Security is central to Viam’s design. Our platform safeguards data on machines and in the cloud with strict protection measures that can’t be disabled or evaded, while giving users full control over data governance.
Real usernames and passwords are required for both cloud and device access.
Encryption
Comprehensive encryption across all data and communications with no backdoors.
Compliance
SOC 2 Type 2 and HIPAA compliant, verified by independent auditors.
Data privacy
Viam does not use customer data to train generic AI or ML models. Your data remains entirely yours.
Compliance with global security standards
Viam’s processes are designed to meet various objectives required by service commitments as well as local and international laws, including the following regulations:
SOC 2 Type 2 auditing
Viam undergoes annual SOC 2 Type 2 audits to ensure security, availability, processing integrity, confidentiality, and privacy. Evaluated controls include, among others:
Employee background checks
Multi-factor authentication
Continuous security monitoring
Incident response procedures
Change management processes
Disaster recovery protections
Access controls
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA regulates US healthcare-related activities, driving stringent patient data security and privacy requirements. Viam undergoes annual HIPAA compliance audits. Evaluated controls include:
Restricting data access with predefined privileges and roles
Protecting against data disclosure, loss, or damage
Separation of duties for data access and processing
Recording activities of users, staff, and applications
GDPR (General Data Protection Regulation)
GDPR protects information privacy in the European Union, governing data collection, storage, processing, retention, and sharing for personal data. There is no official certification, but compliance is legally required, and any organization managing data within Europe can be held legally responsible for violations.
Viam adheres to GDPR through regular data protection impact assessments (DPIAs), contractual clauses for data processors, and detailed records of processing activities. This ensures compliance with requests for obtaining or erasing personal data.
CPRA (California Privacy Rights Act)
CPRA, similar to GDPR, sets stringent requirements for handling personal data of California residents, including data location, detailed records, and access controls. While both of these laws technically only apply to residents of their respective regions, Viam treats them as a standard to drive protection of user data globally.
Viam ensures compliance with GDPR and CPRA through:
Data encryption and strict access controls
Strict controls and authentication for database access by default
Proactive security management tools and incident response plans
Identity and access management to restrict employee access to data
Data loss prevention tools for resilience and disaster recovery
Tools for data discovery, retrieval, removal, and deletion
Solution architecture that prioritizes machine security
Viam's security architecture ensures compliance and robust protection. Secure keys are mandatory for access and use. Users must also create their own credentials before they can utilize the platform; no defaults are available. Connecting a machine to Viam involves the following steps:
1. Users connect to Viam using secure authentication. Admins control access to locations and machines.
2. Smart machines connect with Viam. Every smart machine uses a unique machine secret to connect with app.viam.com.
3. Smart machines connect with each other.
3A – Within a local network, machines use location certificates to establish TLS connections.
3B – Across the internet via WebRTC, machines share location secrets to connect within the same location.
4. Smart machines connect with client applications. Client applications use the same location secret to connect with machines locally or over the internet via WebRTC.
A shared responsibility model for data security
Viam follows a shared responsibility model for data security, outlining the roles of service providers and customers in securing a cloud environment.
While Viam monitors and responds to security threats related to the cloud and its infrastructure, customers are responsible for protecting data stored in the cloud, including tasks such as creating users and roles, selecting providers, enabling backups, performing audits, and providing encryption keys.
Reporting a security incident
If you find a serious security issue such as any of the following, please file a report via security@viam.com with the steps to reproduce:
Anything from the OWASP Top 10 Project
Database injection attacks
Authentication or session problems
Improper access to sensitive data
Cross-site scripting
Email spoofing, SPF, DKIM, or DMARC errors
Upon discovering a vulnerability, we ask that you work with us to close the vulnerability before disclosing it to others.
Viam does not offer bug bounties for discovered vulnerabilities. We hope that if you discover vulnerabilities you will share them with us so that we can improve the health of the overall internet ecosystem.