4 Infrastructure Security
4.1 Physical Security
4.1.1 Data Center
Customer data is stored in industry-leading ISO 27001 certified data centers around the world that issue SOC2
Type II reports. All facilities feature 24-hour manned physical security, mantraps, biometric access control, and
video surveillance. Veeva does not have direct access to servers, which are managed by the data center
providers’ or managed services’ personnel. All data centers are audited annually by an independent third party.
Veeva data centers are designed to protect customer data from hardware and environmental risks.
Infrastructure is maintained in a strictly controlled environment to ensure optimal performance and protection.
This includes the ability to withstand regional natural disasters. To ensure uninterrupted data access,
infrastructure components are powered by redundant electrical supplies (e.g. breakers), UPS modules, and
generators. Veeva and data center operations personnel continually monitor system and network
performance to ensure maximum service availability.
4.1.2 Operational Access
Only data center personnel can physically access servers. Data center personnel therefore perform all hardware
maintenance. All operational activities, including facility access and replacing hardware components or removable
media, are monitored, tracked, and audited.
Within Veeva, only a small number of technical operations administrators can access production infrastructure and
perform system maintenance tasks. Veeva continually monitors access logs to verify all administrator activities.
Operating system level security is provided by continuous monitoring tools, such as host-based intrusion detection
software, which instruments the kernel and monitors all network and process activity. This allows automated detection
of unauthorized access attempts, including suspicious network connections, file accesses, and suspicious process
launches.
4.1.3 Amazon Web Services (AWS) Security
Veeva shares responsibility with AWS under the standard AWS Shared Responsibility Model. Veeva is
primarily responsible for network management, AWS Console access, and AWS resources, which are secured
using a variety of tools, including cloud configuration monitoring software that continuously monitors for and
remediates any issues that arise. This allows Veeva to monitor how networks are configured within AWS, to
trigger immediate alerts on policy violations or suspicious network traffic, and to track the behavior of
AWS accounts and their associated access keys. Finally, these automated tools also inspect how AWS resources,
such as S3 for object storage or EC2 for compute instances, are configured to ensure they follow best practices.
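As an added illustration of the kind of configuration check described above (example code written for this page, not Veeva's tooling and not an AWS API), the script below evaluates constructed S3 bucket and EC2 security-group records against a small best-practice policy and returns one finding per violation, which a monitor would raise as an alert.

```python
# Added example (not Veeva's tooling): an offline "cloud configuration monitor" that
# checks S3 bucket and EC2 security-group descriptions against a best-practice policy
# and returns (resource, rule, detail) findings; the inventory is constructed sample data.

PUBLIC_ACCESS_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")
ADMIN_PORTS = (22, 3389)  # SSH and RDP should never be reachable from the internet

def check_s3(bucket: dict) -> list[tuple]:
    """Flag buckets that allow public access or lack default encryption."""
    name, out = bucket["Name"], []
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in PUBLIC_ACCESS_KEYS):
        out.append((name, "s3-public-access-block", "public access block incomplete"))
    if not bucket.get("ServerSideEncryption"):
        out.append((name, "s3-default-encryption", "no default SSE configured"))
    return out

def check_ec2_sg(sg: dict) -> list[tuple]:
    """Flag security groups exposing admin ports to 0.0.0.0/0 (missing ports = all)."""
    out = []
    for perm in sg.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            out.append((sg["GroupId"], "ec2-admin-port-open", f"ports {lo}-{hi} open to 0.0.0.0/0"))
    return out

def evaluate(inventory: dict) -> list[tuple]:
    """Run every rule over the inventory; each finding is one alert to raise."""
    findings = [f for b in inventory.get("s3", []) for f in check_s3(b)]
    findings += [f for g in inventory.get("ec2_security_groups", []) for f in check_ec2_sg(g)]
    return findings

# Constructed inventory: one compliant bucket, one misconfigured bucket, one open SG.
SAMPLE_INVENTORY = {
    "s3": [
        {"Name": "example-logs", "ServerSideEncryption": "aws:kms",
         "PublicAccessBlock": dict.fromkeys(PUBLIC_ACCESS_KEYS, True)},
        {"Name": "example-scratch", "PublicAccessBlock": {"BlockPublicAcls": True}},
    ],
    "ec2_security_groups": [
        {"GroupId": "sg-example1", "IpPermissions": [
            {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
}

if __name__ == "__main__":
    for resource, rule, detail in evaluate(SAMPLE_INVENTORY):
        print(f"ALERT {rule} on {resource}: {detail}")
```

Running it against the constructed inventory reports two findings for the scratch bucket and one for the security group; the compliant bucket produces none.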
Access to Veeva’s internal corporate network is controlled through user accounts, which require passwords of at
least eight characters with complexity requirements, multifactor authentication for remote access,
and automatic expiration. SiteVault Free is housed on a separate production network in AWS, which has stricter
controls, including continuous monitoring by the security team. Access to the production servers and operations
network is controlled through VPN access to a hardened jump host with two-factor authentication.
4.1.4 Asset Management
Veeva maintains an inventory of its critical information assets in an Enterprise asset inventory system and has
identified all applications that process sensitive data. Veeva also tracks IT assets assigned to employees and
ensures retrieval as part of the employee exit process.