Certifications | Veracode

Certifications and Security at Every Level

Veracode delivers an application security service that is end to end, built for scale, and works to systematically reduce application security risks. But Veracode recognizes that customers need assurance that its services are delivered securely and assurance that customer binaries, bytecode and analysis results remain confidential.

Veracode was founded by world-class security experts who have been addressing sophisticated enterprise security challenges for nearly two decades. We have leveraged our experience with securing customer networks, applications and data to design, implement, maintain and audit security at every layer of our cloud-based services. This page outlines the mechanisms and procedures we have taken to deliver our secured cloud-based services, and describes the certifications that attest to our security.

Multi-layered protection 

All Veracode customers benefit from:

  • Data encryption in transit - Data is encrypted using TLS while in transit.
  • Data encryption at rest - Data is encrypted on servers using AES-256.
  • Strong authentication controls - Enforced password complexity requirements, two-factor authentication, IP address restrictions and forced resets, as well as optional Single Sign-On support.
  • Role-based access controls - End user viewing, access and uploading permissions.
  • Administrative auditing - Manage users, groups and access permissions, and audit user activity.
  • Protection of your privacy - We take your privacy very seriously.

See below for more details about Veracode's certifications and the technology controls that support them.

Veracode provides SOC 3, SOC 2 and Safe Harbor certifications for the security and privacy of its services.


Service Organization Controls (SOC) 3 

Veracode is committed to protecting the security and confidentiality of our customers' information as if it were our own. To that end, we are pleased to announce that Veracode has achieved SOC 3 certification - an audit by an outside, independent auditor to ensure we have appropriate internal controls in place for security and confidentiality of our environment.

The SOC 3 certification, formerly known as SysTrust, is a rigorous process developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to provide independent assurance that an organization's systems are reliable. Ernst & Young evaluated Veracode's operational practices and controls and awarded Veracode an unqualified certification regarding Veracode's conformity with the following SysTrust principles:

  • Security - The system is protected against unauthorized access (both physical and logical);
  • Availability - The system is available for operation and use as committed or agreed; and
  • Confidentiality - Information designated as confidential is protected as committed or agreed.

The examination provides additional validation to Veracode clients that the Veracode Code Assurance Platform and its software-as-a-service model are secure.

The Veracode SysTrust report is available for download.


SOC 2 Type II

We are very pleased to announce that Veracode has received a SOC 2 attestation report, confirming that we have appropriate internal controls in place for the security, availability and confidentiality of our environment.

A SOC 2 report is widely recognized as meeting assurance and reporting needs because it shows that a service organization has undergone an examination and evaluation of its control activities as they relate to the applicable Trust Services Principles and Criteria defined by the AICPA.

Veracode’s SOC 2 Type II Report includes Veracode’s system description and provides assurance that the controls implemented by Veracode were suitably designed to meet or exceed the prescribed criteria for the applicable trust principles, including detailed testing of the design and operating effectiveness of controls for:

  • Security - The system is protected against unauthorized access (both physical and logical);
  • Availability - The system is available for operation and use as committed or agreed; and
  • Confidentiality - Information designated as confidential is protected as committed or agreed.

Service Organization Controls (SOC) reports are designed to help organizations that operate information systems and provide information system services to other entities build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

The SOC 2 report is for limited distribution and shared under non-disclosure agreement (NDA). Please direct all requests through your Veracode Account Executive, Account Manager or Customer Service Representative.


Privacy Shield

Veracode has certified that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov. To view Veracode’s current self-certification, please visit https://www.privacyshield.gov/list.


U.S.-Swiss Safe Harbor

Veracode has certified its compliance with the Safe Harbor framework designed to satisfy the "adequacy" requirement under the Swiss Federal Data Protection Act, effective January 30, 2013. To view Veracode’s certification, please visit https://safeharbor.export.gov/companyinfo.aspx?loc=swiss&id=33067

Personal Information collected via this Web site is stored on servers in the USA, and these servers are subject to Veracode security policies and procedures.



FedRAMP

Veracode is currently in the process of achieving FedRAMP compliance.

The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves an estimated 30-40% of government costs, as well as both time and staff required to conduct redundant agency security assessments. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.


Security at Every Level 

Comprehensive security at every level

Veracode commits extensive resources to the design, implementation, monitoring and maintenance of our security infrastructure. This includes:

  • SysTrust SOC 2 and SOC 3 certified. Audited by an outside, independent auditor to ensure we have appropriate internal controls in place for the security and confidentiality of our environment.
  • Highly scalable and redundant online infrastructures
  • Constant monitoring of production systems
  • Ongoing threat assessments
  • Rapid deployment of industry-standard security technologies
  • Veracode performs dynamic and static scans on any code changes we make to our software.


Protection at the application level

  • Your applications uploaded to the Veracode Platform are private to your account.
  • Uploaded applications are purged from the Veracode Platform once the analysis is complete.
  • Scan results are treated just as securely as your uploads; you own them and control them. Results are deleted by destroying the private key once the application profile is deleted by a customer from their account.
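The last point describes crypto-shredding: results are encrypted under a key tied to the application profile, and deleting the profile destroys that key, so every copy of the ciphertext (including any that lingers in backups) becomes unrecoverable. The following is an added illustration of that pattern, not Veracode's code; the `ResultStore` class, profile identifiers and finding text are constructed for the example, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the AES-256 the page names so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey from the profile master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter), stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC under keys derived from the profile master key."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(master: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ResultStore:
    """Hypothetical per-profile result store; keys and ciphertext are kept separately."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}          # profile_id -> master key (key store)
        self._blobs: dict[str, list] = {}          # profile_id -> encrypted results (bulk store)

    def create_profile(self, profile_id: str) -> None:
        self._keys[profile_id] = secrets.token_bytes(32)
        self._blobs[profile_id] = []

    def store_result(self, profile_id: str, finding: bytes) -> None:
        self._blobs[profile_id].append(encrypt(self._keys[profile_id], finding))

    def read_results(self, profile_id: str) -> list[bytes]:
        key = self._keys.get(profile_id)
        if key is None:
            raise KeyError(f"no key for profile {profile_id}: results are unrecoverable")
        return [decrypt(key, *blob) for blob in self._blobs[profile_id]]

    def delete_profile(self, profile_id: str) -> None:
        # Crypto-shredding: only the key is destroyed. The ciphertext may survive in
        # the bulk store or in backups, but without the key it is just random bytes.
        self._keys.pop(profile_id, None)

    def ciphertext_still_present(self, profile_id: str) -> bool:
        return bool(self._blobs.get(profile_id))


def demo() -> dict:
    """Store a constructed finding, shred the profile key, and show the result is gone."""
    store = ResultStore()
    store.create_profile("app-42")
    store.store_result("app-42", b"CWE-89 SQL injection in Foo.java:120")  # constructed sample
    before = store.read_results("app-42")
    store.delete_profile("app-42")
    try:
        store.read_results("app-42")
        readable_after = True
    except KeyError:
        readable_after = False
    return {
        "before": before,
        "readable_after": readable_after,
        "ciphertext_present": store.ciphertext_still_present("app-42"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the key store and the bulk store have different lifecycles: deleting a profile needs only one small, immediately verifiable operation (removing the key) rather than a hunt for every replica of the results, and a stale backup that still holds the ciphertext cannot be read even by the operator.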


Protection at the network level

  • Servers reside behind a sophisticated firewall that selectively grants access to network resources
  • External penetration testing performed for system security and validation
  • Multiple internet backbone connections provide routing redundancy and high-performance connectivity
  • Intrusion Detection System (IDS) continuously monitors network traffic


Protection at the facilities level

  • Servers hosted in redundant facilities, which are automatically backed up to a geographically-separated site
  • Data centers implement ongoing audits, 24/7/365 monitoring and surveillance, on-site security staff, mantraps and strict access controls
  • Power systems feature multiple power feeds, UPS devices and backup generators to ensure continuous operation


Application Security without Source Code

  • The primary inhibitor to organizations being able to identify software vulnerabilities is whether source code is available to them.
  • Veracode’s patented static binary analysis enables enterprises to conduct application security audits through an easy to use platform, as part of an organization’s formal software release, compliance or acceptance process, without the need for source code or other intellectual property.