// Trust & Security Report

    Veracode, Inc. logo

    Veracode, Inc.

    Application Risk Management / AppSec platform covering Static Analysis (SAST), Dynamic Analysis (DAST), Software Composition Analysis (SCA, enhanced by the Phylum acquisition with malicious-package detection for npm/PyPI), Pipeline Scan (CI/CD), Infrastructure-as-Code scanning, Manual Penetration Testing, and Veracode Fix (AI-powered vulnerability remediation).

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Veracode has received a SOC 2 Type II attestation report, verifying that we have implemented effective controls to protect the security, availability, and confidentiality of customer data in accordance with the AICPA's Trust Services Criteria.

    Verify on veracode.com
    ISO/IEC 42001:2023 (AI management system)
    HELD

    ISO/IEC 42001:2023 (listed in the Compliance section of the Veracode Trust Center)

    Verify on trust.veracode.com
    GDPR (compliance posture)
    HELD

    Veracode, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles; GDPR is also listed in the Trust Center compliance section.

    Verify on veracode.com
    FedRAMP
    HELD

    On March 5, 2022, Veracode received a FedRAMP Moderate Authority to Operate (ATO) from the U.S. Securities and Exchange Commission (SEC)... requires compliance with over 300 security controls aligned with NIST SP 800-53 Rev. 5. (Note: the Trust Center separately lists this as 'FedRAMP Certified Class C' - terminology is inconsistent across the two vendor pages; both confirm FedRAMP authorization.)

    Verify on veracode.com
    NIST SP 800-53 Rev. 5 (control alignment)
    HELD

    NIST 800-53 Rev. 5 (listed in the Compliance section of the Veracode Trust Center; also referenced as the control baseline for Veracode's FedRAMP ATO)

    Verify on trust.veracode.com
    GovRAMP
    HELD

    GovRAMP (listed in the Compliance section of the Veracode Trust Center)

    Verify on trust.veracode.com
    TX-RAMP Level 2
    HELD

    TX-RAMP Level 2 (listed in the Compliance section of the Veracode Trust Center)

    Verify on trust.veracode.com
    > Show 4 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence Veracode itself holds ISO 27001 certification. Veracode's Trust Center compliance list (FedRAMP Certified Class C, GDPR, SOC 2, GovRAMP, ISO/IEC 42001:2023, NIST 800-53 Rev. 5, TX-RAMP Level 2) does not include ISO 27001. Vendor-domain content mentioning ISO 27001 only describes helping CUSTOMERS map evidence to ISO 27001/27002 controls for their own audits, not a Veracode certification.

    source: trust.veracode.com
    HIPAA
    NOT CONFIRMED

    No public evidence Veracode itself is HIPAA-certified or offers a signed BAA as a covered entity/business associate. Vendor-domain content (Developer's Guide to HIPAA Compliance, HIPAA Vulnerabilities Prevention Guide, Meet Compliance Requirements page) is guidance to help CUSTOMERS secure their own HIPAA-regulated applications, not a statement that Veracode is HIPAA compliant itself.

    source: veracode.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found on Veracode's own domain that Veracode itself holds a PCI DSS attestation. PCI DSS appears only as a compliance framework Veracode's tooling helps customers report against.

    source: trust.veracode.com
    CSA STAR
    NOT CONFIRMED

    No public evidence / not listed on the Veracode Trust Center compliance section or certifications page.

    source: trust.veracode.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary processing in the United States. EU/EEA/Swiss/UK personal data is transferred to the US and other countries under Veracode's EU-U.S. Data Privacy Framework self-certification and Standard Contractual Clauses, per the Privacy Statement.

    For Veracode Fix (the AI remediation feature), vendor product pages state: 'Fix delivers reliable, expert-reviewed solutions without storing your code' and that Fix 'is trained on a highly-curated, proprietary dataset' rather than customer code, and does not retain customer code. This is a product-level assurance for Veracode Fix specifically; no blanket, company-wide AI-training policy statement covering every product/feature was found in the main Privacy Statement itself.

    // Security controls

    SOC 2 Type II attestation

    Independent AICPA Trust Services Criteria audit covering security, availability, and confidentiality; full report gated behind a Trust Center access request.

    veracode.com

    FedRAMP authorization

    FedRAMP Moderate Authority to Operate (sponsor: U.S. SEC, granted March 5, 2022); also shown on Trust Center as 'FedRAMP Certified Class C'.

    veracode.com

    NIST SP 800-53 Rev. 5 control alignment

    Over 300 security controls aligned with NIST SP 800-53 Rev. 5 as part of the FedRAMP authorization.

    veracode.com

    EU-U.S. Data Privacy Framework self-certification

    Veracode, Inc. self-certified to the U.S. Department of Commerce as adhering to the DPF Principles (notice, choice, onward transfer, security, data integrity, access, enforcement).

    veracode.com

    Responsible disclosure / vulnerability reporting

    Published Responsible Disclosure Policy for reporting security issues in Veracode's own products.

    veracode.com

    // Products & data scope

    Veracode Static Analysis (SAST)Application security testing

    data: Source code, compiled binaries, or hybrid uploads for scanning

    Also offered as Pipeline Scan for CI/CD/IDE integration with sub-90-second results.

    Veracode Dynamic Analysis (DAST)Application security testing

    data: Tests against a running/deployed web application

    Simulates real-world attacks against deployed configurations.

    Veracode SCASoftware composition analysis

    data: Open-source dependency manifests and packages

    Enhanced with Phylum (acquired January 2025) for ML-powered malicious-package detection and a package firewall for npm and PyPI.

    Veracode FixAI-powered vulnerability remediation

    data: Customer code snippets analyzed to generate fix suggestions in IDEs and pull requests

    Vendor states the underlying model is trained on Veracode's own curated dataset, not customer code, and that customer code is not retained/stored.

    Veracode Manual Penetration TestingHuman-led security testing

    data: Application/environment under test per engagement

    Delivered as a professional services engagement.

    Veracode for Government (FedRAMP-authorized offering)Public sector / regulated AppSec

    data: Federal agency application code and scan results

    FedRAMP-authorized product set reported to include static analysis, pipeline scan, eLearning, dynamic analysis, API scanning, and SCA.

    // What to watch

    • FedRAMP terminology is inconsistent across Veracode's own pages: the certifications page describes a 'FedRAMP Moderate Authority to Operate (ATO)' (SEC-sponsored, March 2022) while the Trust Center badge reads 'FedRAMP Certified Class C'. Both vendor-domain sources confirm FedRAMP authorization, but the exact current authorization level/class should be re-confirmed directly with Veracode before quoting to a customer.
    • Marketing/blog content on veracode.com repeatedly references ISO 27001, HIPAA, and PCI DSS in the context of helping CUSTOMERS meet those frameworks for their own applications. This is not evidence that Veracode itself holds ISO 27001 certification or a HIPAA BAA - graded held=false for the vendor's own posture accordingly; avoid conflating 'helps you comply' language with 'is certified'.
    • Full SOC 2 report and other Trust Center documents (subprocessor list, cyber insurance, DPA) are gated behind a SafeBase 'Get Access' request; this assessment relies on Veracode's public marketing description of the SOC 2 scope, not the underlying report.
    • The 'no training on customer data' assurance was found only on Veracode Fix product pages, not as a company-wide AI-governance statement in the main Privacy Statement; if AIFOXX lists this as a blanket company policy it should be scoped explicitly to Veracode Fix.

    // At a glance

    Pricing model

    Enterprise quote-based licensing via demo/sales contact; no public self-serve pricing found in evidence.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Veracode, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.veracode.com

    > Browse all vendor trust reports