Okta Service Certifications
Okta complies with a range of industry-standard certifications and authorizations. Note: certifications listed below are specific to Workforce Identity Cloud (WIC). See https://auth0.com/security for Customer Identity Cloud (CIC).
SOC 2 Type II
Okta has certified its systems annually to AICPA SOC 2 Type II since 2012, successfully auditing the operational and security processes of our service and our company. Customer Okta Admins can access the full SOC 2 Type II audit report on support.okta.com.
Both SOC 2 and SOC 3 reports are attestations that adhere to AICPA standards. While the SOC 2 report is restricted and can only be shared under NDA, the SOC 3 is a public report that can be shared freely. Okta’s SOC3 report can be downloaded from here.
Okta is ISO 27001:2013 certified and ISO 27018:2019 compliant since 10/13/2015, and ISO 27017 compliant since 7/9/2020, proving our expertise in securely managing information technology systems.
Okta’s ISO Certification can be verified at:
by searching for Okta as the organization.
Impact Level 4 (IL4) conditional Provisional Authorization (PA)
Okta for US Military obtained a conditional Provisional Authorization (PA) at Impact Level 4 (IL4) in May 2021 from the United States Defense Information Systems Agency (DISA) under the Department of Defense’s Cloud Computing Security Requirements Guide (CC SRG).
Okta’s DoD Impact Level 4 authorization permits Okta for US Military to be used as an on-demand identity and access management services for DoD authorized IL5 environments. Any IL5 boundary utilizing Okta for US Military is still required to comply with the IL5 isolation requirements associated with their authorization boundary.
To learn more about Okta for US Military, click here.
Okta’s covered services have been verified to be adherent to the European Union Cloud Code of Conduct (Cloud Code) for cloud service providers. Okta’s last assessment was performed in July 2023 by SCOPE Europe, an independent monitoring body. The Cloud Code is a mechanism for service providers to demonstrate their adherence to the requirements of Article 28 of the General Data Protection Regulation (as well as all relevant other Articles) for the cloud market.
Okta’s covered services are verified compliant with the EU Cloud CoC, Verification-ID: 2022LVL02SCOPE3112. For further information please visit https://eucoc.cloud/en/public-register.
To learn more about the Cloud Code, click here.
Okta's Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) certification, valid since 7/23/2020, puts Okta among a small group of organizations that have demonstrated their ability to support cross-border data transfers for data controllers in Asia, Australia, and the Americas.
Okta’s APEC PRP Certification can be verified at:
by searching for Okta as the organization.
Helping you meet your compliance requirements
While Okta can’t solve every regulatory challenge, the Okta Cloud Service can help you work in accordance with the following compliance requirements:
Our HIPAA Compliant Service instance serves customers in the highly-regulated and security-conscious healthcare industry.
To learn more about HIPAA, click here.
Since 3/22/2019, Okta Verify is certified for healthcare institutions who require MFA for Electronic Prescription of Controlled Substances (EPCS) per United States Drug Enforcement Administration (DEA) regulations 21 CFR 1311.
Okta has a PCI Attestation of Compliance, and Okta MFA qualifies as a compliant multi-factor solution under current PCI-DSS requirements. This enables customers to use Okta as a supporting system for PCI compliance.
To learn more about PCI, click here.
Okta’s IAM system provides a strong foundation for GDPR compliance and can help reduce your risk. You can learn more and download Okta’s GDPR-compliant DPA at https://www.okta.com/gdpr.
Sarbanes Oxley (SOX)
Okta’s tools help ensure that your SOX controls are in place and generating evidence for auditors. Our service gives your IT team a single location for all application provisioning and deprovisioning. We can also help you enforce password complexity requirements and provide single sign-on access, streamlining downstream audits.
Our IAM solutions can help you to comply with the access requirements specified in the constantly-evolving New York Department of Financial Services security regulations.
To learn more about NYDFS, click here.