Security, privacy & compliance

Security by default, on-device and in the cloud.

Security is central to Viam’s design. Our platform safeguards data on machines and in the cloud with strict protection measures that can’t be disabled or evaded, while giving users full control over data governance.

Key pillars of Viam’s security framework

Authentication

Real usernames and passwords that must be used for both cloud and device access.

Encryption

Comprehensive encryption across all data and communications with no backdoors.

Compliance

SOC 2 Type 2 and HIPAA compliant, verified by independent auditors.

Data privacy

Viam does not use customer data to train generic AI or ML models. Your data remains entirely yours.

Compliance with global security standards

Viam’s processes are designed to meet various objectives required by service commitments as well as local and international laws, including the following regulations:

SOC 2 Type 2 auditing

Viam undergoes annual SOC 2 Type 2 audits to ensure security, availability, processing integrity, confidentiality, and privacy. Evaluated controls include, among others:
  • Employee background checks
  • Multi-factor authentication
  • Continuous security monitoring
  • Incident response procedures
  • Change management processes
  • Disaster recovery protections
  • Access controls

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA regulates US healthcare-related activities, driving stringent patient data security and privacy requirements. Viam undergoes annual HIPAA compliance audits. Evaluated controls include:
  • Restricting data access with predefined privileges and roles
  • Protecting against data disclosure, loss, or damage
  • Separation of duties for data access and processing
  • Recording activities of users, staff, and applications

GDPR (General Data Protection Regulation)

GDPR protects information privacy in the European Union, governing data collection, storage, processing, retention, and sharing for personal data. There is no official certification, but compliance is legally required, and any organization managing data within Europe can be held legally responsible for violations.
Viam adheres to GDPR through regular data protection impact assessments (DPIAs), contractual clauses for data processors, and detailed records of processing activities. This ensures compliance with requests for obtaining or erasing personal data.

CPRA (California Privacy Rights Act)

CPRA, similar to GDPR, sets stringent requirements for handling personal data of California residents, including data location, detailed records, and access controls. While both of these laws technically only apply to residents of their respective regions, Viam treats them as a standard to drive protection of user data globally.
Viam ensures compliance with GDPR and CPRA through:
  • Data encryption and strict access controls
  • Strict controls and authentication for database access by default
  • Proactive security management tools and incident response plans
  • Identity and access management to restrict employee access to data
  • Data loss prevention tools for resilience and disaster recovery
  • Tools for data discovery, retrieval, removal, and deletion

Solution architecture that prioritizes machine security

Viam's security architecture ensures compliance and robust protection. Secure keys are mandatory for access and use. Users must also create their own credentials before they can utilize the platform; no defaults are available. Connecting a machine to Viam involves the steps shown in the image below:
A diagram of Viam's Security architecture
1. Users connect to Viam using secure authentication

Admins control access to locations and machines.

2. Smart machines connect with Viam

Every smart machine uses a unique machine secret to connect with app.viam.com.

3. Smart machines connect with each other

3A – Within a local network, machines use location certificates to establish TLS connections.

3B – Across the internet via WebRTC, machines share location secrets to connect within the same location.

4. Smart machines connect with client applications

Client applications use the same location secret to connect with machines locally or over the internet via WebRTC.

A shared responsibility model for data security

Viam follows a shared responsibility model for data security, outlining the roles of service providers and customers in securing a cloud environment.
While Viam monitors and responds to security threats related to the cloud and its infrastructure, customers are responsible for protecting data stored in the cloud, including tasks such as creating users and roles, selecting providers, enabling backups, performing audits, and providing encryption keys.

Reporting a security incident

Please report any suspected security incident to: security@viam.com

Security & compliance

At Viam, we understand that protecting your data is paramount. We believe security is so critical that we did not launch our public beta before implementing rigorous security protocols into the platform. Viam is SOC2 Type I and HIPAA compliant per independent auditors, and has been since the moment the beta launched. Viam is committed to continually improving our security and privacy features as the platform evolves, and to sharing advancements with customers.

With Viam, you have full governance of your smart machines: you control user access to Viam. Every smart machine has end-to-end encrypted communications with Viam’s platform, other smart machines, and the client applications they interact with.

Viam makes it easier than ever to do big things with smart machines, always with the confidence that security comes first.

SOC2 Type I

System and Organization Controls (SOC) Reports are the result of independent third-party audits that examine how Viam achieves key compliance controls and objectives. The Viam SOC 2 Security Type I report will help you and your auditors understand the Viam controls established to support data security, availability, confidentiality, privacy, and more.

HIPAA

For organizations in healthcare and related fields subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Viam is HIPAA-ready and enables covered entities and their business associates to use a secure cloud database environment to process, maintain, and store protected health information (PHI).