As data volumes continue to increase and the world becomes more interconnected through the power of technology, the need for greater guidance and protection of sensitive information grows.
Information security leaders across industries are constantly evaluating new ways to protect customers, businesses, and public entities through modern regulations and compliance standards. When organizations fall short of best practices and compliance measures for data privacy — otherwise misusing or neglecting protection of sensitive information — the potential for negative impact on the business has been made clear: loss of brand reputation, loss of customer loyalty, and, of course, steep fines and penalties.
Whether it be safeguarding medical information, protecting customers' financial health, defending governmental intelligence, or even tackling information sharing in the automotive industry, the nuances of each sector require individual attention. Both the private and public sectors are taking note and choosing vendors & partners that meet and exceed the specific compliance standards of their industry.
Elastic's hosted and self-managed products are built with security in mind and include features engineered to keep customer and organizational information safe. We work closely with industry experts and governing regulatory boards to adhere to sector-specific regulations. Our services are independently audited and confirmed to meet privacy and compliance standards for data security and privacy via our certifications and attestations. Here are just a few industry standards Elastic proudly maintains compliance with:
Elastic is certified as a PCI DSS Level 1 Service Provider.
The Payment Card Industry Data Security Standard (PCI DSS), is the gold standard within the payments industry. Governed by the PCI Security Standards Council (PCI SSC), it delivers a set of security standards for any organization which accepts, transmits, or stores any cardholder data. The model dictates that providers must maintain a vulnerability management program, implement strong access controls, regularly monitor and test networks, and follow other standards that cover technical and operational system components. Read on
Elastic is TISAX certified as a trusted partner with the “High” level of protection in Information Security and Data privacy domains.
The German Association of the Automotive Industry (VDA), in association with the European Network Exchange (ENX), created the Trusted Information Security Assessment Exchange (TISAX). TISAX provides a common information security assessment for internal analysis, evaluation of suppliers, and information exchange — enabling a confident ecosystem of suppliers, vendors, contractors, solution providers, OEMs, and automakers across the industry. Read on
Elastic maintains compliance with HIPAA standards.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), is a set of US privacy laws and data standards that govern the use of sensitive patient data. The law covers entities including healthcare providers, health plans, healthcare clearinghouses, and business associates. In order to comply with the HIPAA security standards, covered entities must ensure the confidentiality, integrity, and availability of all electronic protected health information. Data must be protected against anticipated security threats or impermissible use, and their workforce must certify compliance.
Elastic Cloud is authorized at the Moderate Impact level for the Federal Risk and Authorization Management Program.
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings in the US. The program was established in 2011 as a means to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA ,OMB Circular A-130, and FedRAMP policy.
Compliance is just the start
Our experienced team of security practitioners work across disciplines to ensure world-class security for our technology and company. We carefully vet each of our vendors and open source projects to ensure they meet the standards and compliance we’re committed to. We also partner with select Infrastructure as a Service (IaaS) providers that regularly undergo independent third-party audits to ensure the security of their services.
Learn more about Elastic’s compliance and industry information security standards such as CSA STAR, ISAE 3000, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2, and SOC 3. Also, ensure your Elasticsearch data is GDPR-compliant through our GDPR compliance page.