Veracode Achieves Certification for Service Organization Controls 2 (SOC-2)

Assessment demonstrates Veracode’s security commitment to highest security standards

BURLINGTON, MA — February 24, 2014 — Veracode, the application security company, today announced the company has successfully completed a Service Organization Controls (SOC-2) assessment for its cloud-based platform. The examination, conducted by independent accounting and auditing firm Ernst & Young (E&Y) evaluated the processes, procedures and controls for security, confidentiality and availability.

Independent auditor E&Y conducted an extensive and highly-detailed audit which determined that Veracode’s facilities, cloud-based solution, information security practices, operations, policies, and procedures met or surpassed the rigorous SOC-2 standards.

“Given the nature of our business and the clients we serve, the security of our customer data is of the upmost importance to Veracode,” said Bob Brennan, CEO, Veracode. “The SOC-2 assessment demonstrates the rigor by which we pursue security for ourselves and for our customers.”

The SOC-2 Type II report provides Veracode’s clients with an assurance that the company has effective operational controls to meet audit levels for data protection and availability. Specifically, the SOC-2 Type II report demonstrates Veracode’s commitment to the highest standards of operational excellence, security levels, system integrity and application data controls for its customers.

Veracode serves the world’s largest organizations including three of the top four banks and a third of the Fortune 100 companies. The assessment documentation will provide these and future customers with information regarding Veracode’s security practices and controls.

A SOC-2 examination is widely recognized, because it represents that a service organization has been through an evaluation of their control activities as they relate to the applicable Trust Services Principles and Criteria. A Type II report not only includes the service organization's system description, but also includes detailed testing of the design and operating effectiveness of the service organization's controls.