
Identity as a Service: Compliance standards

Last Updated: Mar 31, 2026

IDaaS CIAM supports domestic regulations, international data protection laws, and industry-specific security standards. This topic describes the compliance certifications IDaaS CIAM has obtained and the features that support each standard.

Supported compliance standards

Standard                                                        Category            Coverage
Personal Information Protection Law (PIPL)                      Domestic            Data privacy, cross-border data transfer
Level 3 Classified Protection (CPCS 2.0)                        Domestic            Architecture, data, and infrastructure security
General Data Protection Regulation (GDPR)                       International       EU data protection and individual rights
Health Insurance Portability and Accountability Act (HIPAA)     International       Healthcare sensitive data protection
ISO 27001                                                       International       Information security management
ISO 27018                                                       International       Cloud PII protection
Payment Card Industry Data Security Standard (PCI DSS)          Industry-specific   Payment data security
SOC 2                                                           Industry-specific   Security, availability, and confidentiality

Domestic compliance

Personal Information Protection Law (PIPL)

IDaaS CIAM provides the following features to help enterprises comply with PIPL.

User privacy protection

  • Data encryption: Sensitive fields, including passwords and email addresses, are encrypted using AES-256. Password fields are stored as salted SHA-256 hashes (SHA256+salt) to resist brute-force attacks.

  • Consent terms management: Supports unified management of consent terms across multiple applications. Legal teams can centrally edit and publish terms content. The system records each user's consent for auditing and compliance purposes.

Cross-border data transfer

For enterprises that transfer data outside China, IDaaS CIAM supports data export security assessments to help meet the requirements of the national cyberspace administration.

Level 3 Classified Protection (CPCS 2.0)

IDaaS CIAM holds the Level 3 certification under the Classified Protection of Cybersecurity (CPCS) 2.0 framework, issued by the Ministry of Public Security. This certification confirms that the service meets national standards for architecture security, data security, and infrastructure security.

The following measures underpin this certification:

  • Microservices multi-zone deployment: Each microservice is deployed on Elastic Compute Service (ECS) instances across different zones, with high-availability load balancing provided by Server Load Balancer (SLB).

  • Independent VPC isolation: IDaaS CIAM runs in a dedicated Virtual Private Cloud (VPC) that uses tunneling to isolate traffic at the data-link layer, providing a secure and isolated network environment.

International compliance

General Data Protection Regulation (GDPR)

IDaaS CIAM provides features to help multinational enterprises meet GDPR requirements.

  • Self-service data management: Users can view their data, review authorized terms, and revoke authorizations through a self-service portal.

  • Data minimization: The system collects only the minimum data required for business objectives and enforces strict access controls to restrict unauthorized data access.

Health Insurance Portability and Accountability Act (HIPAA)

IDaaS CIAM provides the following features to help healthcare enterprises meet HIPAA requirements.

  • Data encryption: All sensitive health data is encrypted and stored using AES-256.

  • Access control: Strict permission management policies limit access to sensitive data to prevent data breaches.

ISO 27001 and ISO 27018

IDaaS CIAM has obtained ISO 27001 and ISO 27018 certifications. These certifications confirm that the system has comprehensive information security management processes and the capabilities to protect personally identifiable information (PII).

Certification   Scope
ISO 27001       Comprehensive information security management processes
ISO 27018       Cloud service providers' protection of personal data per international best practices

Industry-specific compliance

Payment Card Industry Data Security Standard (PCI DSS)

IDaaS CIAM holds PCI DSS certification, ensuring the security of payment-related data.

  • Data encryption: All payment data is encrypted for both storage and transmission.

  • Log audit: All payment operations are logged to maintain a transparent and traceable payment process.

SOC 2

IDaaS CIAM has passed the SOC 2 audit, meeting international standards for security, availability, and confidentiality. The system supports generating compliance reports covering user behavior, data access, and permission changes to satisfy regulatory and audit requirements.

Log audit

IDaaS CIAM provides log audit functions to support operational transparency and compliance management.

Log type               Records
Management logs        Administrator operations, including the operator, operation environment, events, and operation objects
User logs              User behaviors, including logons, registrations, and password modifications
Synchronization logs   Data synchronization information, so that data processing remains traceable

What's next

To learn more about IDaaS CIAM compliance capabilities or obtain private deployment solutions, contact the IDaaS product team.