Chat Now


Compliance without complication.

Our compliance department works with independent auditors and third-party organizations to meet the industry’s most stringent guidelines to provide you reports and information for your own compliance needs.

The physical and virtual controls of our facilities, network, and customer portal are an extension of your own, and we make it easy for you to get the information you need for your own audits.


You secure your infrastructure using your own internal controls, and you rely on us to do the same.

Stringent Controls

We work with independent auditors and organizations to meet the industry’s strictest guidelines.

Easy Access

Our compliance reports are made available to all customers via the customer portal.

To learn more about our compliance standards, chat with a member of our sales team.

SOC Reports

SoftLayer provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for services providers such as SoftLayer to safeguard their customers' data and information.

Customers may download the current SoftLayer SOC 1 and SOC 2 reports from the customer portal or contact our sales team. Our SOC 3 report is available for general use and can be accessed here: SoftLayer SOC 3 Report.

ISO 27001

ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments. The latest standard, ISO/IEC 27001:2013, was published on September 25, 2013 by by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.

In order to achieve ISO 27001:2013 certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This standard emphasizes the measurement and evaluation of how well an organization’s Information Security Management System (ISMS) is performing and also includes information security related controls based system along with other requirements.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27001 in every assessed data center: SoftLayer ISO 27001:2013 Certificate of Registration.

ISO 27017

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud services as well as implementation guidance for both cloud service providers and cloud service customers. ISO 27017 provides implementation guidance for relevant controls specified in ISO/IEC 27002 as well as additional controls and guidance that specifically relate to cloud services.

SoftLayer’s alignment with ISO 27017:2015 demonstrates that we have a highly sophisticated system of cloud-specific controls in place and that we are committed to being the best in IaaS, domestically and across the globe.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27017 in every assessed data center: SoftLayer ISO 27017:2015 Certificate of Registration.

ISO 27018

ISO 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

In particular, ISO 27018:2014 specifies guidelines based on ISO 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27018: SoftLayer ISO 27018:2014 Certificate of Registration.

MTCS Accredited Certificate

SoftLayer is certified at MTCS Level 2 under the SS 584:2015 standard for the Hong Kong and Singapore locations. This certification demonstrates SoftLayer's commitment to security in support of customers in Singapore and throughout the Asia-Pacific region. The SoftLayer platform is audited by a third-party security firm and meets all requirements for Level 2 of the SS 584:2015 standard.

Download MTCS Accredited Certificate.

Cloud Security Alliance – STAR Registrant

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR)—a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

Read SoftLayer's STAR Consensus Assessment Initiative Questionnaire

PCI Compliance

If you store or process credit card data then PCI Compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). We help our customers meet their PCI compliance needs by providing an Attestation on Compliance from an independent QSA. The Attestation on Compliance can be used in conjunction with our SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls. Customers and their auditors can use our reports to verify the PCI controls that are SoftLayer’s responsibility are met.

For more information about and assistance to achieve, certify, and maintain PCI compliance for your SoftLayer environment, please contact our sales team.

HIPAA Compliance

The U.S. Health Insurance Portability and Accountability Act covers the storing and processing of protected health information (PHI and e-PHI). Companies and individuals falling under HIPAA must implement a set of technical, administrative and physical controls which are designed to secure this protected health information. The SoftLayer cloud platform is designed to be HIPAA ready for these purposes, and to conform to the security settings the customer selects for their particular environment.

SoftLayer’s HIPAA ready Bluemix IaaS cloud platform is available to covered entities and business associates to support their HIPAA workloads. Clients should also be aware that SoftLayer regularly performs assessments of the HIPAA ready controls which apply to Bluemix IaaS, in order to test their effectiveness. In accordance with HIPAA, SoftLayer offers a standard Business Associate Agreement* to its clients who intend to place HIPAA workload in SoftLayer’s Bluemix IaaS cloud.

* Please note that SoftLayer’s managed services or public (multi-tenant) virtual hosting services are not designed to be HIPAA ready and so not proper repositories of PHI.

CJIS Standards

The Criminal Justice Information Systems (CJIS) Division is a division of the United States Department of Justice Federal Bureau of Investigation. CJIS Division created and published a Security Policy (CJISD-ITS-DOC-08140-5.4), which contains minimum information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

SoftLayer is approved and ready for CJI workloads. For more information about how to leverage SoftLayer for Criminal Justice Information workloads, download our guide on Leveraging SoftLayer for CJIS workloads.

EU Model Clauses

SoftLayer offers its customers the ability to choose precisely where to locate data, with data centers on five continents. For customers who wish to transfer data originating in the European Economic Area to a country outside the EEA, SoftLayer offers European Model Clauses in the form approved by the European Commission and European Union's data protection authorities. The European Model Clauses guarantee European customers that SoftLayer supports the necessary data privacy protections in every location on the globe.

For more information and delivery of the EU Model Clauses for your SoftLayer environment, please contact our sales team.

Privacy Shield

SoftLayer and IBM are approved members of the EU-US Privacy Shield Framework. This program was designed as a way for organizations to comply with the EU data protection requirements covering transfers of data from the European Union to the United States and associated processing activities. More information can be found at