Latest Security Update
Verkada Command Achieves Cybersecurity Certifications: ISO 27001, 27017, and 27018
We are excited to share that the Verkada Command Platform has achieved cybersecurity and privacy certifications for the following standards governed by the International Organization for Standardization (ISO):
ISO 27001:2022 (information security management systems);
ISO 27017:2015 (information security controls for cloud services); and
ISO 27018:2019 (privacy controls for personally identifiable information (PII) in public clouds).
Completed Successful SOC 2 Type 2 Audit
Verkada Customers and Partners,
One way to ensure our data protection efforts remain strong is by undergoing a SOC 2 Type 2 audit. Conducted by an independent auditor and developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 2 compliance validates that Verkada is complying with industry standards in the design and performance of its controls for handling customer data securely.
Update on Log4j Vulnerability CVE-2021-44228
CVE-2021-44228 is a vulnerability in Log4j, a Java logging framework. Generally, Verkada products and services do not utilize Java or specifically Log4j. We have found some infrastructure components we have that may use Log4j. The components we’ve found are not exposed to the internet, and we are preparing to further mitigate with patching or configuration changes. We will provide an update here if this information changes materially.
Kyle Randolph
CISO, Verkada Inc.
Completed Successful SOC 2 Type 1 Audit
Verkada Customers and Partners,
One way to ensure our data protection efforts remain strong is by undergoing a SOC 2 Type 1 audit. Conducted by an independent auditor and developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type 1 compliance validates that Verkada is complying with industry standards in the design of its controls for handling customer data securely.
Security Update
Verkada Customers and Partners,
We want to inform you of a number of security-enhancing features we have released to help our customers have more visibility and control over how their Command platform is used.
100 Day Plan Update
Verkada Customers and Partners,
In the past few months following the March security incident, you — our customers and the Verkada community — have asked tough questions, provided helpful suggestions, and shown us patience and support. For that, we are extremely grateful. Today, we are sharing additional details regarding the projects we pursued over the 100 days after the incident as we redoubled our efforts to strengthen our systems and your trust in us.
Security Update
To our customers,
Two months ago, following a cyber incident, I launched a weekly webinar to address your questions and hear your concerns. These weekly forums helped provide timely updates, outline changes, and solicit your input and ideas for how we can improve our products and strengthen our security.
Security Update
Verkada Customers and Partners,
We’re writing to let you know that Mandiant — the external firm hired to conduct an independent review of our March 9th security incident — has concluded its investigation and confirmed that its findings are consistent with those from our own internal investigation. You can download the letter here.
Security Update
Verkada Customers –
We are writing to let you know that Verkada has concluded its own review of the security incident. While we wait for the final report from our outside forensic firm, Mandiant, we want to update you on our findings thus far.
Security Update
As we continue to talk to our customers, we want to provide an update and respond to questions we have received.
Addressing Your Concerns
Security Update
As part of our ongoing investigation, we have notified customers whose Verkada systems were accessed by the attackers.
If you have not been contacted, we want to let you know that currently available evidence shows no access to your organization’s image or video data by the attackers.
It is important to note that our investigation remains ongoing and we have engaged a third-party firm, Mandiant, to conduct their own investigation. If we discover that your organization’s image or video data was accessed, we will notify you promptly.
Kyle Randolph
CISO, Verkada Inc.
A note from our CEO, Filip Kaliszan.
To our customers,
We founded Verkada five years ago to build the world’s safest and most sophisticated physical security systems. We saw shortcomings in the market and inefficiencies in how companies were trying to address their security concerns. We believed we could find the solution in better software, and we set out to build a system that would be easy to use, highly scalable, and fully secure out of the box.
Security Update
To Our Verkada Customers –
Yesterday, we contacted you after learning that Verkada’s system was accessed by attackers. We want to share an update on the security of our system, the status of our investigation, and the steps we are taking to ensure the protection of our system and our customers.
Security Update
Dear Verkada Customers,
This morning we were made aware of a potential security incident involving unauthorized access of some of our products. Our internal security experts are actively investigating the matter.