What information is available in ComplianceDocs?

Validation documentation related to our products, Operations reports (DR, Pen test, SOC report), and Informational Documents (e.g., regulatory assessments, Veeva Process Overviews, Veeva certifications).

See Veeva Compliance Docs Overview (QV-04100) and Veeva Audit Documentation Distribution List (QV-01377).

All referenced documents can be searched in the repository by title or QV number. Ensure ‘All Documents’ is selected for the search.

Links in this FAQ point to the ComplianceDocs reading room. Links in all documents point to Veeva’s internal EDMS, which you will not be able to access.

As the ComplianceDocs reading room is a satellite repository, the associated metadata is not applicable to the master EDMS document; the version and approval date are on the footer of each rendered document.

Is Veeva certified against established standards?

Veeva is certified to ISO 9001, ISO 14001, and ISO 27001 (ISO 27017/ISO 27018), and is subject to an annual SOC2 Type II attestation. Certificates and reports are located here.

Have Veeva products been assessed for regulatory compliance?

Refer to Veeva Process Program Overview (QV-11211) for a high level description of Veeva’s core process and program overviews.

Veeva monitors global regulations and document interpretations for their impact on the business and applicable alignment. The following is a selection of assessments available in ComplianceDocs:

  • FDA 21CFR11 Compliance Assessment (QV-00503)
  • EU Annex 11 Compliance Assessment (QV-00451)
  • Japan ERES Compliance Assessment (QV-03505)
  • Commercial Products - Regulatory Assessment (QV-01183)
  • Network MDM - Regulatory Assessment (QV-06728)
  • HIPAA Security Standards Compliance Assessment (QV-05382)
  • Vault Data Integrity Controls Assessment (QV-04400)

Does Veeva operate under a Quality Management System and have an independent Quality Unit?

Veeva’s approach to Quality Management is outlined in the Veeva QMS Program Overview (QV-04446).

Veeva is certified to ISO 9001.

What is Veeva’s Software Development (SDLC) process?

Veeva’s approach to design, development, testing, and release management is defined in Veeva’s SDLC Program Overview (QV-04681).

Are releases validated by Veeva?

Information regarding the type of release is available in Vault Help.

Validation Packages are made available for CRM, Network MDM, Vault, Vault Safety, Vault CDMS, Vault CP, Digital Trials Platform and RTSM.

All releases to GXP production systems follow the same change management process outlined in Veeva QMS Program Overview (QV-04446).

What is Veeva’s Computer System Validation (CSV) approach?

Veeva’s approach to CSV is defined in Veeva’s CSV Program Overview (QV-04447).

The Detailed ERES Trace Assessment for Vault (QV-01752) correlates Vault ERES related features to their corresponding regulatory section (e.g. 21CFR Part 11, EU Annex 11).

What does the Product Architecture look like?

Refer to the System Overview document in the latest Validation Pack for your application.

Where is my data stored?

Veeva’s AWS regions are described in Veeva’s Technical Operations Overview (QV-05377).

Further information can be found in IT Infrastructure Controls AWS (QV-06315).

How is my data backed up and how is disaster recovery (DR) managed?

Veeva’s backup and disaster recovery (DR) processes are described in Veeva’s Technical Operations Overview (QV-05377).

Evidence of testing of disaster recovery is published twice yearly in the DR Testing Summaries Tab. These reports define the test steps for failover and the outcome of the test. Each production POD is tested for failover once per year.

How does Veeva manage Information Security?

Refer to Veeva’s ISMS Overview (QV-10815).

Veeva’s infrastructure security is described in Veeva’s Technical Operations Overview (QV-05377).

See also the Vault Data Integrity Controls Assessment (QV-04400) and the HIPAA Security Standards Compliance Assessment (QV-05382).

ISO Certificates and SOC reports are located here.

Penetration Test Summary Reports are published yearly in the Veeva Operational Reports Tab.

How does Veeva manage Data Privacy?

In addition to the ISMS references listed above, for Data Privacy please refer to https://www.veeva.com/privacy/.

What reports does Veeva provide to support my periodic review of the system?

The following reports are published under the Operations Reports tab.

| Process Report | Description | Frequency |
|---|---|---|
| Performance Monitoring Report | System performance from 12 geographic regions. | Quarterly |
| Availability Report | Calculation of uptime metrics. | Quarterly |
| Disaster Recovery Postmortem | Summary of disaster recovery failover tests and backup recovery process. | Biannually* |
| Penetration Test Summary | Summary of independent third-party penetration/vulnerability testing on products and corporate networks. | Annually |

*Each production POD is subject to an annual DR test exercise.

Where can I find copies of the SOPs referenced? Can I audit Veeva?

Veeva Policies, Procedures, and Work Instructions are labelled as Company Confidential & Internal Use; they are only made available during a formal audit of Veeva.

Veeva is committed to supporting its customers’ regulatory obligation to perform due diligence on all GxP impacting services and software. As such, Veeva has established and staffed a customer audit program to facilitate and respond to customer audit requests.

Consult the Veeva Customer Audit Program Overview (QV-18329). To request an audit of Veeva, contact audits@veeva.com or your Veeva Account Partner. (audits@veeva.com is solely for requests for a formal audit of Veeva by your organization.)

How does Veeva manage its key suppliers?

Refer to Veeva’s Supplier Management Program Overview (QV-09641).

Can Veeva support regulatory audits of its customers?

Consult the Customer Inspection Support Program Overview (QV-33760).

Customer’s war room (backroom) staff should be conversant in documents at their disposal in this repository.

Please notify your Account Partner/Customer Success Manager of the dates of your upcoming regulatory inspection.

Ensure any email communication for support with regulator questions is marked Urgent Inspection Action Required.

Veeva’s QAU provide this support for Regulatory Inspections only. Veeva’s QAU do not support other audits such as Sponsor Audits, Internal Audits, Corporate Quality Audits etc.