Information Security and Data Privacy
What are Veeva’s certifications and policies related to information security and data privacy?
Veeva maintains the SiteVault software in a validated state consistent with life sciences regulatory requirements (including 21 CFR Part 11 and Annex 11). We perform the software validation and summarize our findings in a validation summary report, which customers can request.
We have designed a comprehensive security program based on ISO 27001 to ensure the confidentiality, integrity, and availability of SiteVault customer data. We regularly pass rigorous third-party compliance audits of our robust security, confidentiality, and availability controls and publish a Service Organization Controls 2 (SOC 2) Type II report.
We ensure our data processing commitments comply with the GDPR and other applicable data protection laws and give SiteVault customers an easy, electronic way to sign up to our Privacy & Security Processor addendum setting out those commitments.
U.S. SiteVault customers who are covered entities can use the software to process, maintain, and store protected health information in accordance with the Health Insurance Portability and Accountability Act (“HIPAA”). As part of our standard terms of service, we agree to the terms of our business associate addendum that accounts for the services we provide to our customers.
Finally, we use Amazon Web Services (“AWS”) as our primary cloud infrastructure provider. In addition to AWS’ robust compliance program, we have signed the appropriate agreements with AWS as required under the applicable laws. We store customer data on AWS infrastructure selected according to the customer’s location: in the United States (West and East Coast), in Europe (Germany and Ireland), or in Japan.
For more information, read our privacy and customer data statements and the Veeva SiteVault Technical and Operational Security Whitepaper.
If you have questions or need additional assistance, contact us.