruption or security incident to minimize impact to customers.
- Formal risk management processes specify risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances. Verkada conducts a risk assessment at least annually.
- Verkada performs regular backups and retains them in accordance with a predefined schedule in the Backup Policy.
- Verkada ensures that all connections to its web application from its users are encrypted using certificated TLS configurations. Both website and application are reachable exclusively over HTTPS.
- Verkada stores customer data in databases that are encrypted at rest.
- Production environments run in an isolated Virtual Private Cloud network with only necessary services enabled.
- Verkada uses a load balancer to automatically distribute incoming application traffic across multiple instances and availability zones.
- Verkada uses configurations that ensure only approved networking ports and protocols are implemented.
Monitoring and Alerting
- Verkada tools monitor server CPU use, free storage space, message age and read I/O in Verkada’s databases, servers and messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
- Verkada employs enterprise-grade Role-Based Access Control (RBAC) and Single Sign-On (SSO) authentication.
- Verkada deletes customer data within 30 days of the customer terminating its contract.
- The security team periodically evaluates controls and monitors employee devices, cloud environments, and networks for malicious activity.
- At least annually, Verkada conducts a third-party vulnerability scan of the production environment.
- Verkada provides processes for external users and employees to report failures, incidents, and concerns.
- Verkada is working with an independent auditor to achieve AICPA SOC 2 Type II compliance.