Compliance engineered for the Cloud
HowardCRM on Salesforce maintains a comprehensive set of compliance certifications and attestations including HIPAA to validate our #1 value of Trust.
The HDS Certification was introduced by the “Agence Nationale des Systèmes d’Information Partagés de Santé” (French Governmental Agency for Digital Health) and enables certified hosting providers to host French health data on behalf of third parties. As such the HDS certification is only applicable to health data produced in France in the context of the provision of healthcare as defined by Article L.1111-8 of the French Public Health Code. For more information, please visit https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante
The Application Service Provider / Software as a Service (ASP/SaaS) certification increases the transparency of the safety and reliability measures employed by SaaS cloud service providers in Japan. Salesforce is a founding member and has been certified since 2008. The certificate document is available only in Japanese. Additional information can be found at http://www.cloud-nintei.org
ISAE 3000 (Revised) report on management’s description of salesforce.com, inc.’s Salesforce Services system, assessed against the German Federal Office for Information Security (BSI) Cloud Computing Compliance Controls Catalogue (C5). Additional information can be found at https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Criteria_Catalogue/Compliance_Criteria_Catalogue_node.html
CS Gold Mark, accredited by the Japan Information Security Audit Association (JASA), is the certification for cloud service providers certifying that their security level is equivalent to the global standard (ISO/IEC 27017). Salesforce has been certified CS Gold Mark by a JASA-certified auditor. The certificate document is available only in Japanese. Additional information can be found at http://jcispa.jasa.jp
Salesforce maintains a Disaster Recovery plan that supports a robust business continuity strategy for the production services and platforms. This plan has been developed from industry-accepted methodologies and encompasses principles of high-availability engineering. The Disaster Recovery plan is constantly measured against strict regulatory and governance requirements, and is a crucial part of the acceptance plan when making changes or additions to the production environment. More information on Site Switching is available in this knowledge article.
The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by the Federal Risk and Authorization Management Program (FedRAMP) program. Using FedRAMP requirements as a foundation, the U.S. DoD specifically has defined additional cloud computing security and compliance requirements in their DoD Cloud Computing Security Requirements Guide (SRG). Cloud Service Providers (CSPs) supporting U.S. DoD customers are required to comply with these requirements.
The Salesforce Government Cloud and Government Cloud Plus have been granted a Provisional Authorization (PA) for Impact Level 2 (IL2) from the Defense Information Systems Agency (DISA), leveraging Salesforce’s FedRAMP Moderate and High ATOs. IL2 is for non-Controlled Unclassified Information (non-CUI), which includes all data cleared for public release, as well as some DoD private unclassified information not designated as CUI or critical mission data that requires some minimal level of access control. Additional information can be found at https://www.salesforce.com/solutions/industries/government/compliance/
The Salesforce Government Cloud has been granted a Provisional Authorization (PA) for Impact Level 4 (IL4) from the Defense Information Systems Agency (DISA), leveraging Salesforce’s FedRAMP Moderate ATO and undergoing additional assessments by independent organizations. This provides DoD mission owners and authorized contractors the ability to use the Salesforce Government Cloud to manage Controlled Unclassified Information (CUI), including Personally Identifiable Information (PII) and Protected Health Information (PHI). This also includes data requiring protection from unauthorized disclosure and other mission-critical data. Additional information can be found at https://www.salesforce.com/solutions/industries/government/compliance/ and https://help.salesforce.com/articleView?id=000270080&language=en_US&type=1
Attestation of penetration tests and security assessments performed by third parties. The document does not contain details of any vulnerabilities or findings and is intended only to provide information on the tests performed and scope of testing. As verified by external audits, vulnerabilities discovered during testing are tracked and resolved in accordance with corporate policy and industry best practice.
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP program has helped to accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations across government agencies. FedRAMP leverages a standardized set of requirements, established in accordance with the Federal Information Security Management Act (FISMA), to improve consistency and confidence in the security of cloud solutions. Cloud Service Providers (CSP) that support U.S. government customers or operate on U.S. government information are responsible for complying with the requirements established by the FedRAMP program.
In May 2020 the Salesforce Government Cloud Plus achieved a provisional Authority to Operate (ATO) at the high impact level issued by the FedRAMP Joint Authorization Board (JAB).
Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/
In May 2014 the Salesforce Government Cloud achieved and has since maintained a FedRAMP Agency Authority to Operate (ATO) at the moderate impact level issued by U.S. Department of Health and Human Services (HHS).
Regulatory changes in the financial services industry are requiring financial professionals to be more transparent in the way they manage their clients’ investments. Financial Services Cloud combined with Salesforce Shield can support firms with visibility into interactions between clients, advisors, agents and teams. Financial services institutions can now rely on Salesforce to assist them in putting their clients’ best interests at the center of everything they do. Additional information can be found at https://www.salesforce.com/solutions/industries/financial-services/resources/
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data. We are committed to our customers’ success, including supporting them on their GDPR compliance journeys. Additional information can be found at https://www.salesforce.com/privacy/regions/
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. Customers who want to build healthcare applications on Salesforce that comply with US HIPAA can contact their account representative regarding a Business Associate Addendum.
HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. Additional information can be found at https://hitrustalliance.net
The Information Security Registered Assessors Program (iRAP) is an Australian Signals Directorate (ASD) initiative to provide high-quality information and communications technology (ICT) services to government in support of Australia’s security. iRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed iRAP Assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. iRAP Assessors may provide assessments up to the TOP SECRET level for cloud services and other systems. Additional information can be found at https://acsc.gov.au/infosec/irap/index.htm
Internal Revenue Service Publication 1075 (IRS Pub 1075) provides guidance to ensure the policies, practices, controls, and safeguards employed by recipient agencies, agents, or contractors adequately protect the confidentiality of Federal Tax Information (FTI).
The Salesforce Government Cloud Plus Service has been independently assessed by an outside auditor to meet IRS 1075 requirements while leveraging FedRAMP High baseline controls. The assessment included a rigorous review of Salesforce policy, procedures and technical implementations of FedRAMP and NIST SP 800-53, revision 4 and IRS 1075 required security controls as they applied to Salesforce Government Cloud Plus.
Customers that must meet IRS 1075 requirements should review the Salesforce Government Cloud Plus FedRAMP package and request the independent auditor’s Letter of Attestation – Internal Revenue Service (IRS) 1075 Compliance from their account representative.
The Information System Security Management and Assessment Program (ISMAP) is a program established to assess and register cloud services that meet security criteria defined by the Japanese government. The list of cloud services registered under ISMAP is published on the IPA web page (currently only available in Japanese).
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. These certifications run on a three-year cycle (recertification audits) with annual touch-point audits (surveillance audits) in between.
ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27002 and ISO 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers.
The International Organization for Standardization 27018 Standard (ISO 27018) covers privacy protections for the processing of personal information by cloud service providers.
NEN7510 provides specific controls supplementary to ISO27001 applicable to the Dutch healthcare sector and organizations processing Dutch healthcare data. Salesforce has engaged an independent third-party assessor to map the relevant NEN7510 controls against Salesforce’s existing certifications and controls. Additional information can be found at https://www.werkenmetnen7510.nl/achtergrond/wat-is-nen-7510
In October 2016, the U.S. Department of Defense (DoD) updated acquisition requirements for government contractors to provide more specific guidance in light of their continued use of cloud computing services as it relates to the transmission, storage, and processing of DoD controlled unclassified information (CUI). When cloud services containing CUI are part of a system operated on behalf of the U.S. Government, those cloud services must comply with the requirements defined in the DoD Cloud Computing Security Requirements Guide (SRG). When cloud services are part of a system not operated on behalf of the U.S. Government, those cloud services are expected to comply with the Moderate Impact requirements defined by the Federal Risk and Authorization Management Program (FedRAMP).
Since May 2014, Salesforce has maintained an agency FedRAMP authorization at the Moderate Impact level for the Salesforce Government Cloud. Further, as of January 2017, Salesforce was granted a Provisional Authorization for the Salesforce Government Cloud at Information Impact Level 4 (IL4) by the Defense Information Systems Agency (DISA).
In May 2020, Salesforce Government Cloud Plus received U.S. Government authorizations (as detailed at https://compliance.salesforce.com/en/services/government-cloud-plus) that may assist DoD mission owners and authorized contractors in their management of CUI, including Personal Identifiable Information (PII), Protected Health Information (PHI), and other mission-critical data requiring protection from unauthorized disclosure. Additional information can be found at https://www.salesforce.com/solutions/industries/government/overview/.
The Payment Card Industry Data Security Standards (PCI DSS) is a proprietary information security standard designed to ensure that companies processing, storing or transmitting payment card information maintain a secure environment. The PCI DSS applies to credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB. A third-party PCI Qualified Security Assessor (QSA) assesses company systems and processes on an annual basis and issues an Attestation of Compliance (AOC). Additional information can be found at https://www.pcisecuritystandards.org
PrivacyMark is a reputable privacy-centric certification in Japan that focuses on enhancing consumers’ awareness of personal information protection and increasing social trust from consumers and business partners. The requirements are based on JIS Q standards and are governed by JIPDEC (Japan Institute for Promotion of Digital Economy and Community). PrivacyMark is considered a Japanese equivalent of ISO 27001, and Salesforce has been certified since 2008. PrivacyMark is a legal entity-based program and it applies to salesforce.com Co., Ltd. The certificate document is available only in Japanese. Additional information can be found at https://privacymark.org
For certain Services, for which we act as a data processor, Salesforce has certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. For more details about the scope of the certification see here. The Privacy Shield frameworks were designed by the U.S. Department of Commerce, European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States, but have since been held by the Court of Justice of the European Union and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland to be invalid. Additional information can be found at https://www.privacyshield.gov/Program-Overview.
EU and Swiss personal data may however still be transferred to and within Salesforce’s services pursuant to Salesforce’s Processor Binding Corporate Rules and the European Commission’s standard contractual clauses, both of which are incorporated by reference into Salesforce’s Data Processing Addendum. For further information, please see our International Transfers of EU Personal Data to Salesforce’s Services document.
Binding Corporate Rules (or “BCRs”) are company-specific, group-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area to other countries. BCRs are based on strict privacy principles established by European Union data protection authorities and require intensive consultation with those authorities.
Salesforce has received approval from European data protection authorities for its Binding Corporate Rules (“Salesforce Processor BCR”). For more details about the scope of the Salesforce Processor BCR and applicable services, please see here. For additional information about the multiple legal transfer mechanisms which Salesforce has to help customers validate transfers of personal data, please see our Data Processing Addendum.
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 1 reports are primarily concerned with examining controls that are relevant for the financial reporting of customers. Additional information can be found at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report.html
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data. Additional information can be found at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 3 report covers the Security, Availability, and Confidentiality Trust Services Principles. Additional information can be found at https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc3report.html
Frequently Asked Questions, white papers and standard questionnaires from industry groups.
The Asia-Pacific Economic Cooperation (APEC) is a regional economic forum established in 1989, aimed at increasing prosperity for the region by promoting balanced, inclusive, sustainable, innovative and secure growth and accelerating regional economic integration. As part of this Cooperation, the APEC Privacy Framework was adopted. The Framework sets out a series of non-binding principles and implementation guidelines to ensure continued trade and economic growth and, in particular, the free flow of data.
Salesforce obtained its certification with TRUSTe. TRUSTe is approved to certify data transfer practices pursuant to the APEC CBPR and PRP systems. The TRUSTe APEC Processor Seal verifies Salesforce’s compliance with the APEC PRP system.
Additional information can be found at https://privacy.truste.com/privacy-seal/validation?rid=b5e42bbd-4d3e-4631-a14e-c04a441f1a4a and http://cbprs.org/compliance-directory/prp/
By displaying the TRUSTe Privacy Verified seal, Salesforce has demonstrated that our privacy programs, policies and practices meet the requirements of EU-U.S. Privacy Shield and/or Swiss-U.S. Privacy Shield. TRUSTe verifies compliance consistent with the requirements of the Privacy Shield Supplemental Principle on Verification. TRUSTe monitors ongoing compliance through annual recertifications and complaints received through the Privacy Feedback mechanism.
Additional information can be found at https://privacy.truste.com/privacy-seal/validation?rid=0a5802d6-2a9a-4865-9fe9-70e1140cf3b6
The UK Cyber Essentials Scheme was developed as part of the UK’s National Cyber Security Programme. This scheme is mandatory for UK central government contracts that involve handling personal data and providing certain ICT products and services. The UK Cyber Essentials Scheme is backed by UK industry, including the Federation of Small Businesses, the CBI and a number of insurance organizations offering incentives for businesses. UK Cyber Essentials Plus is a legal entity-based program and it applies to salesforce.com EMEA Ltd.