
Okta Service Certifications

Okta complies with a range of industry-standard certifications and authorizations. Note: certifications listed below are specific to Workforce Identity Cloud (WIC). See https://auth0.com/security for Customer Identity Cloud (CIC).

SOC 2 Type II

Okta has certified its systems annually to AICPA SOC 2 Type II since 2012, successfully auditing the operational and security processes of our service and our company.  Customer Okta Admins can access the full SOC 2 Type II audit report on support.okta.com.

SOC 3

Both SOC 2 and SOC 3 reports are attestations that adhere to AICPA standards. While the SOC 2 report is restricted and can only be shared under NDA, the SOC 3 is a public report that can be shared freely. Okta’s SOC 3 report can be downloaded from here.


ISO 27001/27018/27017

Okta has been ISO 27001:2013 certified and ISO 27018:2019 compliant since 10/13/2015, and ISO 27017 compliant since 7/9/2020, demonstrating our expertise in securely managing information technology systems.

Okta’s ISO Certification can be verified at:
https://www.schellman.com/certificate-directory
by searching for Okta as the organization.

CSA STAR Level 2

Okta's ability to secure sensitive data in the cloud is further validated by its Cloud Security Alliance (CSA) Security, Trust, & Assurance Registry (STAR) Level 2 Attestation, certified since 6/1/2017.

To learn more about CSA STAR, click here.

FedRAMP High

Okta for Government High has had an official Federal Risk and Authorization Management Program (FedRAMP) High Authorization to Operate since 3/25/2023.

To learn more about FedRAMP, click here.

FedRAMP Moderate

Okta for Government Moderate has had an official Federal Risk and Authorization Management Program (FedRAMP) Moderate Authorization to Operate (ATO) since 4/26/2017.

To learn more about FedRAMP, click here.

Impact Level 4 (IL4) conditional Provisional Authorization (PA)

Okta for US Military obtained a conditional Provisional Authorization (PA) at Impact Level 4 (IL4) in May 2021 from the United States Defense Information Systems Agency (DISA) under the Department of Defense’s Cloud Computing Security Requirements Guide (CC SRG).

Okta’s DoD Impact Level 4 authorization permits Okta for US Military to be used as an on-demand identity and access management service for DoD-authorized IL5 environments. Any IL5 boundary utilizing Okta for US Military is still required to comply with the IL5 isolation requirements associated with its authorization boundary.

To learn more about Okta for US Military, click here.

IRAP (Protected)

The Information Security Registered Assessor Program (IRAP) provides customers with a robust process for the independent assessment of a system's security against Australian government policies and guidelines.

Okta achieved IRAP Protected certification status in February 2024. To learn more about IRAP, click here.

APEC PRP

Okta's Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) certification, valid since 7/23/2020, puts Okta among a small group of organizations that have demonstrated their ability to support cross-border data transfers for data controllers in Asia, Australia, and the Americas.

Okta’s APEC PRP Certification can be verified at:
https://www.schellman.com/apec-certificate-directory
by searching for Okta as the organization.

EU Cloud Code of Conduct Level 2

Okta’s covered services have been verified to be adherent to the European Union Cloud Code of Conduct (Cloud Code) for cloud service providers. Okta’s last assessment was performed in July 2023 by SCOPE Europe, an independent monitoring body. The Cloud Code is a mechanism for service providers to demonstrate their adherence to the requirements of Article 28 of the General Data Protection Regulation (as well as all relevant other Articles) for the cloud market.

Okta’s covered services are verified compliant with the EU Cloud CoC, Verification-ID: 2022LVL02SCOPE3112. For further information please visit https://eucoc.cloud/en/public-register.

To learn more about the Cloud Code, click here.

ENS High

The Esquema Nacional de Seguridad (ENS) High is a framework established by the Spanish government to ensure the security of information systems in public administrations and organizations dealing with sensitive data. It sets rigorous standards and guidelines for implementing robust security measures, encompassing aspects such as risk management, security policies, and technical controls. ENS High certification signifies that an organization has met the highest level of security requirements defined by the framework, demonstrating its commitment to protecting sensitive information and mitigating cybersecurity risks effectively.

Okta achieved ENS High certification status in March 2024. To learn more about ENS High, click here.

Helping you meet your compliance requirements

While Okta can’t solve every regulatory challenge, the Okta Cloud Service can help you work in accordance with the following compliance requirements:

HIPAA

Our HIPAA Compliant Service instance serves customers in the highly-regulated and security-conscious healthcare industry.

To learn more about HIPAA, click here.

EPCS

Since 3/22/2019, Okta Verify has been certified for healthcare institutions that require MFA for Electronic Prescription of Controlled Substances (EPCS) per United States Drug Enforcement Administration (DEA) regulation 21 CFR 1311.


PCI-DSS 3.2.1

Okta has a PCI Attestation of Compliance, and Okta MFA qualifies as a compliant multi-factor solution under current PCI-DSS requirements. This enables customers to use Okta as a supporting system for PCI compliance.

To learn more about PCI, click here.

GDPR

Okta’s IAM system provides a strong foundation for GDPR compliance and can help reduce your risk. You can learn more and download Okta’s GDPR-compliant DPA at https://www.okta.com/gdpr.


Sarbanes Oxley (SOX)

Okta’s tools help ensure that your SOX controls are in place and generating evidence for auditors. Our service gives your IT team a single location for all application provisioning and deprovisioning. We can also help you enforce password complexity requirements and provide single sign-on access, streamlining downstream audits.

NYDFS

Our IAM solutions can help you to comply with the access requirements specified in the constantly-evolving New York Department of Financial Services security regulations.

To learn more about NYDFS, click here.