Security

Security and data protection, built into the platform

A GRC platform holds some of your most sensitive data, so the controls that protect it are part of the architecture — not features bolted on later. Here is how VeriGRC is built.

Security as architecture, not an afterthought

The controls below are how the platform is built today. They are described as engineering decisions — what is enforced and where — rather than promises of an outcome. No security control makes any system absolutely secure; what these do is reduce risk and keep activity accountable and reviewable.

How VeriGRC is built

Isolation, auditability, access control, and encryption — engineered into the platform.

Customer data isolation

Each customer organization's data is isolated at the database layer with row-level security, so separation is enforced below the application — helping prevent application errors or misconfigured queries from exposing data across organization boundaries.

Append-only audit logs

Critical activity is captured in append-only audit logs enforced below the application layer, so the history of key actions stays reviewable over time.

MFA for privileged access

Multi-factor authentication is required for privileged access, adding a second factor where it matters most.

Encrypted credentials at rest

Stored integration credentials are encrypted at rest using AES-256-GCM.

Signed webhooks

Outbound webhooks are signed with HMAC-SHA256, so a receiving system can verify that an event genuinely came from VeriGRC before acting on it.

Single sign-on (SAML / OIDC)

Where configured, customer organizations can use single sign-on via SAML or OpenID Connect.

Controlled auditor access

External auditors receive read-only, time-limited, revocable access to only the records they need, with every auditor action logged.

MFA for local accounts

Local-account users, including vendor users, complete MFA setup during registration and cannot sign in until it is configured.

Scoped vendor access

Vendor users see only the assigned assessments, requested evidence, or items they are invited to complete — not broad access to your organization's workspace.

Built to support your own program

The same platform that protects your data helps you run your program: signed events through secure integrations, framework work in compliance and control, evidence and controlled auditor access in audit and reporting, and vendor risk in third-party risk management. Explore the full platform.

Security — frequently asked questions

How does VeriGRC protect customer data?

Each customer organization's data is isolated at the database layer using row-level security, so separation is enforced below the application rather than left to application code alone. This helps prevent application errors or misconfigured queries from exposing data across organization boundaries.

Are audit logs tamper-resistant?

Critical activity is recorded in append-only audit logs enforced below the application layer, so the history of key actions is preserved and stays reviewable over time.

Does VeriGRC support single sign-on and MFA?

Yes. Where configured, customer organizations can use single sign-on via SAML or OpenID Connect, and multi-factor authentication is required for privileged access.

How is auditor access controlled?

External auditors are granted read-only, time-limited, revocable access to only the records they need to review, and every auditor action is logged — so external review never means handing over broad access to the platform.

Is VeriGRC certified to a specific standard?

VeriGRC does not claim a certification on this page. Contact us for the current status of any security reviews, certifications, or documentation available during evaluation.

Ready to consolidate your GRC stack?

Book a walkthrough and see third-party risk, compliance, and audit evidence on one platform.