Security certifications and attestations
Splunk maintains a comprehensive set of compliance certifications and attestations to support customers in meeting their own compliance obligations across global regulated markets. This webpage provides a list of Splunk products that are in scope of Splunk’s compliance programs and is solely for informational purposes.
For generally available products listed below, not all features of the product may be within the scope of the relevant third-party audit report. Specific key features that are within the relevant third-party audit report for the product are listed below. Also, for generally available products and features that are currently in scope of Splunk’s compliance program as listed below, the product or feature may not be a part of the third-party audit report until the next assessment cycle.
Additional detailed information about Splunk’s compliance programs, including third-party reports, is available to Splunk customers under non-disclosure agreement from the Customer Trust Portal.
Product | Feature | SOC 1 | SOC 2 | ISO 27001 | ISO 27017 | ISO 27018 | PCI | CSA Star level 1 | CSA Star level 2 |
---|---|---|---|---|---|---|---|---|---|
Splunk® Cloud Platform | |||||||||
Splunk Cloud Platform | Admin Config Service | ||||||||
Splunk Cloud Platform | Dashboard Studio | ||||||||
Splunk Cloud Platform | Data Manager | ||||||||
Splunk Cloud Platform | KV Store | ||||||||
Splunk Cloud Platform | Federated Search | ||||||||
Splunk Cloud Platform | Automated Private App Validation | ||||||||
Splunk Cloud Platform | Private Connectivity | ||||||||
Splunk Cloud Platform | Ingest Actions | ||||||||
Splunk Cloud Platform | Cloud Monitoring Console (CMC) | ||||||||
Splunk Cloud Platform | Dynamic Data Active Searchable (DDAS) | ||||||||
Splunk Cloud Platform | Dynamic Data Active Archive (DDAA) | ||||||||
Splunk Cloud Platform | Dynamic Data Self-Storage (DDSS) | ||||||||
Splunk Cloud Platform | DMX Edge Processor | ||||||||
Splunk Cloud Platform | Federated Search S3 | ||||||||
Splunk Cloud Platform | DMX Ingest Processor | ||||||||
Splunk Cloud Platform | Federated Analytics | ||||||||
Splunk AI Assistant | |||||||||
Splunk® Mission Control | |||||||||
Splunk® SOAR (Cloud) | |||||||||
Splunk® Enterprise Security | |||||||||
Splunk® Enterprise Security | Behavioral Analytics | ||||||||
Splunk® Enterprise Security | Threat Intelligence Management | ||||||||
Splunk Attack Analyzer | |||||||||
Splunk® IT Service Intelligence | |||||||||
Splunk® Infrastructure Monitoring (IMM) | |||||||||
Splunk® Infrastructure Monitoring (IMM) | Network Explorer | ||||||||
Splunk® Application Performance Monitoring (APM) | |||||||||
Splunk® Application Performance Monitoring (APM) | AlwaysOn Profiling | ||||||||
Log Observer Connect | |||||||||
Splunk® Real User Monitoring | |||||||||
Splunk® Synthetic Monitoring |
✓= This product is currently in scope of Splunk’s third party audit/attestation reports.
✓* = IL5 limited scope. Only on-premises to cloud available.
Product | Feature | HIPAA |
---|---|---|
Splunk® Cloud Platform | ||
Splunk Cloud Platform | Admin Config Service | |
Splunk Cloud Platform | Dashboard Studio | |
Splunk Cloud Platform | Data Manager | |
Splunk Cloud Platform | KV Store | |
Splunk Cloud Platform | Federated Search | |
Splunk Cloud Platform | Automated Private App Validation | |
Splunk Cloud Platform | Private Connectivity | |
Splunk Cloud Platform | Ingest Actions | |
Splunk Cloud Platform | Cloud Monitoring Console (CMC) | |
Splunk Cloud Platform | Dynamic Data Active Searchable (DDAS) | |
Splunk Cloud Platform | Dynamic Data Active Archive (DDAA) | |
Splunk Cloud Platform | Dynamic Data Self-Storage (DDSS) | |
Splunk Cloud Platform | DMX Edge Processor | |
Splunk Cloud Platform | Federated Search S3 | |
Splunk Cloud Platform | DMX Ingest Processor | |
Splunk® Mission Control | ||
Splunk® SOAR (Cloud) | ||
Splunk® Enterprise Security | ||
Splunk® Enterprise Security | Behavioral Analytics | |
Splunk® Enterprise Security | Threat Intelligence Management | |
Splunk® IT Service Intelligence | ||
Splunk® Infrastructure Monitoring (IMM) | ||
Splunk® Infrastructure Monitoring (IMM) | Network Explorer | |
Splunk® Application Performance Monitoring (APM) | ||
Splunk® Application Performance Monitoring (APM) | AlwaysOn Profiling | |
Log Observer Connect | ||
Splunk® Real User Monitoring | ||
Splunk® Synthetic Monitoring |
✓= This product is currently in scope of Splunk’s third party audit/attestation reports.
✓* = IL5 limited scope. Only on-premises to cloud available.
Product | Feature | DoD CC SRG IL5 | FedRAMP Moderate | FedRAMP High | StateRAMP | TX-RAMP |
---|---|---|---|---|---|---|
Splunk® Cloud Platform | ||||||
Splunk® Cloud Platform | Admin Config Service | |||||
Splunk® Cloud Platform | Dashboard Studio | |||||
Splunk® Cloud Platform | KV Store | |||||
Splunk® Cloud Platform | Federated Search | |||||
Splunk® Cloud Platform | Automated Private App Validation | |||||
Splunk® Cloud Platform | Ingest Actions | |||||
Splunk® Cloud Platform | Cloud Monitoring Console (CMC) | |||||
Splunk® Cloud Platform | Private Connectivity | |||||
Splunk® Cloud Platform | Dynamic Data Active Searchable (DDAS) | |||||
Splunk® Cloud Platform | Dynamic Data Active Archive (DDAA) | |||||
Splunk® Cloud Platform | Dynamic Data Self-Storage (DDSS) | |||||
Splunk® Cloud Platform | DMX Edge Processor | |||||
Splunk® Cloud Platform | Federated Search S3 | |||||
Splunk® Cloud Platform | DMX Ingest Processor | |||||
Splunk® Mission Control | ||||||
Splunk® SOAR | ||||||
Splunk® Enterprise Security | ||||||
Splunk® Enterprise Security | Behavioral Analytics | |||||
Splunk® Enterprise Security | Threat Intelligence Management | |||||
Splunk® IT Service Intelligence | ||||||
Splunk® Infrastructure Monitoring (IMM) | ||||||
Splunk® Infrastructure Monitoring (IMM) | Network Explorer | |||||
Splunk® Application Performance Monitoring (APM) | ||||||
Splunk® Application Performance Monitoring (APM) | AlwaysOn Profiling | |||||
Log Observer Connect | ||||||
Splunk® Real User Monitoring | ||||||
Splunk® Synthetic Monitoring |
✓= This product is currently in scope of Splunk’s third party audit/attestation reports.
✓* = IL5 limited scope. Only on-premises to cloud available.
Product | Feature | IRAP |
---|---|---|
Splunk® Cloud Platform | ||
Splunk® Cloud Platform | Admin Config Service | |
Splunk® Cloud Platform | Dashboard Studio | |
Splunk® Cloud Platform | Data Manager | |
Splunk® Cloud Platform | KV Store | |
Splunk® Cloud Platform | Federated Search | |
Splunk® Cloud Platform | Automated Private App Validation | |
Splunk® Cloud Platform | Private Connectivity | |
Splunk® Cloud Platform | Ingest Actions | |
Splunk® Cloud Platform | Cloud Monitoring Console (CMC) | |
Splunk® Cloud Platform | Dynamic Data Active Searchable (DDAS) | |
Splunk® Cloud Platform | Dynamic Data Active Archive (DDAA) | |
Splunk® Cloud Platform | Dynamic Data Self-Storage (DDSS) | |
Splunk® Cloud Platform | DMX Edge Processor | |
Splunk® Cloud Platform | Federated Search S3 | |
Splunk® Cloud Platform | DMX Ingest Processor | |
Splunk® Mission Control | ||
Splunk® SOAR | ||
Splunk® Enterprise Security | ||
Splunk® Enterprise Security | Threat Intelligence Management | |
Splunk® Enterprise Security | Behavioral Analytics | |
Splunk® IT Service Intelligence | ||
Splunk® Infrastructure Monitoring (IMM) | ||
Splunk® Infrastructure Monitoring (IMM) | Network Explorer | |
Splunk® Application Performance Monitoring (APM) | ||
Splunk® Application Performance Monitoring (APM) | AlwaysOn Profiling | |
Log Observer Connect | ||
Splunk® Real User Monitoring | ||
Splunk® Synthetic Monitoring |
✓= This product is currently in scope of Splunk’s third party audit/attestation reports.
✓* = IL5 limited scope. Only on-premises to cloud available.
Product | Feature | TISAX |
---|---|---|
Splunk® Cloud Platform | ||
Splunk® Cloud Platform | Admin Config Service | |
Splunk® Cloud Platform | Dashboard Studio | |
Splunk® Cloud Platform | Data Manager | |
Splunk® Cloud Platform | KV Store | |
Splunk® Cloud Platform | Federated Search | |
Splunk® Cloud Platform | Automated Private App Validation | |
Splunk® Cloud Platform | Private Connectivity | |
Splunk® Cloud Platform | Ingest Actions | |
Splunk® Cloud Platform | Cloud Monitoring Console (CMC) | |
Splunk® Cloud Platform | Dynamic Data Active Searchable (DDAS) | |
Splunk® Cloud Platform | Dynamic Data Active Archive (DDAA) | |
Splunk® Cloud Platform | Dynamic Data Self-Storage (DDSS) | |
Splunk® Cloud Platform | DMX Edge Processor | |
Splunk® Cloud Platform | Federated Search S3 | |
Splunk® Cloud Platform | DMX Ingest Processor | |
Splunk® Mission Control | ||
Splunk® SOAR (Cloud) | ||
Splunk® Enterprise Security | ||
Splunk® Enterprise Security | Behavioral Analytics | |
Splunk® Enterprise Security | Threat Intelligence Management | |
Splunk® IT Service Intelligence | ||
Splunk® Infrastructure Monitoring (IMM) | ||
Splunk® Infrastructure Monitoring (IMM) | Network Explorer | |
Splunk® Application Performance Monitoring (APM) | ||
Splunk® Application Performance Monitoring (APM) | AlwaysOn Profiling | |
Log Observer Connect | ||
Splunk® Real User Monitoring | ||
Splunk® Synthetic Monitoring |
✓= This product is currently in scope of Splunk’s third party audit/attestation reports.
✓* = IL5 limited scope. Only on-premises to cloud available.
This document addresses the named product(s) only as of November 2024. Since laws are frequently amended, the listed information may not reflect all changes or recent amendments to applicable law or how such changes might affect our products. Accordingly, Splunk does not represent, warrant or guarantee that the listed information is complete, accurate, or up-to-date and no part of the information should be construed as part of any contractual commitment to be included in any contract absent Splunk’s express acknowledgement through language in the contract itself.
The International Organization for Standardization (ISO) is an independent, international organization. The ISO 27001 standard outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage identified risks.
On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27001 requirements (surveillance audits) and certifications are reissued every 3 years (renewal audits). Authorized users can access related documentation in the Customer Trust Portal.
The ISO 27017 standard provides cloud service providers guidance on the information security aspects of cloud computing, providing recommendations on the implementation of cloud-specific information security controls to support the ISO 27001 standard.
On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27017 requirements and certifications are reissued every 3 years. Authorized users can access related documentation in the Customer Trust Portal.
The ISO 27018 standard covers the protection of personally identifiable information (PII) for cloud service providers. ISO 27018 builds upon the existing ISO 27001 standard by adding specific items for cloud privacy and provides new security controls for personal data.
On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27018 requirements and certifications are reissued every 3 years. Authorized users can access related documentation in the Customer Trust Portal.
A Service Organization Controls (SOC) 1 report evaluates internal controls that are applicable to a user entity's controls and is governed by the American Institute of Certified Public Accountants (AICPA). It is specially designed to meet the needs of customers and the accountants who audit our financial statements.
On a semi-annual basis, Splunk’s critical systems related to financial reporting are reviewed and evaluated by an independent third-party auditor against the SOC 1 control objectives. Authorized users can access related documentation in the Customer Trust Portal.
A Service Organization Controls (SOC) 2 report is designed to provide assurance about the effectiveness of the controls in place that are relevant to the security, availability, and confidentiality of the systems where customer data is processed. The SOC 2 control objectives are governed by the American Institute of Certified Public Accountants (AICPA) and the reports are inclusive of specified Splunk products utilized by our customers. For more information, see the Splunk Cloud Security Addendum.
On a semi-annual basis, specified Splunk products and services are reviewed and evaluated by an independent third-party auditor against the SOC 2 control objectives. Authorized users can access related documentation in the Customer Trust Portal.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that establishes data privacy and security requirements for organizations that are responsible for safeguarding individuals' protected health information (PHI). Under HIPAA, these organizations meet the definition of “covered entities” or “business associates.” Customers that are subject to HIPAA and want to utilize HIPAA compliant Splunk Cloud products in connection with PHI must review and accept Splunk’s Business Associate Agreement (BAA).
On an annual basis, specified Splunk products are reviewed and evaluated by an independent third-party auditor against the HIPAA requirements. Authorized users can access related documentation in the Customer Trust Portal.
The Payment Card Industry Security Standards Council (PCI SSC) developed one standard policy, the PCI Data Security Standards (PCI DSS), to ensure a baseline level of protection for consumers and vendors. All merchants and their service providers that store, process, or transmit cardholder data must be compliant with PCI DSS.
As a Level 1 PCI service provider, Splunk is required to undergo an Annual Compliance Report (ROC) by a Qualified Security Assessor (QSA) or Internal Security Assessor and quarterly network scanning by an Approved Scanning Vendor (ASV). Authorized users can access related documentation in the Customer Trust Portal.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). For CSA STAR level 1, cloud providers submit the Consensus Assessments Initiative Questionnaire (CAIQ) to document compliance with the Cloud Controls Matrix (CCM).
On an annual basis, Splunk self-attests specified products against the CSA STAR Level 1 requirements and submits to the STAR registry. This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. Authorized users can access related documentation in the Customer Trust Portal.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). The CSA STAR Level 2 certification leverages the requirements of the ISO 27001:2013 management system standard together with the CSA CCM criteria.
On an annual basis, specified Splunk products are reviewed and evaluated by an independent third-party auditor against the CSA STAR Level 2 requirements. This information is submitted to the STAR registry and then becomes publicly available, promoting industry transparency and providing customer visibility into specific Splunk security practices. Authorized users can access related documentation in the Customer Trust Portal.
The U.S. Department of Defense (DoD) has information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD has defined cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers supporting U.S. DoD customers are required to comply with these requirements.
Per DISA’s Memorandum for FedRAMP-approved Cloud Service Providers on August 15th, 2019, Splunk’s FedRAMP moderate offering is eligible for Impact Level 2 (IL2) customer use by the DoD for public data under reciprocity. Prospective DoD customers may submit a FedRAMP Package Access Request form at: https://www.fedramp.gov/assets/resources/documents/Agency_Package_Request_Form.pdf to request Splunk’s FedRAMP Moderate documentation for review and issuance of IL2 authorization.
The U.S. Department of Defense (DoD) has information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD has defined cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers supporting U.S. DoD customers are required to comply with these requirements.
Splunk does not have an Impact Level 4 (IL4) offering; however, specified Splunk products are assessed by an independent third-party auditor against the Impact Level 5 (IL5) requirements. Splunk’s IL5 offering provides additional security controls beyond IL4 requirements and may be leveraged by customers to meet and exceed IL4 compliance obligations.
The U.S. Department of Defense (DoD) has information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD has defined cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud service providers supporting U.S. DoD customers are required to comply with these requirements.
On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the Impact Level 5 (IL5) requirements. DoD IL5 is a designation that includes high sensitivity controlled unclassified information (CUI) and mission data, along with Unclassified National Security Information (U-NSI).
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.
On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the FedRAMP Moderate requirements; see Splunk’s FedRAMP authorizations. Authorized users can access related documentation in the Customer Trust Portal.
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.
On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the FedRAMP High Security baseline; see Splunk’s FedRAMP authorizations.
StateRAMP is a non-profit, 501(c)6 membership organization that brings together U.S. state and local governments, educational institutions, and special districts with the cloud service providers (CSPs) who serve them, to promote best cyber practices and to establish a common set of security criteria. Similar to the Federal Risk and Authorization Management Program (FedRAMP), StateRAMP established a certification program which verifies that CSPs meet the controls for National Institute of Standards and Technology (NIST) Special Publication 800-53 by impact level.
On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the StateRAMP moderate impact level requirements; see the StateRAMP product list.
The Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies. Similar to the Federal Risk and Authorization Management Program (FedRAMP), TX-RAMP established a certification program which verifies that Cloud Service Providers (CSPs) meet the controls for National Institute of Standards and Technology (NIST) Special Publication 800-53 by impact level.
On an annual basis, specified Splunk products are assessed by an independent third-party auditor against the FedRAMP moderate impact level requirements. Texas provides reciprocal authorization for FedRAMP M services at TX-RAMP level 2; see the TX-RAMP certified cloud product list. Authorized users can access related documentation in the Customer Trust Portal.
Trusted Information Security Assessment Exchange (TISAX) is a European information security assessment (ISA) for the automotive industry. The TISAX ISA is based on the ISO 27001 standard and covers key aspects of information security adapted for the automotive industry, suppliers, and subcontractors. The standard was created by the Association of the German Automotive Industry (VDA) and the association of European automotive manufacturers, European Network Exchange (ENX). ENX accredits the audit service providers and monitors the quality of the implementation and the assessment results.
Specified Splunk products are reviewed and certified by an independent third-party auditor against the TISAX requirements. The certification is valid for 3 years.
The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that appropriate controls are in place and determine the appropriate responsibility model for addressing the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). The ISM describes the security control mechanisms that cloud services providers require for providing services to the government.
Specified Splunk products are assessed by an independent third-party auditor against the protected level IRAP requirements. The resulting report from the third-party auditor is valid for 2 years.
Splunk Enterprise, Splunk Cloud Platform FedRAMP and Splunk Cloud Platform IL5 leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk cryptographic module achieved Federal Information Processing Standard 140-2 validation.
Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.
VPATs/ACRs that reflect Splunk product conformance to applicable accessibility requirements can be found on the Splunk Accessibility Page.
Cyber Essentials is a UK Government backed scheme that will help protect organisations against a range of the most common cyber attacks.