Security at Drata
Trust is everything to us, but you can’t have trust without security. That’s why we use independent experts to verify our security, privacy, and compliance controls.
No company is impenetrable, and we're always aiming to be better. If you find any security issues with Drata, please report it.
See Our Security Posture
Drata was founded to help build trust across the internet by enabling companies to publish and share their security posture—and that includes us too. We’ve achieved certification and attestations against stringent standards. And you’re welcome to take a look under the hood.
Application and Code
- Identifies and prevents security flaws during CI/CD with code security scanning tools.
- Prevents accidental merging of credentials into the codebase with credential checking.
- Trains developers on secure code development (OWASP Top 10 Secure Coding Practices, etc.).
- Blocks the latest threats with our Web Application Firewall (WAF).
- Mitigates attacks with robust Content Security Policy headers.
- Peer reviews code changes before they are merged into a protected main branch.
- Monitors for and detects application exploits at run time.
Infrastructure and Data
- DDoS mitigation at both the application layer (CDN provider) and the network layer (cloud service provider).
- Data is encrypted at rest and in transit using known strong protocols and ciphers.
- Access to data is reviewed and authorized.
- Authentication uses 2FA with phishing-resistant hardware.
- Hosted on reputable cloud service providers, Amazon Web Services (AWS) and Google Cloud Platform (GCP).
- Peer review of infrastructure changes, vulnerability scans of Infrastructure as Code, Compliance as Code scans, and rapid failover recovery using Infrastructure as Code.
- Anomaly detection supported by GuardDuty, Google Security Center, as well as third-party security services from trusted vendors.
- Cloud Security Posture Management is deployed and reports vulnerabilities and misconfigurations.
- Vulnerability management process to mitigate vulnerabilities in a timely manner.
- DNSSEC to help prevent domain spoofing.
- Security tooling deployed to detect and protect against threats.
Endpoint
- Devices centrally managed with MDM with known hardened security configurations, such as firewalls, patching, and encryption.
- Endpoints protected with endpoint detection and response capabilities to monitor for malicious activity and associated chain of events.
- Advanced DNS filtering and network protections on endpoints filter malicious requests that could harm employees or the company.
Security as a Core Value
At Drata, we’re here to help companies earn and keep the trust of their users, customers, partners, and prospects. We believe the best way to earn trust is by first proving that you deserve it. Here’s how we walk the walk when it comes to our own security program:
Vulnerability Disclosure Program
We host a private bug bounty program on the Bugcrowd platform. For questions about the program or invitation inquiries, please contact the Bugcrowd Support team. For other urgent reports, please follow our responsible disclosure policy.
Continuous Compliance
Detection & Response
DevSecOps Forward
Zero Trust
Phishing-Resistant MFA
Red Team Testing
Win with Trust
We understand how important trust is to earning and keeping customers. That’s why we are committed to complying with the highest standards.
Trusted Sub-Processors
We’re only as strong as our weakest link. See which authorized third-party vendors Drata partners with, and view their security posture in the Sub-Processors page of our Trust Center.