
Security at Drata

A security-first mindset that’s rooted in our core value of trust.

Report Security Issue

Responsible Disclosure Policy


Trust is Our Ethos

Drata was founded to help build trust across the internet by allowing companies to stand up and maintain their security posture. Security and compliance are at the core of what we provide, and they are also at the core of what we do. Drata works with independent experts to verify our own security, privacy, and compliance controls, and has achieved certification against stringent standards. Download our security whitepaper to learn more.

Visit our Trust Center

SOC 2 Type 2 Report

We work with an independent auditor to maintain a SOC 2 Type 2 report, which objectively certifies our controls to ensure the continuous security, availability, confidentiality, and integrity of our customers' data.

Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.


Stringent Security Controls

Drata continuously monitors 100+ security controls across the organization using its own automation platform. Automated alerts and evidence collection allow Drata to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.

3rd Party Pen Testing
Drata completes annual third-party penetration tests by a qualified assessor, as well as additional tests between major feature releases.
Annual Security Training
We’ve partnered with a leading security training company to cover 13 major topics for our employee training.
Phishing Testing
We simulate phishing exercises monthly with all staff using extremely realistic phishing emails.
Secure by Design
We use least privilege when connecting to customers’ environments, scoped to only what’s needed to satisfy the control.

Data Security, Privacy and Compliance

Being in the security and compliance automation business means holding our own internal programs to the highest of standards. The team at Drata is committed to achieving and maintaining the trust of our customers, partners, and employees through these efforts. If you have any compliance or privacy questions please contact us at [email protected].

SOC 2 Type II
Drata has achieved a SOC 2 Type II attestation from a certified auditor with no exceptions in the final report. We work with an AICPA-certified audit firm to evaluate our information security program and controls on an annual basis, and we continuously monitor those controls using the Drata platform.
General Data Protection Regulation (GDPR)

At Drata, we are strong supporters of privacy and we adhere to GDPR and other privacy regulations in everything we do. We as a processor will enter into a data processing addendum (DPA) with our customers that will include standard contractual clauses (SCC) around data transfers and data protection.
For more information, please visit our GDPR page or our subprocessors page. To make a removal request, please email [email protected].

California Consumer Privacy Act (CCPA)
Drata will accept any removal request from any location as long as it is a valid request made by a qualified party. If you have a removal request please email [email protected].
Consensus Assessments Initiative Questionnaire
Download Drata’s Consensus Assessments Initiative Questionnaire (CAIQ). This self-assessment offers an industry-accepted way to document which security controls exist in Drata’s SaaS platform. Download here.
ISO 27001

Drata has received its ISO/IEC 27001:2013 certification, adhering to the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Download here.


Web Application Firewall
Industry-leading Web Application Firewall with automatic updates to block the latest threats spotted around the world.

DNSSEC

DNSSEC to block DNS hijacking attacks. We take your access to Drata seriously and go in-depth, enabling every security measure we can.

DDoS Protection

Application-level DDoS protection from our CDN provider and network-level DDoS protection from our cloud provider.


Encryption in Transit and at Rest

TLS 1.2 minimum for data in transit and encryption at rest for all instances and databases.



AWS handles physical and virtual aspects as part of the shared responsibility model. Deployments with AWS Fargate limit our footprint and ensure a better security posture.

Infrastructure as Code

Infrastructure as code with Terraform allows peer-reviewed changes, template scanning for vulnerabilities, and quick recovery in case of outages.

Spoofing Protection

Network spoofing protection is enabled in our cloud provider, which prevents adversaries from spoofing traffic or ARP addresses.

Anomaly Detection

Drata uses a number of services for anomaly detection including GuardDuty as well as third party security services from trusted vendors.


Static Code Analysis
Every code merge has a static code analysis check done that must be passed before code can be merged to main.
Third Party Library Scanning
A leading third-party security solution scans all of our libraries to ensure we don’t have vulnerable libraries in the code base.
Credential Checking
We scan our codebase for credentials to ensure they aren’t accidentally merged into code.
Peer Reviewed Merges
All code is peer reviewed by a Senior Engineer before being merged to main.
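To make the credential check concrete, here is an added example of a pre-merge secret scanner. It is not Drata's tooling; the rule names, the `pragma: allowlist secret` marker, the file names and every sample line are constructed for the example (the AWS access key ID shown is the placeholder value from AWS documentation). It combines fixed patterns (AWS access key IDs, PEM private-key headers, hard-coded password assignments) with a Shannon-entropy check on long string literals, which catches tokens that no fixed pattern knows about.

```python
"""Pre-merge credential scan (added example, not Drata's own tooling).

Flags lines that look like committed secrets: AWS access key IDs, PEM
private-key headers, hard-coded password assignments, and high-entropy
string literals assigned to a variable. All file paths, rule names and
sample contents below are constructed for this example.
"""
import math
import re
from collections import Counter

# Fixed pattern rules: (rule name, compiled regex). The AWS access key ID
# format (AKIA followed by 16 upper-case alphanumerics) is publicly documented.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(password|passwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# A quoted literal of 20+ token-like characters assigned to a variable.
ASSIGNED_LITERAL = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*\s*=\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0   # bits per character; base64-like tokens sit above this
ALLOWLIST_MARKER = "pragma: allowlist secret"   # constructed opt-out marker


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str):
    """Return [(line_no, rule, excerpt)] for every suspicious line.

    Lines carrying the allowlist marker are skipped so that documented
    placeholder values and test fixtures do not block a merge. The entropy
    check only runs when no fixed rule already matched the line.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        matched = False
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append((line_no, rule, m.group(0)))
                matched = True
        if not matched:
            m = ASSIGNED_LITERAL.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high-entropy-literal", m.group(1)))
    return findings


def scan_files(files: dict) -> dict:
    """Map each path to its findings; paths with no findings are omitted."""
    report = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            report[path] = found
    return report


def merge_allowed(files: dict) -> bool:
    """The gate a CI job would enforce: no findings means the merge may proceed."""
    return not scan_files(files)


# Constructed sample "changed files" for a merge request.
SAMPLE_FILES = {
    "settings.py": (
        "# settings.py (constructed sample)\n"
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'API_TOKEN = "q7Zp2Lm9Xc4Vb8Nh3Jk6Ws1Rt5Yu0EfG"\n'
        'FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret\n'
        'GREETING = "Welcome to the dashboard, have a nice day"\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for line_no, rule, excerpt in found:
            print(f"{path}:{line_no}: {rule}: {excerpt}")
    print("merge allowed:", merge_allowed(SAMPLE_FILES))
```

The entropy threshold is the tuning knob: too low and ordinary identifiers get flagged, too high and short API tokens slip through, so a real pipeline pairs the scan with an allowlist that must be reviewed like any other code change.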


Mobile Device Management

All of our devices are centrally managed with policies around security, patching, and encryption enforced.

Endpoint Detection and Response

Drata uses the latest technology in endpoint security to identify potential threats. We go beyond anti-virus and use EDR to see malicious activity and the chain of events that led up to it.

Advanced Persistent Threat Detection

Many threat actors target specific companies. Drata combats this by using solutions that have ATP protections and 24/7 managed threat hunting capabilities.

DNS Filtering
We have implemented Advanced DNS Filtering on our endpoints to filter malicious requests that could harm our employees or infrastructure.


Bug Bounty Program

Drata hosts a private bug bounty program on the HackerOne platform. Please contact [email protected] if you would like to be invited to the program. For other urgent reports, please follow our responsible disclosure policy.
