Chat Now


Compliance without complication.

Our compliance department works with independent auditors and third-party organizations to meet the industry’s most stringent guidelines to provide you reports and information for your own compliance needs.

The physical and virtual controls of our facilities, network, and customer portal are an extension of your own, and we make it easy for you to get the information you need for your own audits.


You secure your infrastructure using your own internal controls, and you rely on us to do the same.

Stringent Controls

We work with independent auditors and organizations to meet the industry’s strictest guidelines.

Easy Access

Our compliance reports are made available to all customers via the customer portal.

To learn more about our compliance standards, chat with a member of our sales team.

SOC Reports

SoftLayer provides SOC 1, SOC 2 and SOC 3 reports. These reports evaluate SoftLayer's operational controls with respect to criteria set by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The Trust Services Principles define adequate control systems and establish industry standards for services providers such as SoftLayer to safeguard their customers' data and information.

Customers may download the current SoftLayer SOC 1 and SOC 2 reports from the customer portal or contact our sales team. Our SOC 3 report is available for general use and can be accessed here: SoftLayer SOC 3 Report.

ISO 27001

ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments. The latest standard, ISO/IEC 27001:2013, was published on September 25, 2013 by by the International Organization of Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee.

In order to achieve ISO 27001:2013 certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This standard emphasizes the measurement and evaluation of how well an organization’s Information Security Management System (ISMS) is performing and also includes information security related controls based system along with other requirements.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27001 in every assessed data center: SoftLayer ISO 27001:2013 Certificate of Registration.

ISO 27017

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provisioning and use of cloud services as well as implementation guidance for both cloud service providers and cloud service customers. ISO 27017 provides implementation guidance for relevant controls specified in ISO/IEC 27002 as well as additional controls and guidance that specifically relate to cloud services.

SoftLayer’s alignment with ISO 27017:2015 demonstrates that we have a highly sophisticated system of cloud-specific controls in place and that we are committed to being the best in IaaS, domestically and across the globe.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27017 in every assessed data center: SoftLayer ISO 27017:2015 Certificate of Registration.

ISO 27018

ISO 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.

In particular, ISO 27018:2014 specifies guidelines based on ISO 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

The SoftLayer platform is audited by a third-party security firm and meets all requirements for ISO 27018: SoftLayer ISO 27018:2014 Certificate of Registration.

Cloud Security Alliance – STAR Registrant

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the Cloud Security Alliance uses in pursuit of its mission is the Security, Trust, and Assurance Registry (STAR)—a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

Read SoftLayer's STAR Consensus Assessment Initiative Questionnaire

PCI Compliance

If you store or process credit card data then PCI Compliance and network security are of primary concern to your business. To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation from a third-party Qualified Service Assessor (QSA). We help our customers meet their PCI compliance needs by providing an Attestation on Compliance from an independent QSA. The Attestation on Compliance can be used in conjunction with our SOC 2 report and ISO 27001 certification to demonstrate that the infrastructure meets the PCI controls. Customers and their auditors can use our reports to verify the PCI controls that are SoftLayer’s responsibility are met.

For more information about and assistance to achieve, certify, and maintain PCI compliance for your SoftLayer environment, please contact our sales team.

HIPAA Compliance

The U.S. Health Insurance Portability and Accountability Act requires specific security controls for businesses that store or process protected health information online. The SoftLayer cloud platform meets all of the necessary requirements for HIPAA on the data center/service provider side.

For more information about and assistance to achieve, certify, and maintain HIPAA compliance for your SoftLayer environment, please contact our sales team.

EU Model Clauses

SoftLayer offers its customers the ability to choose precisely where to locate data, with data centers on five continents. For customers who wish to transfer data originating in the European Economic Area to a country outside the EEA, SoftLayer offers European Model Clauses in the form approved by the European Commission and European Union's data protection authorities. The European Model Clauses guarantee European customers that SoftLayer supports the necessary data privacy protections in every location on the globe.

For more information and delivery of the EU Model Clauses for your SoftLayer environment, please contact our sales team.

Note Regarding Safe Harbor: On October 6, 2015, the EU Courts invalidated the Safe Harbor program. If you are a prospective SoftLayer EU/EEA customer, or are a current customer and have previously relied on SoftLayer’s Safe Harbor certification we offer the standard European Model Clause agreement approved by the European Commission for transfers of personal data from Europe to the United States. More Information: IBM Statement on Safe Harbor Ruling