At Cloudflare, we prioritize initiatives that improve the security and privacy of our products and services. The security organization believes trust and transparency are foundational principles that are ingrained in what we build, the policies we set, and the data we protect. Many of our enterprise customers have stringent regulatory compliance obligations and require their cloud service providers like ourselves to provide assurance that we meet and exceed industry security standards. In the last couple of years, we’ve decided to invest in ways to make the evaluation of our security posture easier. We did so not only by obtaining recognized security certifications and reports in an aggressive timeline, but we also built a team that partners with our customers to provide transparency into our security and privacy practices.
Security Certifications & Reports
We understand the importance of providing transparency into our security processes, controls, and how our customers can continuously rely on them to operate effectively. Cloudflare complies with and supports the following standards:
SOC-2 Type II / SOC 3 (Service Organizations Controls) - Cloudflare maintains SOC reports that include the security, confidentiality, and availability trust principles. The SOC-2 report provides assurance that our products and underlying infrastructure are secure and highly available while protecting the confidentiality of our customer’s data. We engage with our third-party assessors on an annual basis, and the report provided to our customers covers a period of one full year.
ISO 27001:2013 (International Standards Organization) - Cloudflare’s ISO certification covers our entire platform including our edge network and core data centers. Customers can be assured that Cloudflare has a formal information security management program that adheres to a globally recognized standard.
PCI Data Security Standard (DSS) - Cloudflare engages with a QSA (qualified security assessor) on an annual basis to evaluate us as a Level 1 Merchant and a Service Provider. This way, we can assure our customers that we meet the requirements to transmit their payment data securely. As a service provider, our customers can trust Cloudflare’s products to meet requirements of the DSS and transmit cardholder data securely through our services.
HIPAA/HITECH Act (Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health - Covered healthcare entities that are leveraging our enterprise version of our security products to protect their application layer can be assured that Cloudflare can sign Business Associates Agreements (BAA).
188.8.131.52 Public DNS Resolver Privacy Examination - Cloudflare conducted a first-of-its-kind privacy examination by a leading accounting firm to determine whether the 184.108.40.206 resolver was effectively configured to meet Cloudflare’s privacy commitments. A public summary of the assessment can be found here.
Security Engagement Team
We understood that having security compliance certifications and reports would provide ease of mind when using our products, but we knew it may not be enough for those who are sending their most sensitive information through our services. We decided that it was paramount to build out a Security Engagement Team within our Security Organization. Our Security Engagement Team can work with our customer’s security and compliance functions to understand their regulatory and compliance landscape. They are here to understand our customer’s use cases, address concerns, and communicate asks and requests to our Validations, Risk, and Security Engineering Teams so we know what’s top of mind from our customers.
We strive to put trust first. The certifications and reports we obtain, the security features we build, the white papers, faqs, and documents that we create — we build all of these resources based on the needs of our customers. In the future, we will continue to listen closely to our customers, with the goal of continuously improving the security and privacy of our products and services.