|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Jan. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Information Security Management System
We maintain a comprehensive Information Security Management System (ISMS) that is designed to ensure the confidentiality, integrity, and availability of customer data, corporate data (such as intellectual property or source code), employee data, and our systems. Our ISMS is founded on the following industry-leading and regulatory standards:
• ISO 9001:2015 – Quality Management Systems
• ISO/IEC 27001:2013 – Information Security Management
• SOC2 Type II – System and Organization Controls
• SEI Capability Maturity Model Integration (v1.3)
• IT Infrastructure Library (ITIL) version 3
• ICH Q9 – Quality Risk Management
We have achieved ISO 27001 certification for our ISMS, which is managed by our CISO. As a data processor, we are the custodian of customer information that can be both confidential and sensitive. We are also certified to ISO 27018 for privacy controls.
Critical elements of our ISMS include:
•Operational measures to monitor and respond to data breaches and cyberattacks. We have application, database, network, and resource monitoring in place that are designated to identify vulnerabilities, protect our applications, and alert incident response personnel. Security incidents are addressed by our Security Incident Management Policy, which includes a formal incident response process. We also provide a trust site that displays upcoming maintenance downtimes, data center incidents, and relevant security communications.
•Preventative measures to hinder or limit cyberattacks. We procure, develop, deploy, and maintain preventative solutions and follow preventative practices for our corporate IT and product engineering infrastructures, as well as the production infrastructure that processes our customer data. These solutions and practices include identity and access management, separation of duties, secure software development, network and data security, and system hardening.
•Vulnerability and penetration testing. We commission annual vulnerability and penetration testing of certain systems by industry-recognized, third-party security specialists. In addition, our software products undergo internal vulnerability testing using automated and manual methods prior to general availability.
•Training. We require role-based security and security awareness training. All employees receive annual training on our Code of Conduct and our Acceptable Use Policy, which establishes our commitment to protecting the confidential and proprietary information of our customers and partners. In addition, all new hires and contractors must undergo information security awareness training. Subsequent security awareness training is required annually for all active employees and contractors. Employees are trained to promptly report security incidents. Employees in certain roles (e.g., customer support representatives, developers, and hiring managers) receive more extensive data and application security training annually.
•Disaster recovery and business continuity. Our solutions are designed to help avoid single points of failure to reduce the chance of business disruption from security breaches, incidents, and other disruptions of systems. We maintain formally documented recovery processes that may be activated in the event of a significant business disruption of our corporate IT infrastructure or the production infrastructure that processes our customer data. We conduct testing, at least annually, to verify the validity of the recovery processes and provide reports on the test results for production infrastructure that processes our customer data to customers via access to a customer portal.
Process for Identifying Material Cybersecurity Incidents
Potentially material cybersecurity incidents are escalated according to our Security Incident Management Policy to a management response team comprising our EVP of Internal Operations, Chief Financial Officer, Chief Accounting Officer, General Counsel, Chief Privacy Officer, and Associate General Counsel (Corporate). Our Security Incident Management Policy is designed to inform the management response team about, and monitor, the prevention, detection, mitigation, and remediation of cybersecurity incidents. The management response team is responsible for timely determining materiality and overseeing the appropriate reporting of certain cybersecurity incidents.
Cybersecurity risks, including as a result of any previous cybersecurity incidents, have not materially affected and are not reasonably likely to materially affect our business strategy, results of operations, or financial condition. For additional information regarding risks from cybersecurity threats that we face, and regarding our likelihood of being materially affected by risks from cybersecurity threats, please see Item 1A, “Risk Factors”.
Supplier Management Program
Through our Supplier Management Program, we maintain procedures that specify requirements for the assessment of suppliers and contractors who provide services that may impact our product and process quality. These procedures allow us to identify risks from potential cybersecurity incidents associated with our use of products and services from these suppliers and ensure that there is an appropriate level of oversight of our vendors’ quality systems. We perform initial audits and then periodic, risk-based audits on our suppliers to ensure their products and services conform to our established quality standards.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management is integrated into our broader risk management framework. We have a security points of contact program, which embeds security experts into product development, services, and IT teams. In addition, a security council, chaired by our CISO, meets monthly to discuss the security program, security incidents, and ongoing program objectives. The council is comprised of senior leaders in product development, operations, security, quality, and services, and helps ensure that security remains a top priority across the enterprise.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors formed a Cybersecurity Committee to exercise oversight over our cybersecurity and privacy programs and controls for our products and our internal-use information technology. The Cybersecurity Committee is chaired by a director with cybersecurity expertise and board and executive experience at large technology companies. The Cybersecurity Committee receives reports from management on a regular basis on a range of topics, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives, incident reports from cybersecurity and privacy events, data privacy policies and procedures, and compliance with regulatory requirements and industry standards.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors formed a Cybersecurity Committee to exercise oversight over our cybersecurity and privacy programs and controls for our products and our internal-use information technology. The Cybersecurity Committee is chaired by a director with cybersecurity expertise and board and executive experience at large technology companies. The Cybersecurity Committee receives reports from management on a regular basis on a range of topics, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives, incident reports from cybersecurity and privacy events, data privacy policies and procedures, and compliance with regulatory requirements and industry standards.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Cybersecurity Committee receives reports from management on a regular basis on a range of topics, including the current cybersecurity landscape and emerging threats, the status of ongoing cybersecurity initiatives, incident reports from cybersecurity and privacy events, data privacy policies and procedures, and compliance with regulatory requirements and industry standards.
|Cybersecurity Risk Role of Management [Text Block]
|
Our day-to-day cybersecurity and technology risk management efforts, including oversight of our information security management system, are led by our EVP of Internal Operations, a member of our executive leadership team with over three decades of experience in the field, whose cybersecurity experience includes serving as our Chief Information Officer and in executive roles at other companies leading security, operations, audit, and compliance teams. Our Chief Information Security Officer (CISO), who has over two decades of experience in cybersecurity, including over five years at Veeva, reports to the EVP of Internal Operations and oversees our security team. Our CISO’s cybersecurity experience includes serving as a security architect and Director of Security Engineering at Veeva, and overseeing security, automation, and performance testing for other technology companies.
Cybersecurity risk management is integrated into our broader risk management framework. We have a security points of contact program, which embeds security experts into product development, services, and IT teams. In addition, a security council, chaired by our CISO, meets monthly to discuss the security program, security incidents, and ongoing program objectives. The council is comprised of senior leaders in product development, operations, security, quality, and services, and helps ensure that security remains a top priority across the enterprise.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our day-to-day cybersecurity and technology risk management efforts, including oversight of our information security management system, are led by our EVP of Internal Operations, a member of our executive leadership team with over three decades of experience in the field, whose cybersecurity experience includes serving as our Chief Information Officer and in executive roles at other companies leading security, operations, audit, and compliance teams. Our Chief Information Security Officer (CISO), who has over two decades of experience in cybersecurity, including over five years at Veeva, reports to the EVP of Internal Operations and oversees our security team. Our CISO’s cybersecurity experience includes serving as a security architect and Director of Security Engineering at Veeva, and overseeing security, automation, and performance testing for other technology companies.
Cybersecurity risk management is integrated into our broader risk management framework. We have a security points of contact program, which embeds security experts into product development, services, and IT teams. In addition, a security council, chaired by our CISO, meets monthly to discuss the security program, security incidents, and ongoing program objectives. The council is comprised of senior leaders in product development, operations, security, quality, and services, and helps ensure that security remains a top priority across the enterprise.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Chief Information Security Officer (CISO), who has over two decades of experience in cybersecurity, including over five years at Veeva, reports to the EVP of Internal Operations and oversees our security team. Our CISO’s cybersecurity experience includes serving as a security architect and Director of Security Engineering at Veeva, and overseeing security, automation, and performance testing for other technology companies.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|We have a security points of contact program, which embeds security experts into product development, services, and IT teams. In addition, a security council, chaired by our CISO, meets monthly to discuss the security program, security incidents, and ongoing program objectives. The council is comprised of senior leaders in product development, operations, security, quality, and services, and helps ensure that security remains a top priority across the enterprise.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true