// Trust & Security Report
Veracode, Inc.
Application Risk Management / AppSec platform covering Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA, enhanced by the Phylum acquisition with malicious-package detection for npm/PyPI), Pipeline Scan (CI/CD), Infrastructure-as-Code scanning, Manual Penetration Testing, and Veracode Fix (AI-powered vulnerability remediation).
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on veracode.com“Veracode has received a SOC 2 Type II attestation report, verifying that we have implemented effective controls to protect the security, availability, and confidentiality of customer data in accordance with the AICPA's Trust Services Criteria.”
Verify on trust.veracode.com“ISO/IEC 42001:2023 (listed in the Compliance section of the Veracode Trust Center)”
Verify on veracode.com“Veracode, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles; GDPR is also listed in the Trust Center compliance section.”
Verify on veracode.com“On March 5, 2022, Veracode received a FedRAMP Moderate Authority to Operate (ATO) from the U.S. Securities and Exchange Commission (SEC)... requires compliance with over 300 security controls aligned with NIST SP 800-53 Rev. 5. (Note: the Trust Center separately lists this as 'FedRAMP Certified Class C' - terminology is inconsistent across the two vendor pages; both confirm FedRAMP authorization.)”
Verify on trust.veracode.com“NIST 800-53 Rev. 5 (listed in the Compliance section of the Veracode Trust Center; also referenced as the control baseline for Veracode's FedRAMP ATO)”
Verify on trust.veracode.com“GovRAMP (listed in the Compliance section of the Veracode Trust Center)”
Verify on trust.veracode.com“TX-RAMP Level 2 (listed in the Compliance section of the Veracode Trust Center)”
> Show 4 unconfirmed / not-held certifications
source: trust.veracode.comNo public evidence Veracode itself holds ISO 27001 certification. Veracode's Trust Center compliance list (FedRAMP Certified Class C, GDPR, SOC 2, GovRAMP, ISO/IEC 42001:2023, NIST 800-53 Rev. 5, TX-RAMP Level 2) does not include ISO 27001. Vendor-domain content mentioning ISO 27001 only describes helping CUSTOMERS map evidence to ISO 27001/27002 controls for their own audits, not a Veracode certification.
source: veracode.comNo public evidence Veracode itself is HIPAA-certified or offers a signed BAA as a covered entity/business associate. Vendor-domain content (Developer's Guide to HIPAA Compliance, HIPAA Vulnerabilities Prevention Guide, Meet Compliance Requirements page) is guidance to help CUSTOMERS secure their own HIPAA-regulated applications, not a statement that Veracode is HIPAA compliant itself.
source: trust.veracode.comNo public evidence found on Veracode's own domain that Veracode itself holds a PCI DSS attestation. PCI DSS appears only as a compliance framework Veracode's tooling helps customers report against.
source: trust.veracode.comNo public evidence / not listed on the Veracode Trust Center compliance section or certifications page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary processing in the United States. EU/EEA/Swiss/UK personal data is transferred to the US and other countries under Veracode's EU-U.S. Data Privacy Framework self-certification and Standard Contractual Clauses, per the Privacy Statement.
For Veracode Fix (the AI remediation feature), vendor product pages state: 'Fix delivers reliable, expert-reviewed solutions without storing your code' and that Fix 'is trained on a highly-curated, proprietary dataset' rather than customer code, and does not retain customer code. This is a product-level assurance for Veracode Fix specifically; no blanket, company-wide AI-training policy statement covering every product/feature was found in the main Privacy Statement itself.
// Security controls
SOC 2 Type II attestation
Independent AICPA Trust Services Criteria audit covering security, availability, and confidentiality; full report gated behind a Trust Center access request.
veracode.comFedRAMP authorization
FedRAMP Moderate Authority to Operate (sponsor: U.S. SEC, granted March 5, 2022); also shown on Trust Center as 'FedRAMP Certified Class C'.
veracode.comNIST SP 800-53 Rev. 5 control alignment
Over 300 security controls aligned with NIST SP 800-53 Rev. 5 as part of the FedRAMP authorization.
veracode.comEU-U.S. Data Privacy Framework self-certification
Veracode, Inc. self-certified to the U.S. Department of Commerce as adhering to the DPF Principles (notice, choice, onward transfer, security, data integrity, access, enforcement).
veracode.comResponsible disclosure / vulnerability reporting
Published Responsible Disclosure Policy for reporting security issues in Veracode's own products.
veracode.com// Products & data scope
data: Source code, compiled binaries, or hybrid uploads for scanning
Also offered as Pipeline Scan for CI/CD/IDE integration with sub-90-second results.
data: Tests against a running/deployed web application
Simulates real-world attacks against deployed configurations.
data: Open-source dependency manifests and packages
Enhanced with Phylum (acquired January 2025) for ML-powered malicious-package detection and a package firewall for npm and PyPI.
data: Customer code snippets analyzed to generate fix suggestions in IDEs and pull requests
Vendor states the underlying model is trained on Veracode's own curated dataset, not customer code, and that customer code is not retained/stored.
data: Application/environment under test per engagement
Delivered as a professional services engagement.
data: Federal agency application code and scan results
FedRAMP-authorized product set reported to include static analysis, pipeline scan, eLearning, dynamic analysis, API scanning, and SCA.
// What to watch
- FedRAMP terminology is inconsistent across Veracode's own pages: the certifications page describes a 'FedRAMP Moderate Authority to Operate (ATO)' (SEC-sponsored, March 2022) while the Trust Center badge reads 'FedRAMP Certified Class C'. Both vendor-domain sources confirm FedRAMP authorization, but the exact current authorization level/class should be re-confirmed directly with Veracode before quoting to a customer.
- Marketing/blog content on veracode.com repeatedly references ISO 27001, HIPAA, and PCI DSS in the context of helping CUSTOMERS meet those frameworks for their own applications. This is not evidence that Veracode itself holds ISO 27001 certification or a HIPAA BAA - graded held=false for the vendor's own posture accordingly; avoid conflating 'helps you comply' language with 'is certified'.
- Full SOC 2 report and other Trust Center documents (subprocessor list, cyber insurance, DPA) are gated behind a SafeBase 'Get Access' request; this assessment relies on Veracode's public marketing description of the SOC 2 scope, not the underlying report.
- The 'no training on customer data' assurance was found only on Veracode Fix product pages, not as a company-wide AI-governance statement in the main Privacy Statement; if AIFOXX lists this as a blanket company policy it should be scoped explicitly to Veracode Fix.
// At a glance
Pricing model
Enterprise quote-based licensing via demo/sales contact; no public self-serve pricing found in evidence.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Veracode, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.veracode.com