IBM Cloud Docs
Compliance

IBM® Cloudant® for IBM Cloud® provides a trustworthy and secure cloud database system. The service is built on best-in-industry standards, including ISO 27001:2013.

Tier-1 physical systems

IBM Cloudant DBaaS is physically hosted on Tier-1 cloud infrastructure providers such as IBM Cloud® and Amazon, so your data inherits the physical and network security controls that those providers operate at the hosting layer. Controls above that layer (who can read which database, what is stored in clear, how long it is retained) remain the responsibility of the service and of you as the customer, as the PCI section below makes explicit.

General Data Protection Regulation (GDPR)

The GDPR creates a harmonized data protection law framework across the EU. It aims to give EU citizens control over their personal data, while imposing strict rules on any entity that hosts or "processes" that data, wherever in the world it is located. The Regulation also introduces rules on the free movement of personal data within and outside the EU. For more information, see the IBM privacy statement.

HIPAA

IBM Cloudant meets the required IBM controls that are commensurate with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Privacy Rule requirements. These requirements include the appropriate administrative, physical, and technical safeguards required of Business Associates in 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA support must be requested at the time of provisioning and applies to the IBM Cloudant Enterprise plan, the IBM Cloudant on IBM Cloud Dedicated plan, and the IBM Cloudant Dedicated Hardware plan on IBM Cloud. Contact your sales representative to sign a Business Associate Addendum (BAA) with IBM.

International Organization for Standardization (ISO)

IBM Cloudant and IBM Cloudant Dedicated Cluster are audited by a third-party security firm and meet ISO 27001, ISO 27017, and ISO 27018 requirements. For more information, see the IBM Cloudant Compliance page for links to the certificates. The following descriptions on the IBM Cloudant Compliance page cover the IBM Cloudant service and respective certifications:

  • IBM Cloud Services (PaaS and SaaS) certified cloud product listing
  • IBM Cloud Services (PaaS and SaaS) certificate - ISO 27001
  • IBM Cloud Services (PaaS and SaaS) certificate - ISO 27017
  • IBM Cloud Services (PaaS and SaaS) certificate - ISO 27018

PCI

The following IBM Cloudant plans are compliant with the Payment Card Industry Data Security Standard (PCI DSS):

  • Multi-tenant Lite
  • Standard
  • Standard plan instances that are deployed on Dedicated Hardware plan environments

IBM Cloud completes annual PCI DSS assessments by using an approved Qualified Security Assessor (QSA), and the resulting Attestations of Compliance (AOCs) and Service Responsibility Matrix guides are available upon customer request. Auditors reviewed IBM Cloudant for compliance under PCI DSS version 3.2.1 at Service Provider Level 1.

If you intend to store sensitive information in an IBM Cloudant database, you must use client-side encryption: encrypt the value before it leaves your application, with keys that are managed outside IBM Cloudant, so that the data is unreadable to IBM Cloudant operators and to anyone who obtains read access to the database. For example, for PCI DSS compliance, you must encrypt the Primary Account Number (PAN) before sending a document that contains it to the database. Because the service only ever sees ciphertext, it cannot index or query the encrypted value; keep any attribute you need to search on in a separate field that is permitted in clear, such as the truncated PAN.

Customers are responsible for the storing, processing, and transmission of their cardholder data, and can create cardholder data environments (CDEs) that can store, transmit, or process cardholder data by using IBM Cloudant. Customers can use the IBM Cloud AOCs and SRM guides when they seek their own PCI DSS certifications. It is the responsibility of the customer to document and operate CDEs and applications that are built by using IBM Cloud Platform services in a PCI DSS-compliant manner.

IBM Cloudant documentation on service security and deletion of data covers methods to manage cardholder data within the environment in accordance with PCI requirements. It is the customer's responsibility to become familiar with these processes and to manage data retention and removal from the service according to the customer's own policies. To make that possible, no cardholder data may be used in an IBM Cloudant document ID: a document ID cannot be encrypted, cannot be changed after creation, appears in request URLs and therefore in logs, and remains in the deletion tombstone after the document itself is deleted. If PAN data is to be stored in IBM Cloudant, it must be rendered unreadable (in accordance with PCI DSS Requirement 3.4) before transmission to the IBM Cloudant service.
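The two preceding paragraphs (encrypt the PAN client-side before it is sent, and keep cardholder data out of the document ID) are shown together in the following example. It is an added illustration, not code from IBM Cloudant or the IBM Cloud documentation: the field names, the `card:` ID prefix, the hypothetical key service referred to by `key_id`, and the test PAN are all this example's own choices. It validates the PAN, generates a random document ID, encrypts the PAN with AES-256-GCM using the document ID as associated data (so a ciphertext copied into another document fails to decrypt), and refuses caller-supplied IDs that contain the PAN or any PAN-like digit run. The JSON it produces is what would be sent to Cloudant; the key never is.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// CardDoc is the JSON body sent to Cloudant. The PAN only ever appears as
// AES-256-GCM ciphertext; the field names are this example's own.
type CardDoc struct {
	ID            string `json:"_id"`
	Customer      string `json:"customer"`
	Last4         string `json:"last4"`          // truncated PAN, kept in clear for lookup/display
	PANCiphertext string `json:"pan_ciphertext"` // base64(nonce || ciphertext || GCM tag)
	KeyID         string `json:"key_id"`         // names the key in an external key service (assumed)
}

var (
	panDigits = regexp.MustCompile(`^[0-9]{13,19}$`) // plausible PAN lengths
	panRun    = regexp.MustCompile(`[0-9]{13,}`)     // PAN-like digit run inside a larger string
)

// luhnValid is the standard check-digit test applied to a PAN.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// normalizePAN strips spaces and rejects anything that is not a plausible PAN.
func normalizePAN(pan string) (string, error) {
	d := strings.ReplaceAll(pan, " ", "")
	if !panDigits.MatchString(d) || !luhnValid(d) {
		return "", errors.New("not a valid PAN")
	}
	return d, nil
}

// newDocID returns a random identifier that carries no cardholder data.
func newDocID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "card:" + hex.EncodeToString(b), nil
}

// encryptPAN seals pan under a 32-byte key with AES-256-GCM, bound to aad.
func encryptPAN(key []byte, pan string, aad []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag to the nonce, giving nonce || ct || tag.
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(pan), aad)), nil
}

// decryptPAN reverses encryptPAN; it fails on a wrong key, wrong aad or tampering.
func decryptPAN(key []byte, b64 string, aad []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BuildCardDoc validates the PAN, picks (or checks) the document ID and encrypts
// the PAN with the document ID as associated data. An empty docID means "generate one".
func BuildCardDoc(key []byte, keyID, customer, pan, docID string) (CardDoc, error) {
	d, err := normalizePAN(pan)
	if err != nil {
		return CardDoc{}, err
	}
	if docID == "" {
		if docID, err = newDocID(); err != nil {
			return CardDoc{}, err
		}
	} else if strings.Contains(docID, d) || panRun.MatchString(docID) {
		return CardDoc{}, errors.New("document ID must not contain cardholder data")
	}
	ct, err := encryptPAN(key, d, []byte(docID))
	if err != nil {
		return CardDoc{}, err
	}
	return CardDoc{ID: docID, Customer: customer, Last4: d[len(d)-4:], PANCiphertext: ct, KeyID: keyID}, nil
}

// RecoverPAN is the client-side read path: fetch the document from Cloudant, then decrypt locally.
func RecoverPAN(key []byte, doc CardDoc) (string, error) {
	return decryptPAN(key, doc.PANCiphertext, []byte(doc.ID))
}

func main() {
	key := make([]byte, 32) // demo key; in practice obtained from a key service, never stored in Cloudant
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// 4111 1111 1111 1111 is a constructed, well-known test number, not a real card.
	doc, err := BuildCardDoc(key, "kms-key-v1", "cust-42", "4111 1111 1111 1111", "")
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(doc)
	fmt.Println(string(body)) // the document as Cloudant receives it: no plaintext PAN
	pan, err := RecoverPAN(key, doc)
	fmt.Println(pan, err)
}
```

The design choice worth noting is the associated data: binding the ciphertext to `_id` means an attacker with write access cannot transplant an encrypted PAN into a document they control and have the application decrypt it there. Key rotation is handled by `key_id`, not by anything in the database.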

A full list of PCI DSS-ready IBM Cloud Platform services, and the options for requesting a PCI DSS AOC and SRM guide, can be found on the IBM Cloud compliance page.

SOC 2 Type 2 Certification

IBM provides a System and Organization Controls (SOC) 2 Type 2 report for IBM Cloudant. The report evaluates IBM's operational controls against the Trust Services Criteria set by the American Institute of Certified Public Accountants (AICPA); unlike a Type 1 report, which describes controls at a point in time, a Type 2 report attests that the controls operated effectively over the audit period. The Trust Services Criteria define adequate control systems and establish industry standards for service providers such as IBM Cloud to safeguard their customers' data and information.

You can request a SOC 2 Type 2 report from the Customer portal or contact your sales representative. Alternatively, you can open a support ticket with IBM Cloud Support.