Compliance Certifications
At Varonis, the security of our products is always top of mind. Varonis works closely with third-party auditing firms to ensure our products meet strict industry standards and are audited and reviewed regularly. Varonis has achieved numerous certifications and successfully completed audits, including ISO 27001, 27017, 27018, and 27701, Service Organization Control (SOC®) 2 Type 2, and CSA's STAR Level 1 security assessment.
ISO/IEC 27001:2013
is the best-known standard that provides requirements for an information security management system (ISMS).
ISO/IEC 27017:2015
gives guidelines for information security controls applicable to the provision and use of cloud services.
ISO/IEC 27018:2019
establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO/IEC 27701:2019
guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
SOC 2 Type 2
Varonis' DatAdvantage Cloud achieved SOC 2 compliance. SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, confidentiality, and privacy of a cloud service. Available upon request — ask your sales team for details.
SOC 3
Varonis' DatAdvantage Cloud achieved SOC compliance. SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, confidentiality, and privacy of a cloud service.
CSA STAR
SOC 2 Type 2
Varonis' cloud-hosted Data Security Platform achieved SOC 2 (System and Organization Controls) compliance. The SOC 2 report focuses on non-financial reporting controls as they relate to security, availability, confidentiality, and privacy of a cloud service. Available upon request — ask your sales team for details.
SOC 3
Varonis' cloud-hosted Data Security Platform achieved SOC compliance. SOC 3 (System and Organization Controls) focuses on internal controls as they relate to security, availability, confidentiality, and privacy of a cloud service.
Government Compliance
NIAP Common Criteria Certification
Testing and validation for Varonis was completed by Acumen Security, a National Institute of Standards and Technology (NIST) accredited and NIAP-approved commercial testing laboratory. Common Criteria Certification is valid for two years.
TX-RAMP
The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides a review of security measures taken by cloud products and services that transmit data to Texas state agencies. Varonis SaaS received its Provisional Certification via Third-Party Audit/Attestation Review from TX-RAMP.
Cyber Essentials
Our secure software development lifecycle includes:
A team of security architects within the R&D organization who specialize in software security.
Architecture design that adheres to National Institute of Standards and Technology (NIST) principles.
Identifying and tracking application security issues, threat mapping, and developing appropriate mitigations.
Application Security Verification Processes (ASVS) closely aligned with the OWASP framework with elements of the OWASP ASVS.
Each new feature goes through security architecture review which includes threat mapping, applicable controls are included in the feature design and development.