
Securing Data at Scale

At Drata, we believe trust is built and earned through everyday consistency and through ongoing transparency, accountability, and a relentless commitment to securing customer data.

by Drata

June 03, 2025

Drata securely stores, transmits, and processes data for 7,500+ customers worldwide. Using hundreds of data integrations, it pulls and assesses millions of evidence artifacts to help customers ensure ongoing compliance with a number of standards, frameworks, and regulations.

While we hold ourselves and others to the highest of standards, no solution—including Drata—is immune to all risks. Complex operations like data backfills, database schema changes, reliance on third-party integration providers, and cross-tenant updates can introduce challenges that require continuous diligence and shared responsibility.

To help mitigate these risks, Drata employs a number of engineering practices that help protect the confidentiality, integrity, and availability of customer data at rest, and that help keep it from being exposed to other customer tenants, while serving our customers on a multi-tenant platform.

At Drata, we proactively invest in robust, scalable, and repeatable application development safeguards, practices, and automation to minimize risk. We recognize that even the best-designed architectures—and heavily reviewed and tested software—can still lead to unanticipated impacts when dealing with sensitive operations.

To help reduce the impact and likelihood of these incidents, Drata implements and effectively operates the following application development practices:

  • Deploying and operating a single-tenant database architecture in which each customer receives its own database partition and no data elements are commingled with other tenants' data elements.

  • Thorough and comprehensive code reviews are systematically enforced and carried out by qualified, experienced, and well-trained developers. Reviews include examining code modifications that could lead to data spillage or exposure to other customers in a multi-tenant SaaS platform—especially in cross-tenant data operations.

  • Extensive quality assurance reviews are conducted by well-seasoned quality assurance engineers to identify these potential outcomes.

  • Rigorous code linting and pattern checks are systematically enforced and included in continuous integration tests on all code changes to detect and block vulnerable code or sequences before code is ever committed.

  • Running data operations impacting multiple customer tenants in a limited way—targeting only a small number of tenants first before deploying broadly.

  • Thread-safe, resilient technology stacks and deployments are used for data migrations, backfills, and any similar operations across tenants, reducing the likelihood of data spillage or cross-tenant data exposure.

  • System architecture design includes stricter data isolation by design, especially for systems used by AI models, search indexes, or data stores.

  • Defensible practices around operations involving bulk data movement or schema-level updates, supported by simulations and failure scenario testing.

  • Deploying and closely monitoring audit logging and detection mechanisms to identify instances where data operations impact multiple tenants, so that they are caught and remediated as close to real time as possible, following a well-defined and practiced incident response plan.

  • Retaining defensible backups of customer data to help meet a recovery point objective and restore customer data to a reasonable point in time.

  • Automated safeguards and runtime checks are used to validate tenant boundaries before executing any logic that might be applied across multiple tenants.

  • Robust and thoughtfully designed rollback plans for backfills or migrations, to mitigate unanticipated impacts of code changes and limit prolonged data integrity issues.

These measures significantly increase the integrity of operations handling sensitive customer data at Drata, especially data operations that might be carried out across a number of customer tenants. Data security—including the confidentiality, integrity, availability, privacy, and protection of our customers’ data—is central to Drata’s commitment to building and maintaining the trust of our current and future customers. Drata continues to hold this responsibility as our highest priority, and the trust of our customers is our most valued asset.

To learn more about how Drata builds trust into every layer of its platform, contact us at drata.com or explore our Trust Center.
