A note from our CEO, Filip Kaliszan.

To our customers,

We founded Verkada five years ago to build the world’s safest and most sophisticated physical security systems. We saw shortcomings in the market and inefficiencies in how companies were trying to address their security concerns. We believed we could find the solution in better software, and we set out to build a system that would be easy to use, highly scalable, and fully secure out of the box.

From the beginning, we understood that video surveillance is a powerful tool and that privacy controls for our customers, their employees, and their clients would be paramount. That is exactly why we structured our business to give full data ownership to our customers and laid out a clear privacy framework. We have always aimed to strike the right balance between ensuring full control for our customers and maintaining just enough access to provide the best product and customer support.

But as the attack earlier this week showed, we fell short of our goals for ourselves and your expectations for us. We promised that you would have control, and this incident has shown us that we have failed to keep that promise – we are deeply sorry.

As co-founder and CEO, I want to assure you that everyone at Verkada is committed to keeping our promise. To do that, we have developed a plan to guide our work over the next 100 days–and beyond–as we redouble our efforts to strengthen the safeguards in our products and earn back your trust. And we have already started – here are some of the things we are doing right now:

• REFOCUSING OUR ENGINEERS – I have redirected our engineering team to make security, trust and privacy, their number one priority, effective immediately. We are also prioritizing the hiring of security engineers ahead of other technical roles.

• ENGINEERING SWAT TEAM – I am working with my senior team to identify a core group of engineers who can lead our work addressing any questions pertaining to privacy and security. I will meet weekly with this team, whose work will be directed by Kyle Randolph, Verkada CISO. Our goal is to work together to maintain and rebuild your trust, and to reinforce that our system is created to put and keep your data in your hands.

• ENGAGING THIRD-PARTY EXPERTS – We have engaged Mandiant and Perkins Coie to conduct a comprehensive review of the security of our systems, so we can better understand any issues and work to resolve them. Additionally we are considering partnerships with other third party firms & experts that can help with a comprehensive review of our systems.

• WEEKLY CUSTOMER WEBINARS – Starting at 11:00am on Wednesday March 17th, I will host weekly webinars to listen to customers and get a sense of your concerns while helping you identify and implement the best security practices for your systems.

The Next 100 Days

In addition to what we have already started, here is what we are looking to do over the next 100 days:

• ACCESS TRANSPARENCY – While we already have robust logging and audit capabilities, we will ensure that customers receive proactive notifications whenever their data is accessed by Verkada, including by our technical staff.

• GOVERNANCE PROGRAM – Establish strong checks and balances on our security program, including:

  • Security and Privacy Governance Committee including members of our executive team and CISO to review the progress on improving Verkada’s security program

  • Quarterly update by our CISO to the board of directors on the state of our security and privacy programs

  • Establish a compliance program building on our history of independent audits and progress towards a SOC 2 examination and report

• CUSTOMER CISO COUNCIL – Kyle Randolph, Verkada’s CISO, will create and lead a group of CISOs to advise Verkada on security procedures and protocols.

• REVIEWING OUR INTERNAL ACCESS MANAGEMENT – We will review our policies and procedures and identify new ways to strengthen our existing controls and add new levels of security, while identifying new ways to better practice the principle of least privilege, manage access privileges and to secure our system.

• CUSTOMER DATA GOVERNANCE TOOLS – We will build new capabilities to give you better visibility into how your data, account information and audit logs are protected, stored, accessed, retained, deleted and exported.

• LAUNCHING A BUG BOUNTY PROGRAM – We will launch a bug bounty program to incentivize engineers and security researchers to find, report and help resolve issues – strengthening our platform to prevent future issues.

• ENHANCED PENETRATION TESTING – While external firms and Verkada engineers have conducted penetration tests for years, we will increase both the number and scope of these penetration testing efforts.

• CHANGE AND CONFIGURATION MANAGEMENT - Reduce the potential for vulnerabilities to be introduced by continuing our adoption of configuration-as-code, automated testing, and separation of duty.

Lastly, I wanted to thank you for your partnership and look forward to engaging with you on the security and privacy work we have outlined above. We will continue to update you on this page and I encourage you to continue asking questions and providing us with feedback on what we can do better.