Drata's platform helps companies build and maintain the trust of their users, customers, partners, and prospects. We believe the best way to earn trust is by being transparent and proving that we are doing what we're saying we're doing. That’s why we take a security-first approach to everything we do. From building our infrastructure as code to monitoring our environment with anomaly detection and automated remediation, security is a core value that drives our business forward. This Trust Center provides you with artifacts to help show how we walk-the-walk when it comes to our own security, compliance, and privacy programs. Please reach out to our compliance team with any questions not answered here.
Documents
Drata Not Impacted by the May 2026 Braintrust Security Incident
On May 6, 2026, Drata became aware of the Braintrust security incident, in which attackers obtained unauthorized access to one of Braintrust's AWS accounts on May 4, 2026. The affected environment stored organization-level AI provider API keys that customers had configured within the Braintrust platform. Reputable threat intelligence sources have reported that Braintrust identified at least one impacted customer but had not found evidence of broader exposure at the time of disclosure.
Drata is not impacted by this incident based on the information currently available. Our investigation, conducted the same day the incident became public, supports this assessment:
- Drata currently uses Braintrust exclusively for internal, offline evaluation workflows. No customer data is processed on or streamed to Braintrust — it is not part of any customer-facing product workflow.
- Our code review confirmed the Braintrust SDK is scoped to an optional evaluation dependency group only and is not active in core production services.
- No indicators of compromise were observed in our environment.
Precautionary steps we took, even though we had no evidence of customer data impact:
- Revoked and rotated all AI provider API keys stored within the Braintrust platform, as recommended by Braintrust.
- Rotated the Braintrust API key across all environments.
- Reviewed the scope of our Braintrust integration and confirmed it is limited to internal eval tooling with no connection to customer data.
The confidentiality, integrity, and availability of the Drata product and customer data remain unharmed.
We will continue to monitor the situation and will update this post if additional information from Braintrust, our threat-intelligence providers, or our own ongoing investigation materially changes this assessment.
If you have questions about your Drata environment in connection with this incident, please contact security@drata.com.
Drata Not Impacted by the April 2026 Vercel Security Incident
On April 19, 2026, Drata became aware of the Vercel April 2026 security incident, in which attackers obtained unauthorized access to certain Vercel internal systems via a compromised third-party OAuth application (Context.ai). Reputable threat intelligence sources have reported that a limited subset of Vercel customers had credentials exposed in connection with this incident.
Drata is not impacted by this incident based on the information currently available. Our investigation, conducted the same day the incident became public, supports this assessment:
- Drata did not receive a notification from Vercel indicating that our credentials were part of the affected subset.
- No customer data is processed on Vercel. Vercel is used exclusively to host our public marketing website (drata.com) and its preview/staging environments. No customer data, no audit evidence, and no workloads that process customer information are hosted on Vercel.
- No indicators of compromise were observed in our environment. We searched our environments for the indicator of compromise Vercel published — the compromised third-party OAuth application ID — and confirmed it does not appear in our logging sources.
Precautionary steps we took, even though we had no evidence of impact:
- Rotated API keys held in our marketing site's Vercel environment for supporting marketing-stack services (content, forms, recruiting integrations), and removed unused environment variables and unused projects.
- Reviewed downstream permissions on all rotated keys to confirm they remain appropriately scoped to the functions our marketing site actually requires.
- Marked newly created secrets with the most restrictive handling available in Vercel.
The confidentiality, integrity, and availability of the Drata product and customer data remain unharmed.
We will continue to monitor the situation and will update this post if additional information from Vercel, our threat-intelligence providers, or our own ongoing investigation materially changes this assessment.
If you have questions about your Drata environment in connection with this incident, please contact security@drata.com.
Drata Not Impacted by Axios npm Supply Chain Attack
On March 30, 2026, Drata became aware of the Axios npm supply chain attack security incident.
Threat intelligence sources have reported that this incident introduced a malicious dependency into specific npm releases of the widely used HTTP client Axios, specifically axios@1.14.1 and axios@0.30.4.
- Recommended: Supply Chain Attack on Axios Pulls Malicious Dependency from npm, Socket Research Team
- Recommended: Hidden Blast Radius of the Axios Compromise, Socket Research Team
We want our customers to know that Drata is not impacted by this threat.
We do not use the affected versions of this software (axios@1.14.1 or axios@0.30.4) within our product, and therefore the confidentiality, integrity, and availability of our systems remain unharmed.
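The check behind a statement like the one above is a lockfile audit: confirm that none of the resolved `axios` entries, including transitive ones nested under other packages, is one of the two releases named in this notice. The script below is an added example and is not Drata's own tooling; it parses a `package-lock.json` (both the `lockfileVersion` 2/3 `packages` map and the older `lockfileVersion` 1 nested `dependencies` tree) and reports every `axios` entry pinned to an affected version. The lockfile contents embedded in it are constructed for illustration; the version numbers come from the notice above.

```python
import json
import sys

# Affected releases named in the advisory above.
AFFECTED_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}


def find_affected_axios(lockfile_text):
    """Return a sorted list of (install_path, version) for every axios entry
    in a package-lock.json whose resolved version is an affected release.

    Nested entries (e.g. node_modules/some-sdk/node_modules/axios) matter
    because a transitive dependency can pull in an affected version even when
    the application's own direct pin is clean.
    """
    lock = json.loads(lockfile_text)
    hits = []

    packages = lock.get("packages")
    if isinstance(packages, dict):
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root.
        for path, meta in packages.items():
            name = path.split("node_modules/")[-1]
            if name == "axios" and meta.get("version") in AFFECTED_AXIOS_VERSIONS:
                hits.append((path, meta["version"]))
    else:
        # lockfileVersion 1: nested tree, each node may carry "dependencies".
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == "axios" and meta.get("version") in AFFECTED_AXIOS_VERSIONS:
                    hits.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")

        walk(lock.get("dependencies", {}), "")

    return sorted(hits)


# Constructed sample: direct pin is clean, but a transitive dependency
# resolves to an affected release.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"axios": "^1.12.0", "some-sdk": "^2.0.0"}},
        "node_modules/axios": {"version": "1.12.0"},
        "node_modules/some-sdk": {"version": "2.0.0",
                                  "dependencies": {"axios": "1.14.1"}},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1"},
    },
})

# Constructed sample in the older v1 layout: the top-level axios is affected,
# a nested one is not.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "0.30.4"},
        "lib": {"version": "1.0.0",
                "dependencies": {"axios": {"version": "1.12.0"}}},
    },
})


if __name__ == "__main__":
    # Usage: python audit_axios.py path/to/package-lock.json [...]
    # With no arguments, scan the embedded constructed samples.
    sources = sys.argv[1:] or ["<sample v3>", "<sample v1>"]
    for src in sources:
        if src.startswith("<sample"):
            text = SAMPLE_LOCK_V3 if "v3" in src else SAMPLE_LOCK_V1
        else:
            with open(src, encoding="utf-8") as fh:
                text = fh.read()
        hits = find_affected_axios(text)
        status = "AFFECTED" if hits else "clean"
        print(f"{src}: {status}")
        for path, version in hits:
            print(f"  {path} -> axios@{version}")
```

Run it against every lockfile in the repository (including ones inside workspace packages) rather than only the root; a clean `npm ls axios` at the root does not cover lockfiles that other services or build tools resolve independently.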
- Is sensitive data encrypted at rest and in transit?
- Will my data be transferred or shared with any third parties?
- What is Drata's tenancy model and how is customer data segregated?
- Are all personnel required to use Multi Factor Authentication (MFA) to access the production cloud environment?
- Are there any web facing application protection mechanisms?