Compliance programs and certifications

Our Commitment to Compliance

At Sitecore, protecting customer data is fundamental to how we build, deliver, and support our cloud-based products and services. We are committed to upholding the highest standards of security, privacy, and regulatory compliance across our global operations.

To demonstrate this commitment, Sitecore maintains a portfolio of certifications and compliance programs aligned with internationally recognized standards, including ISO/IEC 27001, SOC 2 Type II, and the programs listed below. Where a program provides for independent certification or attestation, compliance is confirmed by accredited third-party assessors; other programs listed here are alignments or self-assessments, and each entry states which applies. Together they reflect Sitecore’s continued investment in the people, processes, and technologies that protect customer data and support its global cloud-based services.

Customers and partners should review the current list of certifications below to understand the scope, assurance level (certification, attestation, assessment, or self-assessment), and product coverage of each compliance program before relying on it for their own obligations.


ISO/IEC 27001:2022 – Information Security Management Systems (ISMS)

Sitecore’s Information Security Management System (ISMS) is certified to ISO/IEC 27001:2022, the internationally recognized standard for information security management. The certification confirms a structured, risk-based approach to protecting information assets, with people, processes, and technologies across the organization working together to safeguard data. Under this framework Sitecore implements and maintains controls that uphold the confidentiality, integrity, and availability (CIA) of customer data across its cloud environments, and the standard’s requirement for ongoing surveillance audits and periodic recertification demonstrates continual improvement.

Region: Global
ISO/IEC 27017:2015 – Code of Practice for Cloud Security

To strengthen its cloud security posture, Sitecore implements the controls in ISO/IEC 27017:2015, which extends ISO/IEC 27002 with guidance specific to cloud service providers and cloud service customers. This aligns Sitecore’s controls with accepted practice for public cloud environments and addresses cloud-specific concerns such as the division of security responsibilities between provider and customer.

Region: Global
ISO/IEC 27018:2019 – Protection of PII in Public Cloud

Sitecore aligns with ISO/IEC 27018:2019, the code of practice for protecting personally identifiable information (PII) processed in public cloud environments. As a provider of cloud services, Sitecore acts as a data processor and implements privacy controls for transparency and lawful processing that support customers’ obligations under data protection laws such as the GDPR and the CCPA.

Region: Global
CSA STAR Certification – Cloud Security Alliance Security, Trust & Assurance Registry

Sitecore holds the CSA STAR Certification, an independent third-party assessment that combines ISO/IEC 27001:2022 with the Cloud Security Alliance’s Cloud Controls Matrix (CCM). The certification evaluates the maturity and effectiveness of Sitecore’s cloud security and privacy practices across CCM domains such as identity and access management, encryption and key management, threat and vulnerability management, and security incident management. The resulting entry in the CSA STAR Registry gives customers and stakeholders a public, verifiable record of Sitecore’s cloud security assurance.

Region: Global
PCI DSS SAQ-D – Payment Card Industry Data Security Standard (Self-Assessment Questionnaire D)

Sitecore aligns with the PCI DSS SAQ-D requirements to support the secure handling of cardholder data within applicable services. SAQ-D is the most comprehensive of the PCI DSS self-assessment questionnaires, used by merchants and service providers that store, process, or transmit cardholder data and do not qualify for a narrower questionnaire. Because it is a self-assessment rather than an assessor-led Report on Compliance, customers with their own PCI DSS obligations should confirm with Sitecore how the covered services fit within their cardholder data environment.

Note: PCI DSS SAQ-D applies only to Platform DXP (MC, XP, XM, XC) and Storefront by Four51. Other Sitecore products are outside PCI DSS scope.

Region: Global
SOC 1 Type II – System and Organization Controls (SSAE 18)

Sitecore undergoes SOC 1 Type II audits under the AICPA’s SSAE 18 attestation standard. A SOC 1 report provides independent assurance over the design and operating effectiveness, across the audit period, of Sitecore’s controls that are relevant to customers’ internal control over financial reporting.

Region: Global
SOC 2 Type II – System and Organization Controls (SSAE 18)

Sitecore undergoes regular SOC 2 Type II audits under the AICPA’s SSAE 18 attestation standard. These independent assessments test both the design and the operating effectiveness of Sitecore’s controls over the audit period against the Trust Services Criteria for security, availability, and confidentiality, showing how customer data is managed in production environments rather than at a single point in time.

Region: Global
HIPAA – Health Insurance Portability and Accountability Act

For organizations in the U.S. healthcare sector, Sitecore aligns with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA has no formal certification scheme; Sitecore implements administrative, physical, and technical safeguards for protected health information (PHI / ePHI) and supports healthcare customers’ obligations under the HIPAA Privacy and Security Rules when it acts as a business associate under a business associate agreement.

Region: Americas
TISAX – Trusted Information Security Assessment Exchange

Sitecore supports the TISAX (Trusted Information Security Assessment Exchange) requirements of customers in the automotive sector. TISAX assessments are based on the VDA ISA catalogue, which is derived from ISO/IEC 27001, and cover the secure handling of sensitive data and intellectual property. This alignment enables secure collaboration across regulated automotive supply chains.

Region: Europe
IRAP – Information Security Registered Assessors Program

Sitecore undergoes assessments under the Information Security Registered Assessors Program (IRAP) against the Australian Government Information Security Manual (ISM). The assessment confirms that Sitecore’s cloud environments meet the ISM controls required to support sensitive workloads for Australian public sector organizations.

Region: Asia Pacific
Data Privacy Framework – EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF

Sitecore complies with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. These frameworks were developed by the U.S. Department of Commerce together with the European Commission, the UK Government, and the Swiss Federal Administration respectively, to give U.S. organizations a reliable mechanism for transferring personal data from the European Union, the United Kingdom, and Switzerland to the United States while maintaining data protection consistent with EU, UK, and Swiss law. DPF participation is a self-certification; Sitecore’s status can be verified on the Data Privacy Framework List published by the U.S. Department of Commerce.

Region: Europe and United States

Why It Matters

Sitecore’s adherence to these security and compliance standards supports its role as a trusted provider for regulated industries, including aviation, automotive, finance, government, healthcare, pharma, and retail, and helps customers deliver secure, personalized digital experiences.

For more information, please visit the Sitecore Legal Hub to explore our DPA, SLA and FAQ.