Skip to main content

Security certifications and attestations

Splunk Cloud maintains a comprehensive security program designed to protect your data’s confidentiality, integrity and availability in accordance with the highest industry standards. Splunk Cloud has been certified by independent third-party auditors.

Product-specific compliance

Product NameSOC 2 Type IIPCI-DSSISO 27001HIPAAFedRAMP: ModerateDoD CC SRG: IL5IRAP: ProtectedSection 508, WCAG 2.0, WCAG 2.1

Splunk Cloud Platform

Splunk Security Cloud

- Splunk Enterprise Security

- Mission Control (Service of ES)

- Behavioral Analytics (Service of ES)

- Intelligence Management (Service of ES)

- Splunk SOAR (Cloud)

Splunk Observability Cloud

- Splunk IT Service Intelligence

- Splunk Infrastructure Monitoring

- Splunk Application Performance Monitoring

- Splunk Log Observer

- Splunk Real User Monitoring

- Splunk On-Call

Splunk Product Name FIPS 140-2 NIAP Common Criteria ISO 19770 Section 508, WCAG 2.0, WCAG 2.1

Splunk Enterprise


Splunk Enterprise Security




Splunk IT Service Intelligence




Splunk User Behavior Analytics


Splunk SOAR

U.K. Cyber Essentials U.K. Cyber Essentials Plus U.S. Trade Agreement Act Sarbanes-Oxley Act ITGC

Compliance certifications, standards, and regulations for our products

ISO 27001 Certification

Splunk Cloud achieved the International Organization for Standardization’s information security standard 27001 (ISO 27001) certification in December 2015 and continues to update it annually. ISO 27001 is a specification that outlines security requirements for an information security management system (ISMS). Authorized users can access related documentation in the Customer Trust Portal.

SOC 2 Type II Report

Splunk Cloud undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the Security, Availability and Confidentiality of the Trust Services Criteria.*

* Splunk continues to update and extend the scope of its SOC 2 Type II audit program, and therefore, for some regions, the corresponding SOC 2 Type II may not yet be completed. For more information; see the Splunk Cloud Security Addendum. Authorized users can access related documentation in the Customer Trust Portal.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets forth national standards governing the processing of protected health information or “PHI.” HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by:

  • establishing standards for the use of electronic records in healthcare;
  • establishing standards for accessing, storing and transmitting PHI; and
  • protecting the privacy and security of PHI.

Splunk Cloud is reviewed by third-party auditors annually to certify that it meets HIPAA’s data security requirements, including encryption in transit and at rest. Authorized users can access related documentation in the Customer Trust Portal.


The PCI Data Security Standard (PCI DSS) is a set of comprehensive operational and technical controls required by businesses in the credit card industry to process payments. Splunk Cloud is audited annually to confirm its ongoing compliance with PCI DSS. Authorized users can access related documentation in the Customer Trust Portal.

FedRAMP Authorized

Splunk Cloud is FedRAMP Authorized by the General Services Administration FedRAMP PMO at a moderate impact level. This authorization facilitates the use of Splunk Cloud by U.S. Federal Government agencies requiring cloud-based services up to the moderate security impact level.

FIPS 140-2 Certification

Splunk Enterprise, Splunk Cloud Platform FedRAMP and Splunk Cloud Platform IL5 leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk cryptographic module achieved Federal Information Processing Standard 140-2 validation.

U.S. Department of Defense (DoD) Impact Level 5 (IL5)

U.S. Defense Information Systems Agency (DISA) has granted the Splunk Cloud Platform U.S. Department of Defense (DoD) Impact Level 5 (IL5) Provisional Authorization (PA). U.S. Government agencies are now able to leverage the power of Splunk Cloud Platform to solve their challenging mission-critical problems, even when working with high sensitivity Controlled Unclassified Information (CUI).

Common Criteria

Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.


VPATs/ACRs that reflect Splunk product conformance to applicable accessibility requirements can be found on the Splunk Accessibility Page.

Additional Resources

The Splunk Customer Trust Portal provides you with easy, on-demand access to documentation about Splunk’s global privacy, security, and compliance programs, including certifications, compliance reports, standard security questionnaires and white papers.