
Trust & Security

Earning and keeping your trust is everything to us.

Our approach to security

We understand that a good security program requires ongoing efforts, constant evaluation, and updates to improve infrastructure and cloud offerings. We regularly conduct internal and external assessments and perpetually update and improve our policies so that existing controls comply with what we believe are the highest security, privacy, and compliance standards.


Compliance Certifications

At Varonis, the security of our products is always top of mind. Varonis works closely with third-party auditing firms to ensure our products meet strict industry standards and are audited and reviewed regularly. Varonis has achieved numerous certifications and successfully completed audits, including ISO 27001, 27017, 27018, and 27701, Service Organization Control (SOC®) 2 Type 2, and CSA's STAR Level 1 security assessment.


ISO/IEC 27001:2022

is the best-known standard that provides requirements for an information security management system (ISMS).

View certificate

ISO/IEC 27017:2015

gives guidelines for information security controls applicable to the provision and use of cloud services.

View certificate

ISO/IEC 27018:2019

establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

View certificate

ISO/IEC 27701:2019

gives guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

View certificate
AICPA | SOC

SOC 2 Type 2

Varonis' DatAdvantage Cloud achieved SOC 2 compliance. SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to the security, availability, confidentiality, and privacy of a cloud service. The report is available upon request; ask your sales team for details.

Learn more - Varonis DAC
AICPA | SOC

SOC 3

Varonis' DatAdvantage Cloud achieved SOC compliance. SOC 3 (System and Organization Controls) is a regularly refreshed report that focuses on internal controls as they relate to security, availability, confidentiality, and privacy of a cloud service.

View report - Varonis DAC

CSA STAR

confirms that Varonis successfully completed CSA's STAR Level 1 self-assessment for the Varonis SaaS Data Security Platform and Varonis DatAdvantage Cloud, Varonis' cloud-hosted solutions.

Learn more
AICPA | SOC

SOC 2 Type 2

Varonis' cloud-hosted Data Security Platform achieved SOC 2 (System and Organization Controls) compliance. The SOC 2 report focuses on non-financial reporting controls as they relate to the security, availability, confidentiality, and privacy of a cloud service. The report is available upon request; ask your sales team for details.

Learn more - Varonis SaaS
AICPA | SOC

SOC 3

Varonis' cloud-hosted Data Security Platform achieved SOC compliance. SOC 3 (System and Organization Controls) focuses on internal controls as they relate to security, availability, confidentiality, and privacy of a cloud service.

View report - Varonis SaaS

PCI DSS

Payment Card Industry Data Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Varonis Data Security Platform is compliant with PCI DSS v3.2.1.

View certificate - Varonis SaaS

PCI DSS

Payment Card Industry Data Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Varonis DatAdvantage Cloud is compliant with PCI DSS v3.2.1.

View certificate - Varonis DAC

Government Compliance


NIAP Common Criteria Certification

Testing and validation for Varonis was completed by Acumen Security, a National Institute of Standards and Technology (NIST)-accredited and NIAP-approved commercial testing laboratory. Common Criteria Certification is valid for two years.

View certificate

TX-RAMP

The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides a review of security measures taken by cloud products and services that transmit data to Texas state agencies. Varonis SaaS received its Provisional Certification via Third-Party Audit/Attestation Review from TX-RAMP.

View certificate - Varonis SaaS

TX-RAMP

The Texas Risk and Authorization Management Program (TX-RAMP) is a program that provides a review of security measures taken by cloud products and services that transmit data to Texas state agencies. Varonis DAC received its Provisional Certification via Third-Party Audit/Attestation Review from TX-RAMP.

View certificate - Varonis DAC

Cyber Essentials

Cyber Essentials is a UK government-backed program that helps protect organizations against a range of common cyber attacks. Varonis received its Certificate of Assurance from Cyber Essentials.

View certificate

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted to protect the privacy and security of individuals' medical records and other individually identifiable health information. Varonis practices are HIPAA-compliant, and we've executed Business Associate Agreements (BAAs) with our relevant sub-processors. Our HIPAA report is provided upon request; please see your Varonis account manager for more information.

View certificate

Security Practices

We’re committed to information security at every level of our organization.

The Varonis security program is based on industry-leading best practices. Along with third-party penetration tests, Varonis uses dynamic application testing and automated scanning to continually validate our software’s security.

Our secure software development lifecycle includes:


A team of security architects within the R&D organization who specialize in software security.


Architecture design that adheres to National Institute of Standards and Technology (NIST) principles.


Identifying and tracking application security issues, threat mapping, and developing appropriate mitigations.


Application security verification processes closely aligned with the OWASP framework, incorporating elements of the OWASP Application Security Verification Standard (ASVS).


Each new feature goes through a security architecture review that includes threat mapping; the applicable controls are then built into the feature's design and development.

Our approach to privacy

We know how valuable our customers' data is, and we work hard to ensure it is kept private. Our products are built with privacy by design, and our processes are structured in accordance with the privacy-by-default principle.

Privacy Policies

Your privacy matters to us. If you have any questions regarding your privacy or the information that we collect about you, please contact us at privacy@varonis.com.