SOC 2 Type II

Okta has certified its systems annually to AICPA SOC 2 Type II since 2012, successfully auditing the operational and security processes of our service and our company.  Customer Okta Admins can access the full SOC 2 Type II audit report on support.okta.com.

SOC 3

Both SOC 2 and SOC 3 reports are attestations that adhere to AICPA standards. While the SOC 2 report is restricted and can only be shared under NDA, the SOC 3 is a public report that can be shared freely. Okta’s SOC3 report can be downloaded from here.

 

ISO 27001/27018/27017

Okta is ISO 27001:2013 certified and ISO 27018:2019 compliant since 10/13/2015, and ISO 27017 compliant since 7/9/2020, proving our expertise in securely managing information technology systems.

Okta’s ISO Certification can be verified at:
https://www.schellman.com/certificate-directory
by searching for Okta as the organization.

CSA STAR Level 2

Okta's ability to secure sensitive data in the cloud is further validated by its Cloud Security Alliance (CSA) Security, Trust, & Assurance Registry (STAR) Level 2 Attestation, certified since 6/1/2017.

To learn more about CSA STAR, click here.

FedRAMP Moderate

Okta has had an official authorized status with the Federal Risk and Authorization Management Program (FedRAMP) Moderate since 4/26/2017.

To learn more about FedRAMP, click here.

Impact Level 4 (IL4) conditional Provisional Authorization (PA)

Okta for US Military obtained a conditional Provisional Authorization (PA) at Impact Level 4 (IL4) in May 2021 from the United States Defense Information Systems Agency (DISA) under the Department of Defense’s Cloud Computing Security Requirements Guide (CC SRG).

To learn more about Okta for US Military, click here.

EU Cloud Code of Conduct Level 2

Okta’s covered services have been verified to be adherent to the European Union Cloud Code of Conduct (Cloud Code) for cloud service providers. Okta’s last assessment was performed in July 2022 by SCOPE Europe, an independent monitoring body. The Cloud Code is a mechanism for service providers to demonstrate their adherence to the requirements of Article 28 of the General Data Protection Regulation (as well as all relevant other Articles) for the cloud market.

Okta’s Cloud Code adherence can be verified through SCOPE Europe’s Public Register, available at: https://eucoc.cloud/en/public-register/list-of-adherent-services

To learn more about the Cloud Code, click here.

APEC PRP

Okta's Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) certification, valid since 7/23/2020, puts Okta among a small group of organizations that have demonstrated their ability to support cross-border data transfers for data controllers in Asia, Australia, and the Americas.

Okta’s APEC PRP Certification can be verified at:
https://www.schellman.com/apec-certificate-directory
by searching for Okta as the organization.

HIPAA

Our HIPAA Compliant Service instance serves customers in the highly-regulated and security-conscious healthcare industry.

To learn more about HIPAA, click here.

EPCS

Since 3/22/2019, Okta Verify is certified for healthcare institutions who require MFA for Electronic Prescription of Controlled Substances (EPCS) per United States Drug Enforcement Administration (DEA) regulations 21 CFR 1311.

 

PCI-DSS 3.2.1

Okta has a PCI Attestation of Compliance, and Okta MFA qualifies as a compliant multi-factor solution under current PCI-DSS requirements. This enables customers to use Okta as a supporting system for PCI compliance.

To learn more about PCI, click here.

GDPR

Okta’s IAM system provides a strong foundation for GDPR compliance and can help reduce your risk. You can learn more and download Okta’s GDPR-compliant DPA at https://www.okta.com/gdpr.

 

 

Sarbanes Oxley (SOX)

Okta’s tools help ensure that your SOX controls are in place and generating evidence for auditors. Our service gives your IT team a single location for all application provisioning and deprovisioning. We can also help you enforce password complexity requirements and provide single sign-on access, streamlining downstream audits.

NYDFS

Our IAM solutions can help you to comply with the access requirements specified in the constantly-evolving New York Department of Financial Services security regulations.

To learn more about NYDFS, click here.