Security at Drata
Trust is everything to us, but you can’t have trust without security. That’s why we use independent experts to verify our security, privacy, and compliance controls.
No company is impenetrable, and we're always aiming to be better. If you find any security issues with Drata, please report it.
Drata was founded to help build trust across the internet by allowing companies to publish and share their security posture—including us.
We’ve achieved certification and attestations against stringent standards. And you’re welcome to take a look under the hood.

Security as a Core Value
At Drata, we’re here to help companies earn and keep the trust of their users, customers, partners, and prospects. We believe the best way to earn trust is by first proving that you deserve it. Here’s how we walk the walk when it comes to our own security program:
We identify and prevent security flaws during CI/CD with code security scanning tools.
We prevent accidental merges of credentials into code with credential checking.
We train engineers on secure code development (OWASP Top 10, Secure Coding Practices, etc.).
We block the latest threats with our Web Application Firewall (WAF).
We mitigate attacks with robust Content Security Policy headers.
We peer review code changes before they are merged to a protected main branch.
We perform run-time monitoring and detection for application exploits.

Vulnerability Disclosure Program
We host a private bug bounty program on the Bugcrowd platform. Please contact [email protected] if you would like to be invited to the program. For other urgent reports, please follow our responsible disclosure policy.
Since day one we’ve used Drata to achieve and maintain compliance
Drata is committed to complying with the highest standards, including:


Continuous Compliance
We monitor 100+ security controls and work with auditors and security experts to ensure automated tests are accurate.

Automated Detection & Response
We use best-in-class services and tools to provide 24/7 automated detection and response capabilities.

DevSecOps Forward
Security checks are baked into our software development lifecycle and secure baselines are automatically enforced.

Zero Trust
We're a remote-first, cloud-native company, and have designed our networks and access controls with Zero Trust principles.

Phishing-Resistant MFA
We use the Web Authentication API (WebAuthn) multi-factor standard to protect authentication to sensitive systems.

Red Team Testing
We conduct red team testing both internally and with third parties to best identify security gaps.

Trusted Sub-Processors
We’re only as strong as our weakest link. See which authorized third-party vendors Drata partners with, and view their security posture in the Sub-Processors page of our Trust Center.