Object Storage Service: Compliance certifications

Last Updated: Mar 20, 2026

OSS holds certifications across global security standards, financial regulations, and region-specific frameworks. Use the tables below to identify which certifications apply to your industry or region, then contact Alibaba Cloud to obtain the corresponding audit reports or certificates.

To request audit reports and certificates, contact Alibaba Cloud support or visit the Alibaba Cloud Compliance Center.

Global security and privacy

| Certification | What it covers |
| --- | --- |
| ISO 9001 | Quality management system (QMS) requirements for organizations delivering products and services that meet customer expectations and applicable regulations. |
| ISO 20000 | Service management system (SMS) standard specifying requirements for planning, establishing, operating, monitoring, and improving a service management system. |
| ISO 22301 | Business continuity standard for establishing integrated management procedures to identify, protect against, and recover from business disruptions. |
| ISO/IEC 27001 | Framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to protect privacy information and reduce threats. |
| ISO/IEC 27017 | Cloud-specific extension to ISO/IEC 27002, providing additional information security controls and implementation guidance for cloud services. |
| ISO/IEC 27018 | Personally identifiable information (PII) standard establishing control objectives, controls, and guidelines for protecting PII in cloud environments, based on ISO/IEC 27002. |
| ISO/IEC 29151 | Practical guidelines for securing personal privacy, mitigating compliance risks, and meeting PII protection and security assessment requirements. |
| CSA STAR | Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) certification, built on ISO/IEC 27001 and evaluated using the BSI maturity model. Provides third-party attestation of cloud security management and technical capabilities. See the CSA STAR website. |
| SOC 1, SOC 2, and SOC 3 | Cloud Service Organization Controls (SOC) reports issued by an independent third-party auditor. The reports document key controls and control objectives, helping you assess Alibaba Cloud's internal control mechanisms and manage outsourcing risks. |
| BS 10012 | Personal information management system standard aligned to General Data Protection Regulation (GDPR) best practices, specifying requirements for using personal information appropriately while protecting individual privacy. |

Financial industry

| Certification | What it covers |
| --- | --- |
| Cohasset Associates compliance assessment | Independent certification that OSS meets electronic record-keeping requirements for financial services, including Securities and Exchange Commission (SEC) 17a-4(f), Financial Industry Regulatory Authority (FINRA) 4511(c), and Commodity Futures Trading Commission (CFTC) 1.31(c)-(d). See the OSS Cohasset Assessment Report. |
| PCI DSS | Payment Card Industry Data Security Standard (PCI DSS) covering security requirements for payment card data, including credit card numbers and Card Verification Value 2 (CVV2) codes, and for storing and transmitting account credentials. Intended for software developers and application or device manufacturers involved in payment transactions. See the PCI Security Standards Council. |

Industry-specific

| Certification | What it covers |
| --- | --- |
| GxP | Life sciences industry guidelines and regulations, including Good Manufacturing Practices (GMP), Good Safety Practices (GSP), and Good Laboratory Practices (GLP). OSS has achieved third-party validation for ISO 9001, ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 to meet GxP requirements. |
| Trusted Partner Network (TPN) | Joint venture between the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA) to prevent leaks, breaches, and hacks of films and television shows before release. TPN certification confirms that service providers follow industry best practices for content security across facilities, staff, and workflows. See the TPN website. |

Region-specific

| Certification | What it covers |
| --- | --- |
| Cloud Computing Compliance Controls Catalog (C5) | German federal cloud security standard specifying control requirements across 17 fields. Required for cooperation with German public sector organizations and increasingly adopted in the private sector. See the C5 document. |
| Multi-Tier Cloud Security (MTCS) T3 | Singapore cloud security standard initiated by the Infocomm Development Authority of Singapore (IDA) and launched by Standards, Productivity and Innovation Board (SPRING Singapore). T3 is the highest tier, with the most stringent security requirements. Alibaba Cloud achieved MTCS T3 certification issued by SOCOTEC Certification International. |
| Trusted Cloud Service Assessment | Cloud computing evaluation program launched by the China Academy of Information and Communications Technology (CAICT) under the supervision of the Department of Telecommunication Development of the Ministry of Industry and Information Technology. Alibaba Cloud was among the first cloud service providers to pass this assessment. |