
Security certifications and attestations

Splunk Cloud maintains a comprehensive security program designed to protect your data’s confidentiality, integrity and availability in accordance with the highest industry standards. Splunk Cloud has been certified by independent third-party auditors.

Product-specific compliance

Product or Feature | CSA STAR Level 1 | HIPAA | IRAP | ISO 27001 | PCI-DSS | SOC 1 | SOC 2 | TISAX

Splunk® Cloud Platform
Admin Config Service
Dashboard Studio
Data Manager
KV Store
Federated Search
Automated Private App Validation
Private Connectivity
Ingest Actions
Cloud Monitoring Console (CMC)
Dynamic Data Active Searchable (DDAS)
Dynamic Data Active Archive (DDAA)
Dynamic Data Self-Storage (DDSS)
Splunk® Enterprise Security
Splunk® Mission Control
Threat Intelligence Management
Splunk® APM
Splunk® IT Service Intelligence
Splunk® Infrastructure Monitoring
Splunk® Log Observer
Splunk® Real User Monitoring
Splunk® Synthetic Monitoring
Splunk® SOAR (Cloud)

Splunk maintains a comprehensive set of compliance certifications and third party attestations intended to help inform customers' own compliance obligations. The list above is provided solely for informational purposes and includes Splunk products that are in scope of Splunk's third party compliance certification or attestation. Generally available features of each of the products are considered in scope of Splunk’s compliance programs unless otherwise noted.

Additional detailed information about Splunk’s global privacy, security, and compliance programs, including certifications, compliance reports, standard security questionnaires and white papers is available in Splunk Customer Trust Portal (NDA required).

This document addresses the named product(s) only and not prerequisite products or optional products. Since laws are frequently amended, the listed information may not reflect all changes or recent amendments to applicable law or how such changes might affect our products. Accordingly, Splunk does not represent, warrant or guarantee that the listed information is complete, accurate or up-to-date and no part of the information provided should be construed as part of any contractual commitment to be included in any contract absent Splunk’s express acknowledgment through language in the contract itself.


Product or Feature | US PBST DoD CC SRG IL2 | US PBST DoD CC SRG IL5 | US PBST FedRAMP Moderate A-ATO | US PBST StateRAMP | US PBST TX-RAMP

Splunk® Cloud Platform
Admin Config Service
Dashboard Studio
Federated Search
Automated Private App Validation
Ingest Actions
Cloud Monitoring Console (CMC)
Private Connectivity
Dynamic Data Active Searchable (DDAS)
Dynamic Data Active Archive (DDAA)
Dynamic Data Self-Storage (DDSS)
Splunk® Enterprise Security
Splunk® IT Service Intelligence

Compliance certifications, standards, and regulations for our products

Splunk Cloud Platform achieved the International Organization for Standardization’s information security standard 27001 (ISO 27001) certification in December 2015 and continues to update it annually. ISO 27001 is a specification that outlines security requirements for an information security management system (ISMS). Authorized users can access related documentation in the Customer Trust Portal.

Service Organization Controls (SOC) compliance is a standardized framework created by the American Institute of Certified Public Accountants (AICPA). It aims to assess service organizations' internal controls, policies and procedures with a focus on controls that impact financial reporting. Splunk Cloud Platform undergoes annual SOC 1 audits to assure the security, availability, processing integrity, confidentiality, and privacy of applicable data and systems.

Splunk Cloud Platform undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the Security, Availability and Confidentiality of the Trust Services Criteria.*

* Splunk continues to update and extend the scope of its SOC 2 Type II audit program, and therefore, for some regions, the corresponding SOC 2 Type II may not yet be completed. For more information, see the Splunk Cloud Security Addendum. Authorized users can access related documentation in the Customer Trust Portal.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets forth national standards governing the processing of protected health information or “PHI.” HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by:

 

  • establishing standards for the use of electronic records in healthcare;
  • establishing standards for accessing, storing and transmitting PHI; and
  • protecting the privacy and security of PHI.

Splunk Cloud Platform is reviewed by third-party auditors annually to certify that it meets HIPAA’s data security requirements, including encryption in transit and at rest. Authorized users can access related documentation in the Customer Trust Portal.

The PCI Data Security Standard (PCI DSS) is a set of comprehensive operational and technical controls required by businesses in the credit card industry to process payments. Splunk Cloud Platform is audited annually to confirm its ongoing compliance with PCI DSS. Authorized users can access related documentation in the Customer Trust Portal.

Splunk Cloud Platform is FedRAMP Authorized by the General Services Administration FedRAMP PMO at a moderate impact level. This authorization facilitates the use of Splunk Cloud Platform by U.S. Federal Government agencies requiring cloud-based services up to the moderate security impact level.

Splunk Cloud Platform is authorized at the StateRAMP Moderate Impact Level. StateRAMP Moderate baseline controls align with NIST and map to data or systems that involve confidential data or are critical to the continuity of government. This authorization facilitates the use of Splunk Cloud Platform by U.S. State and Local Government organizations requiring cloud-based services up to the moderate security impact level.

Splunk Enterprise, Splunk Cloud Platform FedRAMP and Splunk Cloud Platform IL5 leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk cryptographic module achieved Federal Information Processing Standard 140-2 validation.

U.S. Defense Information Systems Agency (DISA) has granted the Splunk Cloud Platform U.S. Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA). U.S. Government agencies are now able to leverage the power of Splunk Cloud Platform to solve their challenging mission-critical problems, even when working with high sensitivity Controlled Unclassified Information (CUI).

Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.

VPATs/ACRs that reflect Splunk product conformance to applicable accessibility requirements can be found on the Splunk Accessibility Page.

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. Splunk Cloud Platform has obtained CSA STAR Level 1, a self-assessment intended for Cloud Service Providers that operate in a low-risk environment and want to offer greater visibility into the security controls they have in place.

Splunk Cloud Platform is attested at the Protected Level under the Australian Information Security Registered Assessors Program (IRAP). IRAP is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Center (ACSC), designed to provide cyber security assessments on Information and Communications Technology (ICT) services to government organisations. IRAP is also a recognised standard with robust security controls for cloud services in the private sector across Australia.

Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for information security in the automotive industry. The TISAX label confirms that a company’s information security management system complies with defined security levels and allows sharing of assessment results across a designated platform operated by the ENX Association.

Cyber Essentials is a UK Government backed scheme that will help protect organisations against a range of the most common cyber attacks.

Additional Resources

The Splunk Customer Trust Portal provides you with easy, on-demand access to documentation about Splunk’s global privacy, security, and compliance programs, including certifications, compliance reports, standard security questionnaires and white papers.