Trust is everything to us, but you can’t have trust without security. That’s why we use independent experts to verify our security, privacy, and compliance controls. No company is impenetrable, and we're always aiming to be better. If you find any security issues with Drata, please report it.
Drata Security
Drata was founded to help build trust across the internet by allowing companies to publish and share their security posture—including us. We’ve achieved certification and attestations against stringent standards. And you’re welcome to take a look under the hood.
Security as a Core Value
At Drata, we’re here to help companies earn and keep the trust of their users, customers, partners, and prospects. We believe the best way to earn trust is by first proving that you deserve it. Here’s how we walk the walk when it comes to our own security program:
Application and Code
Identifies and prevents security flaws during CI/CD with code security scanning tools.
Prevents any chance of an accidental code merge with Credential Checking.
Trains on secure code development (OWASP Top 10 Secure Coding Practices, etc.).
Block the latest threats with our Web Application Firewall (WAF).
Mitigate attacks with robust Content Security Policy headers.
Peer review code changes before being merged to a protected main.
Run-time monitoring and detection for application exploits.
Infrastructure and Data
DDoS mitigation at both the application layer (CDN provider) and the network layer (cloud service provider).
Data is encrypted at rest and in transit using known strong protocols and ciphers.
Access to data is reviewed and authorized.
Authentication uses 2FA with phishing-resistant hardware.
Hosted on reputable cloud services provider, Amazon Web Services (AWS).
Peer reviews of infrastructure changes, Infrastructure as Code vulnerability security scans, Compliance as Code compliance scans, and quick recovery for failover with Infrastructure as Code.
Anomaly detection supported by GuardDuty as well as third-party security services from trusted vendors.
Cloud Security Posture Management deployed and informs on vulnerabilities and misconfigurations.
Vulnerability management process to mitigate vulnerabilities in a timely manner.
DNSSEC to help prevent domain spoofing.
Deployed security tooling to detect and protect.
Endpoint
Devices centrally managed with MDM with known hardened security configurations, such as firewalls, patching, and encryption.
Endpoints protected with endpoint detection and response capabilities to monitor for malicious activity and associated chain of events.
Filter malicious requests that could harm employees (or our company) with Advanced DNS Filtering on endpoints and endpoint network protections.
Subtitle Goes Here
We host a private bug bounty program on the HackerOne platform. Please contact security@drata.com if you would like to be invited to the program. For other urgent reports, please follow our responsible disclosure policy.
Drata is committed to complying with the highest standards, including:
An automation-led approach gives us 24/7 confidence in our security and compliance posture, while fostering a culture of trust.
We monitor 100+ security controls and work with auditors and security experts to ensure automated tests are accurate.
We use best-in-class services and tools to provide 24/7 automated detection and response capabilities.
Security checks are baked into our software development lifecycle and secure baselines are automatically enforced.
We're a remote-first, cloud-native company, and have designed our networks and access controls with Zero Trust principles.
We use the Web Authentication API (WebAuthn) multi-factor standard to protect authentication to sensitive systems.
We conduct red team testing both internally and with third parties to best identify security gaps.
We’re only as strong as our weakest link. See which authorized third-party vendors Drata partners with, and view their security posture in the Sub-Processors page of our Trust Center.
