
SFDC Certifications

Success is built on trust.
Trust starts with transparency.


ComplianceQuest is a 100% native force.com application suite, built and run on the Salesforce platform. As such, the ComplianceQuest EQMS suite inherits the attributes of the Salesforce platform, including:

Trusted Security

Always-On

Performance At Scale

Application Innovation

Multi-Tenant Infrastructure

Salesforce maintains a comprehensive set of compliance certifications and attestations to validate the #1 value of trust.

To learn more about the compliance certifications, please explore:

  • Global
  • The Americas
  • Europe, the Middle East & Africa
  • Asia-Pacific & Japan

ISO 27001

ISO 27017

ISO 27018

SOC 1

SOC 2

SOC 3

PCI DSS

FedRAMP Moderate

DoD IL2

DoD IL4

NIST SP 800-171

HIPAA

NEN 7510

HITRUST

Financial Services Compliance - USA

Salesforce BCRs

Privacy Shield

TRUSTe Certified Privacy Seal

PrivacyMark

ASP/SaaS

TüV Rheinland CCS

iRAP

UK Cyber Essentials

CSA STAR

iRAP

The Information Security Registered Assessors Program (iRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) services to government in support of Australia's security. iRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed iRAP Assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. iRAP Assessors may provide assessment up to the TOP SECRET level for cloud services and others.


TüV Rheinland CCS

Technischer Überwachungs-Verein Certified Cloud Service (TüV Rheinland) is a widely-recognized technology certification in the EMEA region, specifically in Germany.

Salesforce has held the TüV Rheinland CCS certification for the past four years now. The TüV Rheinland CCS certification currently does not apply to the following Salesforce Services: Site.com, Database.com and Communities.


ASP/SaaS

The Application Service Provider / Software as a Service (ASP/SaaS) certification increases the transparency of the safety and reliability measures employed by SaaS cloud service providers in Japan.

Salesforce is a founding member and has been certified since 2008. The ASP/SaaS certification currently does not apply to the following Salesforce Services: Force.com, Site.com, Database.com, and Chatter.


PrivacyMark

PrivacyMark is a reputable privacy-centric certification in Japan that focuses on enhancing consumers’ awareness of personal information protection and increases social trust from consumers and business partners. The requirements are based on JISQ standards and are governed by JIPDEC (Japan Institute for Promotion of Digital Economy and Community).

PrivacyMark is considered a Japan equivalent of ISO 27001, and Salesforce has been certified since 2008. PrivacyMark is a legal entity-based program and it applies to salesforce.com Co., Ltd.


TRUSTe Certified Privacy Seal

For certain of our products, TRUSTe has assessed compliance with its Privacy Certification. For more detail about our TRUSTe certifications, please see here.


Privacy Shield

For certain Services, for which we act as a data processor, Salesforce has certified under the EU-U.S. Privacy Shield framework. For more details about the scope of the certification see here. For additional information about the multiple legal mechanisms (including EU Standard Contractual Clauses) which Salesforce has to help customers validate transfers of personal data from the European Economic Area to Salesforce’s services, please see this FAQ as well as our Data Processing Addendum.

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.


Salesforce BCRs

For certain Salesforce Services, Salesforce has received approval for its Binding Corporate Rules for the Processing of Personal Data (“Salesforce Processor BCR”) from European data protection authorities. For more details about the scope of the Salesforce Processor BCR and applicable services, please see here. For additional information about the multiple legal mechanisms (including EU Standard Contractual Clauses) which Salesforce has to help customers validate transfers of personal data from the European Economic Area to Salesforce’s services, please see this FAQ as well as our Data Processing Addendum.

"Binding Corporate Rules" (or "BCRs") are company-specific, group-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area to other countries. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with European data protection authorities.


Financial Services Compliance - USA

HITRUST

HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

Salesforce Services Systems that are HITRUST CSF Certified: Force.com (Platform Services), Site.com, Database.com, Sales Cloud, Service Cloud, Community Cloud, Chatter, Einstein Analytics, Work.com, and Industries Applications (Financial Services Cloud, Health Cloud) at the following production data centers - WAS, CHI, CHX, WAX, LON, WAC, FRF, PHX, DFW, TYO, PAR and UKB.

Salesforce.com Exact Target products are HITRUST CSF Certified at the Atlanta, Las Vegas and Indianapolis data centers.


NEN 7510

NEN 7510 provides specific controls supplementary to ISO 27001 applicable to the Dutch healthcare sector and organisations processing Dutch healthcare data. Salesforce has engaged an independent third-party assessor to map the relevant NEN 7510 controls against Salesforce's existing certifications and controls. Please contact your Salesforce representative for a copy of the report.


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is government legislation that defines the privacy and security provisions for safeguarding medical information (protected health information, PHI). The HIPAA regulatory framework includes the following categories of regulations: the Security Rule, the Privacy Rule, the Breach Notification Rule, and the Enforcement Rule.


NIST SP 800-171

In October 2016, the U.S. Department of Defense (DoD) updated acquisition requirements for government contractors to provide more specific guidance in light of their continued use of cloud computing services as it relates to the transmission, storage, and processing of controlled defense information. When cloud services are used by a contractor as part of a system operated on behalf of the U.S. government, those cloud services are expected to comply with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are used by a contractor as part of a system not operated on behalf of the U.S. government, those cloud services are expected to comply with the Moderate Impact requirements defined by the Federal Risk and Authorization Management Program (FedRAMP).

Since May 2014, Salesforce has maintained a FedRAMP Authority to Operate (ATO) at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA). These authorizations may assist DoD mission owners and authorized contractors in their management of Controlled Unclassified Information (CUI), including Personally Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure.

Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/.


DoD IL4

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP). Using the FedRAMP requirements as a foundation, the DoD has defined additional cloud computing security and compliance requirements in its DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

The Salesforce Government Cloud has been granted a Provisional Authorization (PA) for Impact Level 4 (IL4) from the Defense Information Systems Agency (DISA), leveraging Salesforce's FedRAMP Moderate ATO and undergoing additional assessments by independent organizations. This provides DoD mission owners and authorized contractors the ability to use the Salesforce Government Cloud to manage Controlled Unclassified Information (CUI), including Personally Identifiable Information (PII) and Protected Health Information (PHI). This also includes data requiring protection from unauthorized disclosure and other mission-critical data.

Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/.


DoD IL2

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP). Using the FedRAMP requirements as a foundation, the DoD has defined additional cloud computing security and compliance requirements in its DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.

The Salesforce Government Cloud has been granted a Provisional Authorization (PA) for Impact Level 2 (IL2) from the Defense Information Systems Agency (DISA), leveraging Salesforce's FedRAMP Moderate ATO. IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control.

Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/.


FedRAMP Moderate

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.

In May 2014, Salesforce achieved and has since maintained a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by U.S. Department of Health and Human Services (HHS) for the Salesforce Government Cloud.

Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/.


PCI DSS

The Payment Card Industry Data Security Standards (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment. The PCI DSS applies to credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB. A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC).


SOC 3

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data.

The SOC 3 report covers the Security, Availability, and Confidentiality Trust Services Principles.


SOC 2

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data.

The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.


SOC 1

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data.

The SOC 1 reports are primarily concerned with examining controls that are relevant for the financial reporting of customers.


ISO 27018

The International Organization for Standardization 27018 Standard (ISO 27018) covers privacy protections for the processing of personal information by cloud service providers.


ISO 27017

ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27002 and ISO 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers. The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section.


ISO 27001

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. These certifications run for 3 years (renewal audits) and have annual touch-point audits (surveillance audits).

To view the Salesforce ISO 27001 certification, click the "Learn More" button below.

Learn More
