Adobe Compliance Certifications, Standards, and Regulations
 

Adobe Service Offering

Completed certifications and attestations

Adobe-wide

ISO 22301
Assessed by TruSight
Registered, Trusted Information Security Assessment Exchange (TISAX)
CSA STAR Level 1

Adobe Creative Cloud for enterprise

(NOTE: these certifications apply to both User Storage and Enterprise Storage configurations)

SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
FedRAMP Tailored
GLBA-Ready [1]
FERPA-Ready [1]

Adobe Document Cloud - Adobe Sign for Enterprise

SOC 2–Type 2 (Security, Availability, & Confidentiality + HIPAA Security)
ISO 27001:2013
FedRAMP Tailored/FedRAMP Moderate [in progress]
IRAP assessed at Official classification (Australia)
HIPAA-Ready [1]
GLBA-Ready [1]
FERPA-Ready [1]
FDA 21 CFR Part 11 compliant [1]
PCI DSS V3.2.1 compliant merchant and service provider [3]
Qualified Trust Service Provider (QTSP) offering eIDAS-compliant certificates
Microsoft 365 Certification

Adobe Document Cloud - PDF Services

SOC 2–Type 2 (Security, Availability, & Confidentiality) [7]
ISO 27001:2013 [7]
FedRAMP Tailored
GLBA-Ready [1]
FERPA-Ready [1]

Adobe Experience Cloud (all solutions) [2]

FedRAMP Tailored [5]
SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
GLBA-Ready [1]
TrustArc GDPR Privacy Practices Management Compliance Validation [4]

Adobe Managed Services (Connect and Adobe Experience Manager (AEM) [2] only)

FedRAMP Moderate
SOC 2–Type 2 (Security, Availability, & Confidentiality + HIPAA Security)
ISO 27001:2013
Esquema Nacional de Seguridad (ENS) High (Spain) [6]
IRAP assessed at Official classification (Australia) [6]
GLBA-Ready [1]
FERPA-Ready [1]
HIPAA-Ready [1]

Adobe Commerce

SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
PCI DSS 3.2.1 compliant service provider

Adobe Commerce Business Intelligence and Order Management

SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
GLBA-Ready [1]
FERPA-Ready [1]

Adobe Marketo Engage and Bizible

Adobe Workfront

SOC 2–Type 2 (Security, Availability, & Confidentiality + HIPAA Security)
ISO 27001:2013
HIPAA-Ready

Adobe.com eCommerce

PCI DSS 3.2.1 compliant merchant

Adobe Captivate Prime

SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
FedRAMP Tailored
GLBA-Ready [1]
FERPA-Ready [1]

Adobe Connect On-Demand

SOC 2–Type 2 (Security, Availability, & Confidentiality)
ISO 27001:2013
GLBA-Ready [1]

[1] An Adobe service that is GLBA-Ready, FERPA-Ready, FDA 21 CFR Part 11 compliant, or HIPAA-Ready means that the service can be used in a way that enables the customer to help meet its legal obligations related to the use of service providers. Ultimately, the customer is responsible for ensuring compliance with legal obligations, that the Adobe service meets its compliance needs, and that the customer secures the service appropriately. Under FERPA guidelines, Adobe can contractually agree to act as a “school official” when it comes to handling regulated student data and therefore to enable our education customers to comply with FERPA requirements.

[2] Adobe Experience Cloud includes Adobe Advertising Cloud, Adobe Analytics, Audience Manager, Adobe Campaign, Adobe Experience Manager, Adobe Primetime, Adobe Target, Adobe Connect, and Adobe Experience Platform.

[3] PCI DSS compliance excludes Adobe Send & Track service.

[4] Please view the independent GDPR Privacy Practices Validation Findings Letter from TrustArc for more information.

[5] FedRAMP Tailored applies to Adobe Analytics and Adobe Campaign only.

[6] Applies to Adobe Experience Manager (AEM) only.

[7] PDF Services API is included.

[8] Applies to Adobe Marketo Engage only.