Our mission is to protect people and places with privacy in mind. We do this by helping our customers operate smarter, safer buildings. With such a bold mission, we know that first and foremost we must earn our customers’ trust — trust in us as a company and in our products. To earn that trust, we center our business around five pillars:
SecurityHow we secure our products and the data they collect
Our commitment to security begins with these principles:
- Verkada’s “zero trust” approach for cloud-managed “Internet of Things” (IoT) devices fundamentally assumes that our systems should not trust any user, network or device without authentication and authorization. This approach mitigates the risks inherent in the expansive and interconnected nature of IoT devices, which could otherwise create entry points for potential cyberattacks.
- Verkada personnel can only access Verkada’s product infrastructure or code by authenticating via SAML single sign-on from Verkada’s identity provider.
- Verkada’s identity provider for product infrastructure is separate from Verkada’s corporate identity provider and requires multi-factor authentication, including hardware keys.
- Verkada support personnel who access customer data through Verkada’s support tools must first obtain time-bound consent from the relevant customer via the Support Permission System.
- Verkada applies least-privilege role-based access control for access to all product infrastructure, customer data, and Verkada devices. This means that we base the level of access needed on a user’s role and provide the lowest level of access possible. Roles that require high privilege access are granted on demand as needed, and only for a limited period of time, with a high degree of oversight.
- All communication with Verkada’s products and systems over public networks uses TLS 1.2 or greater with modern cipher suite configurations.
- We design Verkada’s products and interfaces to route any new types of data through a limited set of interfaces with hardened security. This approach reduces the number of entry points we need to secure against potential attacks and allows us to concentrate our security resources on each entry point.
- We isolate our product infrastructure from the rest of the company, down to a separate identity provider for Single Sign-On authentication.
- We build our device firmware with minimized operating systems and as few components as possible, to minimize potential points of attack.
- We use only secure channels on our devices, established by outbound network calls to a secure API gateway in Verkada’s Command platform, for any administrative commands.
- We develop all aspects of Verkada’s security program with an automation-first approach. This helps us maintain the effectiveness of Verkada’s security program as we scale and minimize gaps in how we implement our policies.
- Our “configuration-as-code” approach ensures that we consistently apply secure configuration patterns that are aligned with industry benchmarks for hardening.
- Our “policy-as-code” approach defines Verkada’s policies as rules for software to follow, increasing Verkada’s adherence to them.
- Patches for known vulnerabilities are automatically applied to infrastructure services at least every 2 weeks.
- Our compliance automation platform continuously monitors compliance with security and privacy standards.
- We conduct continuous security log monitoring and automated detection of potential security incidents.
- Verkada incorporates security throughout the software development life cycle using a layered, defense-in-depth approach to prevent vulnerabilities and mitigate the impacts of exploitation.
- Our software engineering teams partner with a member of Verkada’s security team to ensure security best practices are followed from product and feature conception to completion.
- We implement Verkada’s software with paved roads built with secure configurations and defaults to make the right decisions up front.
- We put guardrails in place to maintain security invariants to help prevent insecure choices from being made in the design and implementation stages.
- We also run an ongoing Bug Bounty Program, where we offer monetary rewards to external security researchers who spot and report potential security issues.
- We employ independent security consultants to perform Independent Security Assessments at least quarterly as part of our ongoing risk management and customer assurance.