Certifications and compliance resources

ISO/IEC 27001:2013 is an industry-wide accepted information security certification that focuses on the implementation of an Information Security Management System (ISMS) and security risk management processes. Cloudflare has been ISO 27001 certified since 2019 and the certificate is available to download from the Cloudflare dashboard.

ISO/IEC 27701:2019 is a new ISO privacy certification, implementing a comprehensive Privacy Information Management System (PIMS) aligned with various privacy regulations including the GDPR. Cloudflare has been ISO 27701 certified as a PII Processor and PII Controller since 2021 — read our blog below to learn more.

ISO/IEC 27018:2019 is an international privacy certification that extends an Information Security Management System (ISMS) to protect personal data when being processed in a public cloud. Cloudflare has been ISO 27018 certified since 2022 and the certificate is available to download from the Cloudflare dashboard.

Cloudflare maintains FedRAMP Moderate Agency authorization, allowing federal agencies to adopt Cloudflare's performance, security and Zero Trust solutions. Cloudflare for Government has been FedRAMP Authorized since 2022. For more information on Cloudflare's FedRAMP authorization, visit the FedRAMP marketplace

Cloudflare has undertaken the AICPA SOC 2 Type II certification to attest to Security, Confidentiality, and Availability controls in place in accordance to the AICPA Trust Service Criteria. Cloudflare's SOC 2 Type II report covers security, confidentiality, and availability controls to protect customer data and is available to download from the Cloudflare dashboard.

Cloudflare maintains PCI DSS Level 1 compliance and has been PCI compliant since 2014. Cloudflare's Web Application Firewall (WAF), Cloudflare Access, Content Delivery Network (CDN), Time Service, Workers, and Workers KV are PCI compliant solutions. Cloudflare is audited annually by a third-party Qualified Security Assessor QSA. Cloudflare's Attestation of Compliance is available to download from the Cloudflare dashboard.

Cloudflare's dashboard completes Voluntary Product Accessibility Template (VPAT) in compliance with international standards set forth by the Web Content Accessibility Guidelines (WCAG) 2.1 AA and in conformance with legal standards set forth by Section 508 of the Rehabilitation Act.

Cloud Computing Compliance Criteria Catalogue (C5:2020) is an auditing standard created by Germany's Federal Office for Information Security (BSI). The C5 standard ensures cloud service providers adhere to a baseline of information security criteria. The C5 report covers security controls to protect customer data and is available to download from the Cloudflare dashboard.

The EU Cloud Code of Conduct is an officially approved GDPR Article 40 Code of Conduct. Adherence to the code means that Cloudflare commits to implementing data protection policies and security measures that align to the GDPR. Cloudflare services are verified compliant with the EU Cloud CoC, Verification-ID: 2023LVL02SCOPE4316. For further information, please visit https://eucoc.cloud/en/public-register.

On April 1, 2018, we took a big step toward improving Internet privacy and security with the launch of the 1.1.1.1 public DNS resolver - the Internet's fastest, privacy-first public DNS resolver. Cloudflare conducted a first-of-its-kind privacy examination by a Big Four accounting firm to determine whether the 1.1.1.1 resolver was effectively configured to meet Cloudflare’s privacy commitments. See below for more information.

Cloudflare has been recognized by the German government's Federal Office for Information Security as an qualified provider of DDoS mitigation services. Download this qualification to learn more.