
    Introduction

    Validere is committed to the security and privacy of your data. Our approach to building security into product development and operations ensures the safety of our customer data. This includes robust governance, layered defences, secure development practices, strict data handling, security education, and continuous monitoring.

    Compliance

    ISO 27001 & 27018

    Validere has maintained ISO 27001 certification since 2022 and added ISO 27018 cloud privacy certification in 2024.

    Privacy

    Validere complies with GDPR and with US and Canadian privacy regulations. We continually audit our operations to validate our ongoing compliance.

    Coming - SOC

    Validere has engaged an auditor to certify SOC 1 & 2 compliance. Validere expects SOC 1 & 2 Type I compliance certification by the end of Q1 2025 and SOC 1 & 2 Type II compliance by the end of the year 2025. An auditor engagement letter is available upon request.

    Governance

    At Validere, our Security and Privacy teams play a crucial role in establishing robust policies and controls. They diligently monitor compliance with these controls and demonstrate our commitment to security and compliance to third-party auditors and testers.

    Principles

    • At Validere, we adhere to the principle of “least privilege” when it comes to access. This means that access is strictly limited to those with a legitimate business need, ensuring a high level of security.
    • Security controls should be implemented and layered according to the principle of “defense-in-depth.”
    • Security controls should be applied consistently across all areas of the enterprise.
    • The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

    Data security

    Data encryption

    Data at rest

    All data is encrypted at rest with AES-256. Encryption is performed using our cloud service provider's native services, and keys are managed using the Amazon Web Services (AWS) Key Management Service (KMS).

    Data in transit

    All communications are encrypted using HTTPS with TLS 1.2 and SFTP with AES-256 or higher encryption. Server TLS keys and certificates are managed via our cloud provider's services and are rotated every 90 days.

    Data center security

    Validere hosts customer data in Amazon Web Services (AWS). Validere uses a multi-region setup for its infrastructure, and services are configured with elastic storage and scaling to support availability. The principal hosting region in AWS is us-west-2 (Oregon); us-east-2 (Ohio) is the failover region.

    Data availability

    Customer Data and Validere systems are backed up nightly, and data is replicated to geographically distributed data centers in the United States. Backup status is continuously monitored, and full restoration processes are tested quarterly.

    Data ownership

    It’s your data. All contributions and derived data from processing are owned by the customer.

    Application security

    Software development

    Secure by design

    Validere follows a secure software development life cycle (SSDLC) process that ensures security practices are incorporated from the beginning of development.

    Code analysis & testing

    Security standards (OWASP, NIST, CIS, etc.), quality checks, and coding practices are evaluated and enforced through static and dynamic scans and tests.

    Vulnerability management

    Penetration testing

    Validere’s security team performs penetration testing, and engages third parties to conduct penetration testing, of applications and cloud environments to identify deficiencies in the platform that may affect critical assets.

    Vulnerability scanning

    Validere uses third-party security tools to continuously scan our applications, systems, and infrastructure for security risks and vulnerabilities.

    Product security

    Access control

    Validere provides a role- and attribute-based access control (R/ABAC) system that lets you tailor the permissions assigned to each role, so that least-privilege access principles are applied to the users of your account.

    Authentication

    Validere supports two-step verification for accounts, also called two-factor authentication (2FA). Integration with enterprise single sign-on identity providers (MS Entra ID, Okta, Ping, etc.) is also supported via the SAML or OIDC protocols.

    Operations security

    Monitoring

    Validere monitors the platform 24x7 and partners with a Managed Detection and Response (MDR) security service provider to analyze and aid in response to security incidents.

    Separate environments

    Validere maintains segregated testing, development, and production environments. All customer data is retained in the production environment.

    Disaster recovery

    Validere maintains a disaster recovery capability with a 24-hour recovery point objective (RPO) and a 12-hour recovery time objective (RTO).

    Uptime

    Validere maintains an uptime SLA of 99.9%.

    Notifications

    Validere security will notify a customer of a breach or suspected breach within 4 business days of identification.

    People security

    Security awareness

    Dedicated team

    Validere has a dedicated security team and expert partners to enforce secure practices and respond to security incidents quickly and efficiently.

    Policies

    Validere maintains a set of security policies that are updated periodically to meet the demands of an evolving security environment. Policies are communicated to all staff and available for review upon request.

    Training

    All Validere staff are required to complete security awareness and privacy training annually. All are required to participate in monthly micro-learning sessions to keep abreast of security topics and events. Validere’s security team provides continuous education on emerging security threats and communicates updates with staff regularly.

    Employee checks

    Background checks

    Validere performs background checks for potential candidates before hiring. Any contractors or suppliers are required to submit and attest to background checks for their staff with access to Validere systems or data.

    New-hire reviews

    All new hires are required to sign and acknowledge Validere’s policies and confidentiality agreements upon joining the team.

    Corporate security

    Endpoint protection

    All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage. Validere uses MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.

    Secure remote access

    Validere secures remote access to internal resources, cloud control planes, and data planes using Cloudflare Zero Trust, a modern VPN, CASB, and SASE solution. We also use malware-blocking DNS and access gateways to protect staff and their endpoints while accessing the internet.

    Identity & access management

    Validere uses single sign-on (SSO) and Cloudflare CASB/SASE solutions to manage access to resources and applications. We enforce the use of phishing-resistant authentication factors. Staff are granted access to applications and data based on their role and business needs. Access is de-provisioned upon termination and re-evaluated upon role change. Further access must be approved according to the policies set for each application, and access is reviewed quarterly.

    Collaboration & communication tools

    Validere uses hosted and centrally managed Google Workspace, Twilio SendGrid, Slack, MS Teams, and Zoom with hardened configurations to ensure a secure baseline for encryption, anti-malware/spam, and data-loss prevention (DLP). All communication is encrypted with TLS. Email uses DMARC, SPF, and DKIM to help verify the sender's identity.
