// Trust & Security Report

    Vena Solutions Inc. logo

    Vena Solutions Inc.

    Excel-native FP&A (financial planning & analysis) platform: Complete Planning core (modeling, budgeting, close/consolidation, reporting), plus add-ons Vena Copilot for FP&A (AI agent/Microsoft Teams integration), Vena Insights (Power BI analytics), Vena for PowerPoint, and the newly-acquired Acterys (Microsoft-native Orchestrated Planning).

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 Type II
    HELD

    Vena has successfully completed SOC 1 and SOC 2 Type II audits for our platform which were performed by Deloitte LLP... conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA).

    Verify on venasolutions.com
    SOC 2 Type II
    HELD

    Vena completes annual SOC 1 and SOC 2 Type II audits conducted by Deloitte per AICPA standards.

    Verify on venasolutions.com
    TRUSTe Enterprise Privacy Certification
    HELD

    Vena has earned the TRUSTe Enterprise Privacy Certification, which demonstrates that they have met the requirements of the TRUSTe Enterprise Privacy & Data Governance Practices Certification Assessment Criteria.

    Verify on venasolutions.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Vena operates only in AWS or Azure data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1. (This is the cloud host's certification, not a statement that Vena itself holds ISO 27001.) A third-party auditor blog (tempoaudits.com, not Vena's domain) separately claims Vena 'has successfully achieved their ISO 27001 certification,' which conflicts with Vena's own site language and cannot be used as vendor-domain proof.

    source: venasolutions.com
    PCI DSS
    NOT CONFIRMED

    Vena operates only in AWS or Azure data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1 (host-level certification of the underlying cloud infrastructure, not stated as Vena's own PCI DSS attestation).

    source: venasolutions.com
    HIPAA
    NOT CONFIRMED

    No public evidence on Vena's own domain. 'HIPAA' does not appear on the trust page (venasolutions.com/trust) or the security-and-compliance capabilities page; third-party review/aggregator sites reference HIPAA in passing but this is not corroborated by a Vena-hosted trust/security page.

    source: venasolutions.com
    CSA STAR
    NOT CONFIRMED

    Vena is a Trusted Cloud Provider Member with the Cloud Security Alliance (CSA) -- this is a CSA membership/badge, not the formal CSA STAR (Security, Trust, Assurance and Risk) registry certification, and no STAR registry listing was found.

    source: venasolutions.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence on Vena's own domain of ISO 42001 or an equivalent AI-governance certification.

    source: venasolutions.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on Vena's own domain.

    source: venasolutions.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Vena Hubs hosted in Canada, United States, or EU cloud regions; nightly backups stored within the same geography to maintain data residency (AWS S3 / Azure Blob Storage).

    Vena's AI marketing page states customer data is not used 'to train publicly accessible models' and that Azure OpenAI models 'will not be used to train other AI models.' However, Vena's own AI Terms Addendum states: 'Vena may collect and use usage data, including Service Learnings, in respect of Subscriber's interactions with and/or use of the AI Features, to develop, improve and provide the AI Features,' with monitoring of Inputs/Outputs and no opt-out mechanism described. Net: Vena does not train third-party/public LLMs on customer data, but does use subscriber usage data ('Service Learnings') to improve its own AI Features, with no publicly documented opt-out.

    // Security controls

    Encryption in transit

    All communications to Vena's cloud environment leverage TLS 1.2 encryption or higher.

    venasolutions.com

    Encryption at rest

    All data is encrypted at rest using AES 256-bit or stronger encryption; private keys managed via AWS Key Management Service.

    venasolutions.com

    SSO / MFA

    SAML 2.0 Single Sign-On available; multi-factor authentication optional; IP restriction functionality optional.

    venasolutions.com

    Sub-processors

    Publicly listed sub-processors page (28 as of May 2024) including AWS, Azure, Zendesk, Salesforce, and AI services such as Claude and ChatGPT Enterprise; SCCs / UK IDTA used for international personal-data transfers.

    venasolutions.com

    Historical SOC-report integrity incident (disclosed by a customer, not Vena's own trust page)

    In 2022, Nasdaq-listed customer Verra Mobility alleged in an SEC 10-K filing that Vena personnel 'falsely asserted' a SOC 1 Type II report had been independently audited when it had allegedly been prepared internally. Vena confirmed 'an issue relating to SOC reports' in Feb 2022, said there was 'no compromise of our production environment,' and stated it notified affected parties and took remediation steps; specifics of remediation and customer impact were not disclosed publicly. Vena's current site attributes ongoing SOC 1/SOC 2 Type II audits to independent auditor Deloitte LLP.

    betakit.com

    // Products & data scope

    Vena Complete Planning (core platform)FP&A / Excel-native planning, budgeting, forecasting, close & consolidation

    data: Enterprise financial data: budgets, forecasts, actuals, GL/ERP-sourced financial data, HR/workforce planning data via integrations

    Core SaaS platform; primary subject of SOC 1/SOC 2 Type II audits and the trust center.

    Vena Copilot for FP&AAI agent / Microsoft Teams-integrated finance assistant

    data: Same financial data as core platform, surfaced via natural-language queries; inherits CubeFLEX permissions

    Uses Azure OpenAI models per marketing copy ('will not be used to train other AI models'), but the AI Terms Addendum permits use of subscriber 'Service Learnings' to improve Vena's own AI Features, with no documented opt-out.

    Vena InsightsSelf-serve analytics / Power BI dashboards

    data: Same underlying planning/reporting data, visualized

    Add-on product, no separate certification scope found.

    Vena for PowerPointData-driven presentation add-on

    data: Financial reporting data surfaced into presentations

    Add-on product.

    Acterys (recently acquired)Microsoft-native 'Orchestrated Planning' finance foresight platform

    data: Overlaps with FP&A planning data

    Acquisition just completed per Vena's homepage ('Vena has completed its acquisition of Acterys'); no independent trust/security documentation for Acterys was found yet on Vena's domain -- treat as a distinct product pending its own compliance posture until integration is documented.

    // What to watch

    • Historical integrity incident: a 2022 customer allegation (Verra Mobility, disclosed via SEC 10-K, reported by BetaKit) that Vena staff misrepresented a SOC 1 report as independently audited. Vena has since attributed audits to Deloitte LLP on its current trust page, but the company itself has not published a public post-mortem; this should be disclosed as historical context, not treated as resolved without qualification.
    • ISO 27001 ambiguity: Vena's own trust/security pages state only that its AWS/Azure data centers are ISO 27001 certified (host-level), while a non-vendor third-party auditor site (tempoaudits.com) claims Vena itself achieved ISO 27001 -- these conflict and could not be resolved from vendor-domain evidence, so graded held=false pending vendor-domain confirmation.
    • Identity-conflation risk: a separate, unrelated company operates 'Vena | AI Powered Medical Scribe' at landing.venahealth.app. This is NOT Vena Solutions (the FP&A vendor assessed here) and must not be conflated in the AIFOXX listing.
    • AI-training nuance vs. marketing copy: Vena's AI marketing page emphasizes data is not used to train 'publicly accessible models,' but the AI Terms Addendum separately permits use of subscriber usage data ('Service Learnings') to improve Vena's own AI Features, with no publicly documented opt-out -- list both facts rather than only the marketing framing.
    • No explicit self-serve Data Processing Agreement (DPA) link was found; only Standard Contractual Clauses / UK IDTA references on the sub-processors page. A DPA may be available on customer request but is not publicly published.
    • HIPAA is referenced by third-party aggregator/review sites but not found anywhere on Vena's own trust center or security pages -- treat third-party HIPAA claims as unverified.

    // At a glance

    Pricing model

    Not publicly listed; enterprise quote-based (Request Demo / sales-led), consistent with mid-market/enterprise FP&A SaaS positioning.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Vena Solutions Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    venasolutions.com

    > Browse all vendor trust reports