// Trust & Security Report
Vena Solutions Inc.
Excel-native FP&A (financial planning & analysis) platform: Complete Planning core (modeling, budgeting, close/consolidation, reporting), plus add-ons Vena Copilot for FP&A (AI agent/Microsoft Teams integration), Vena Insights (Power BI analytics), Vena for PowerPoint, and the newly-acquired Acterys (Microsoft-native Orchestrated Planning).
Certifications held
3
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on venasolutions.com“Vena has successfully completed SOC 1 and SOC 2 Type II audits for our platform which were performed by Deloitte LLP... conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA).”
Verify on venasolutions.com“Vena completes annual SOC 1 and SOC 2 Type II audits conducted by Deloitte per AICPA standards.”
Verify on venasolutions.com“Vena has earned the TRUSTe Enterprise Privacy Certification, which demonstrates that they have met the requirements of the TRUSTe Enterprise Privacy & Data Governance Practices Certification Assessment Criteria.”
> Show 6 unconfirmed / not-held certifications
source: venasolutions.comVena operates only in AWS or Azure data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1. (This is the cloud host's certification, not a statement that Vena itself holds ISO 27001.) A third-party auditor blog (tempoaudits.com, not Vena's domain) separately claims Vena 'has successfully achieved their ISO 27001 certification,' which conflicts with Vena's own site language and cannot be used as vendor-domain proof.
source: venasolutions.comVena operates only in AWS or Azure data centers that have been certified as ISO 27001 and PCI/DSS Service Provider Level 1 (host-level certification of the underlying cloud infrastructure, not stated as Vena's own PCI DSS attestation).
source: venasolutions.comNo public evidence on Vena's own domain. 'HIPAA' does not appear on the trust page (venasolutions.com/trust) or the security-and-compliance capabilities page; third-party review/aggregator sites reference HIPAA in passing but this is not corroborated by a Vena-hosted trust/security page.
source: venasolutions.comVena is a Trusted Cloud Provider Member with the Cloud Security Alliance (CSA) -- this is a CSA membership/badge, not the formal CSA STAR (Security, Trust, Assurance and Risk) registry certification, and no STAR registry listing was found.
source: venasolutions.comNo public evidence on Vena's own domain of ISO 42001 or an equivalent AI-governance certification.
source: venasolutions.comNo public evidence of FedRAMP authorization on Vena's own domain.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Vena Hubs hosted in Canada, United States, or EU cloud regions; nightly backups stored within the same geography to maintain data residency (AWS S3 / Azure Blob Storage).
Vena's AI marketing page states customer data is not used 'to train publicly accessible models' and that Azure OpenAI models 'will not be used to train other AI models.' However, Vena's own AI Terms Addendum states: 'Vena may collect and use usage data, including Service Learnings, in respect of Subscriber's interactions with and/or use of the AI Features, to develop, improve and provide the AI Features,' with monitoring of Inputs/Outputs and no opt-out mechanism described. Net: Vena does not train third-party/public LLMs on customer data, but does use subscriber usage data ('Service Learnings') to improve its own AI Features, with no publicly documented opt-out.
// Security controls
Encryption in transit
All communications to Vena's cloud environment leverage TLS 1.2 encryption or higher.
venasolutions.comEncryption at rest
All data is encrypted at rest using AES 256-bit or stronger encryption; private keys managed via AWS Key Management Service.
venasolutions.comSSO / MFA
SAML 2.0 Single Sign-On available; multi-factor authentication optional; IP restriction functionality optional.
venasolutions.comSub-processors
Publicly listed sub-processors page (28 as of May 2024) including AWS, Azure, Zendesk, Salesforce, and AI services such as Claude and ChatGPT Enterprise; SCCs / UK IDTA used for international personal-data transfers.
venasolutions.comHistorical SOC-report integrity incident (disclosed by a customer, not Vena's own trust page)
In 2022, Nasdaq-listed customer Verra Mobility alleged in an SEC 10-K filing that Vena personnel 'falsely asserted' a SOC 1 Type II report had been independently audited when it had allegedly been prepared internally. Vena confirmed 'an issue relating to SOC reports' in Feb 2022, said there was 'no compromise of our production environment,' and stated it notified affected parties and took remediation steps; specifics of remediation and customer impact were not disclosed publicly. Vena's current site attributes ongoing SOC 1/SOC 2 Type II audits to independent auditor Deloitte LLP.
betakit.com// Products & data scope
data: Enterprise financial data: budgets, forecasts, actuals, GL/ERP-sourced financial data, HR/workforce planning data via integrations
Core SaaS platform; primary subject of SOC 1/SOC 2 Type II audits and the trust center.
data: Same financial data as core platform, surfaced via natural-language queries; inherits CubeFLEX permissions
Uses Azure OpenAI models per marketing copy ('will not be used to train other AI models'), but the AI Terms Addendum permits use of subscriber 'Service Learnings' to improve Vena's own AI Features, with no documented opt-out.
data: Same underlying planning/reporting data, visualized
Add-on product, no separate certification scope found.
data: Financial reporting data surfaced into presentations
Add-on product.
data: Overlaps with FP&A planning data
Acquisition just completed per Vena's homepage ('Vena has completed its acquisition of Acterys'); no independent trust/security documentation for Acterys was found yet on Vena's domain -- treat as a distinct product pending its own compliance posture until integration is documented.
// What to watch
- Historical integrity incident: a 2022 customer allegation (Verra Mobility, disclosed via SEC 10-K, reported by BetaKit) that Vena staff misrepresented a SOC 1 report as independently audited. Vena has since attributed audits to Deloitte LLP on its current trust page, but the company itself has not published a public post-mortem; this should be disclosed as historical context, not treated as resolved without qualification.
- ISO 27001 ambiguity: Vena's own trust/security pages state only that its AWS/Azure data centers are ISO 27001 certified (host-level), while a non-vendor third-party auditor site (tempoaudits.com) claims Vena itself achieved ISO 27001 -- these conflict and could not be resolved from vendor-domain evidence, so graded held=false pending vendor-domain confirmation.
- Identity-conflation risk: a separate, unrelated company operates 'Vena | AI Powered Medical Scribe' at landing.venahealth.app. This is NOT Vena Solutions (the FP&A vendor assessed here) and must not be conflated in the AIFOXX listing.
- AI-training nuance vs. marketing copy: Vena's AI marketing page emphasizes data is not used to train 'publicly accessible models,' but the AI Terms Addendum separately permits use of subscriber usage data ('Service Learnings') to improve Vena's own AI Features, with no publicly documented opt-out -- list both facts rather than only the marketing framing.
- No explicit self-serve Data Processing Agreement (DPA) link was found; only Standard Contractual Clauses / UK IDTA references on the sub-processors page. A DPA may be available on customer request but is not publicly published.
- HIPAA is referenced by third-party aggregator/review sites but not found anywhere on Vena's own trust center or security pages -- treat third-party HIPAA claims as unverified.
// At a glance
Pricing model
Not publicly listed; enterprise quote-based (Request Demo / sales-led), consistent with mid-market/enterprise FP&A SaaS positioning.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Vena Solutions Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
venasolutions.com