Adobe Compliance Certifications, Standards, and Regulations

Adobe Service Offering	Completed certifications and attestations
Adobe-wide Security [7]	Assessed by TruSight Registered, Trusted Information Security Assessment Exchange (TISAX) [9] CSA STAR Level 1
Adobe-wide Privacy	General Data Protection Regulation (GDPR) California Consumer Privacy Act (CCPA)
Adobe-wide Accessibility	WCAG 2.1 level AA European Accessibility Act EN 301 549 V3.2.1 (2021-03) (Harmonized European Accessibility Standard) Section 508 of the Rehabilitation Act of 1973 (United States only) ISO 32000-2:2020 (PDF Standard) ISO 14289-1:2014 (PDF/UA) (PDF standard enhancement for accessibility)
Adobe Creative Cloud for enterprise [7] [8]	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored GLBA ready [1] FERPA ready [1]
Adobe Document Cloud - Acrobat Sign Solutions for enterprise and business	SOC 2– Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 IRAP Assessed [10] (Australia) ISMAP Registered (Japan) HIPAA ready [1] FDA 21 CFR Part 11 ready [1] EudraLex Volume 4 Annex 11 ready [1] PCI DSS V3.2.1 compliant merchant and service provider [3] Qualified Trust Service Provider (QTSP) for time stamps Microsoft 365 Certification GLBA ready [1] FERPA ready [1]
Adobe Document Cloud - Acrobat [6]	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored ISMAP Registered (Japan) GLBA ready [1] FERPA ready [1]
Adobe Document Cloud - Acrobat Services (APIs)	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored ISMAP Registered (Japan) GLBA ready [1] FERPA ready [1]
Adobe Experience Cloud (all solutions, except as noted) [2]	FedRAMP Tailored [4] SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 HIPAA ready (RTCDP B2P and B2C, AJO, CJA, and AEM Cloud Service only) [1] IRAP Assessed [10] GLBA ready [1] FERPA ready [1] TrustArc GDPR Privacy Practices Management Compliance Validation TrustArc APEC Privacy Recognition for Processors (PRP) Certification
Adobe Managed Services (Connect and Adobe Experience Manager (AEM) only)	FedRAMP Moderate [10] SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 Esquema Nacional de Seguridad (ENS) High (Spain) [5] IRAP Assessed [10] HIPAA ready [1] GLBA ready [1] FERPA ready [1]
Adobe Commerce Core	SOC 2-Type 2 (Security) PCI DSS 3.2.1 compliant service provider
Adobe Commerce on Cloud	SOC 2-Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 HIPAA Ready [1] GLBA ready [1] FERPA ready [1]
Adobe Marketo Engage and Measure	SOC 2-Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 HIPAA Ready (Adobe Marketo Engage only) [1]
Adobe Workfront	SOC 2-Type 2 (Security, Availability, & Confidentiality + HIPAA Security [1]) ISO 27001:2013 HIPAA Ready [1]
Adobe.com eCommerce	PCI DSS 3.2.1 compliant merchant
Adobe Learning Manager	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 27001:2013 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored GLBA ready [1] FERPA ready [1]
Adobe Frame.io	SOC 2–Type 2 (Security, Availability, & Confidentiality) Trusted Partner Network

[1] An Adobe service that is GLBA ready, FERPA ready, FDA 21 CFR Part 11 ready, EudraLex Volume 4 Annex 11 ready, or HIPAA ready means that the service can be used in a way that enables the customer to help meet its legal obligations related to the use of service providers. Ultimately, the customer is responsible for ensuring compliance with legal obligations, that the Adobe service meet its compliance needs, and that the customer secures the service appropriately. Under FERPA guidelines, Adobe can contractually agree to act as a “school official” when it comes to handling regulated student data and therefore enable our education customers to comply with FERPA requirements.

[2] Adobe Experience Cloud includes Adobe Advertising Cloud, Adobe Analytics, Audience Manager, Adobe Campaign, Adobe Experience Manager, Adobe Primetime, Adobe Target, Adobe Connect, Real-Time Customer Data Platform (RTCDP), Adobe Journey Optimizer (AJO), Customer Journey Analytics (CJA), and Adobe Experience Manager as a Cloud Service (AEMaaCS).

[3] PCI DSS compliance excludes Adobe Send & Track service.

[4] FedRAMP Tailored applies to Adobe Analytics and Adobe Campaign only.

[5] Applies to Adobe Experience Manager (AEM) only.

[6] Acrobat enterprise offerings comprise of "PDF services," which are web-enabled PDF tools that modify electronic documents and are certified in this section, and include: "Adobe Acrobat Pro," "Adobe Acrobat Standard," and "Acrobat for web and mobile."

[7] Does not apply to Frame.io by Adobe.

[8] Applies to both User Storage and Enterprise Storage configurations.

[9] Adobe is TISAX certified for select office locations.

[10] Applies to Customer Journey Analytics (CJA) Australia at Protected Level, Adobe Acrobat Sign Australia at Official Level (Official is same as Official Sensitive), and Adobe Experience Manager (AEM) Managed Service on the Adobe GovCloud Australia environment at Official Level (Official is same as Official Sensitive) only.