Security at Drata

Trust is everything to us, but you can’t have trust without security. That’s why we use independent experts to verify our security, privacy, and compliance controls. No company is impenetrable, and we're always aiming to be better. If you find any security issues with Drata, please report it.

Drata Security

Trust Is Our Ethos


Customer Trust Center Views


Total Drata Users


Automated Tests Run

Trust Center

See Our Security

Drata was founded to help build trust across the internet by allowing companies to publish and share their security posture—including us. We’ve achieved certification and attestations against stringent standards. And you’re welcome to take a look under the hood.

Trust Center - Streamline Vendor Security Reviews

Security as a Core Value

At Drata, we’re here to help companies earn and keep the trust of their users, customers, partners, and prospects. We believe the best way to earn trust is by first proving that you deserve it. Here’s how we walk the walk when it comes to our own security program:

  • Identifies and prevents security flaws during CI/CD with code security scanning tools.

  • Prevents any chance of an accidental code merge with Credential Checking.

  • Trains on secure code development (OWASP Top 10 Secure Coding Practices, etc.).

  • Block the latest threats with our Web Application Firewall (WAF).

  • Mitigate attacks with robust Content Security Policy headers.

  • Peer review code changes before being merged to a protected main.

  • Run-time monitoring and detection for application exploits.

  • DDoS mitigation at both the application layer (CDN provider) and the network layer (cloud service provider).

  • Data is encrypted at rest and in transit using known strong protocols and ciphers.

  • Access to data is reviewed and authorized. 

  • Authentication uses 2FA with phishing-resistant hardware. 

  • Hosted on reputable cloud services provider, Amazon Web Services (AWS).

  • Peer reviews of infrastructure changes, Infrastructure as Code vulnerability security scans, Compliance as Code compliance scans, and quick recovery for failover with Infrastructure as Code.

  • Anomaly detection supported by GuardDuty as well as third-party security services from trusted vendors.

  • Cloud Security Posture Management deployed and informs on vulnerabilities and misconfigurations.

  • Vulnerability management process to mitigate vulnerabilities in a timely manner.

  • DNSSEC to help prevent domain spoofing.

  • Deployed security tooling to detect and protect.

  • Devices centrally managed with MDM with known hardened security configurations, such as firewalls, patching, and encryption. 

  • Endpoints protected with endpoint detection and response capabilities to monitor for malicious activity and associated chain of events. 

  • Filter malicious requests that could harm employees (or our company) with Advanced DNS Filtering on endpoints and endpoint network protections.


Vulnerability Disclosure Program

Subtitle Goes Here

We host a private bug bounty program on the HackerOne platform. Please contact [email protected] if you would like to be invited to the program. For other urgent reports, please follow our responsible disclosure policy.

Our #1 Customer

Since day one we’ve used Drata to achieve and maintain compliance

Drata is committed to complying with the highest standards, including:

Since Day One

Trusted by the Best

Security, Automated

An automation-led approach gives us 24/7 confidence in our security and compliance posture, while fostering a culture of trust.


Continuous Compliance

Quis nostrud (Subtitle)

We monitor 100+ security controls and work with auditors and security experts to ensure automated tests are accurate.

Automated Detection & Response

Automated Detection & Response

We use best-in-class services and tools to provide 24/7 automated detection and response capabilities.

DevSecOps Forward

DevSecOps Forward

Security checks are baked into our software development lifecycle and secure baselines are automatically enforced.

Zero Trust

Zero Trust

We're a remote-first, cloud-native company, and have designed our networks and access controls with Zero Trust principles.

Phishing Resistance MFA

Phishing Resistance MFA

We use the Web Authentication API (WebAuthn) multi-factor standard to protect authentication to sensitive systems.

Red Team Testing

Red Team Testing

We conduct red team testing both internally and with third parties to best identify security gaps.


Trusted Sub-Processors

We’re only as strong as our weakest link. See which authorized third-party vendors Drata partners with, and view their security posture in the Sub-Processors page of our Trust Center.