Trust Center

On April 19, 2026, Drata became aware of the Vercel April 2026 security incident, in which attackers obtained unauthorized access to certain Vercel internal systems via a compromised third-party OAuth application (Context.ai). Reputable threat intelligence sources have reported that a limited subset of Vercel customers had credentials exposed in connection with this incident.

Drata is not impacted by this incident based on the information currently available. Our investigation, conducted the same day the incident became public, supports this assessment:

• Drata did not receive a notification from Vercel indicating that our credentials were part of the affected subset.
• No customer data is processed on Vercel. Vercel is used exclusively to host our public marketing website (drata.com) and its preview/staging environments. No customer data, no audit evidence, and no workloads that process customer information are hosted on Vercel.
• No indicators of compromise observed in our environment. We searched our environments for the indicator of compromise Vercel published — the compromised third-party OAuth application ID — and confirmed it does not appear in our logging sources.

Precautionary steps we took, even though we had no evidence of impact:

• Rotated API keys held in our marketing site's Vercel environment for supporting marketing-stack services (content, forms, recruiting integrations), and removed unused environment variables and unused projects.
• Reviewed downstream permissions on all rotated keys to confirm they remain appropriately scoped to the functions our marketing site actually requires.
• Marked newly created secrets with the most restrictive handling available in Vercel.

The confidentiality, integrity, and availability of the Drata product and customer data remain unharmed.

We will continue to monitor the situation and will update this post if additional information from Vercel, our threat-intelligence providers, or our own ongoing investigation materially changes this assessment.

If you have questions about your Drata environment in connection with this incident, please contact security@drata.com.

On March 30, 2026, Drata became aware of the Axios npm supply chain attack security incident.

Threat intelligence sources have reported that this incident introduced a malicious dependency into specific npm releases of the widely used HTTP client Axios, specifically axios@1.14.1 and axios@0.30.4.

-Recommended: Supply Chain Attack on Axios Pulls Malicious Dependency from npm, Socket Research Team
-Recommended: Hidden Blast Radius of the Axios Compromise, Socket Research Team

We want our customers to know that Drata is not impacted by this threat.

We do not leverage the affected versions of this software (axios@1.14.1 or axios@0.30.4) within our product and therefore the confidentiality, integrity, and availability of our systems remain unharmed.