Alibaba Cloud IDaaS CIAM provides enterprises with a unified identity management solution for consumers. It prioritizes compliance in its design and implementation to ensure adherence to relevant domestic and international laws, regulations, and industry standards. This topic introduces the supported features, compliance standards, and methods to meet these requirements.
Support for domestic compliance standards and regulations
Personal Information Protection Law (PIPL)
IDaaS CIAM provides comprehensive features and mechanisms to help enterprises comply with China's Personal Information Protection Law (PIPL).
User privacy protection
Data encryption: Sensitive fields (such as passwords and email addresses) are stored encrypted with the AES-256 algorithm, and password fields are additionally processed with a salted SHA-256 hash so that stored values resist brute-force attacks.
User consent terms management:
Supports unified management of terms across multiple applications, allowing legal professionals to centrally edit and publish terms content.
Provides user-side term consent recording and management functions to ensure users clearly understand and agree to the terms content.
Cross-border data compliance: For enterprises involved in cross-border data transmission, IDaaS CIAM provides support for data export security assessment, helping enterprises meet the data export requirements of the national cyberspace administration.
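The salted SHA-256 password storage described under data encryption above, as an added Python example that is not IDaaS CIAM code: a random per-user salt is stored beside the digest, and verification recomputes the digest and compares it in constant time. The PBKDF2 variant and its iteration count are assumptions added for comparison, not something the page states.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000  # assumed work factor, not from the page


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Salted SHA-256 as the page describes. A fresh random salt per
    record means two users with the same password get different digests,
    so a precomputed table of SHA-256 values cannot be reused."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_password(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison does not leak how many leading characters matched."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Iterated variant (PBKDF2-HMAC-SHA256), an assumption for comparison:
    the salt defeats precomputation, the iteration count adds the cost
    that slows a brute-force attempt against a leaked digest."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex(), digest.hex()


def verify_password_pbkdf2(password: str, salt_hex: str, stored_digest: str) -> bool:
    _, candidate = hash_password_pbkdf2(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed sample: two accounts with the same password, different salts.
    salt_a, digest_a = hash_password("Sample-Passw0rd")
    salt_b, digest_b = hash_password("Sample-Passw0rd")
    print(digest_a != digest_b, verify_password("Sample-Passw0rd", salt_a, digest_a))
```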
Level 3 Classified Protection certification
IDaaS CIAM has obtained the Level 3 certification of the Classified Protection of Cybersecurity (CPCS) 2.0 from the Ministry of Public Security. This certification confirms that the service meets national standards for architecture security, data security, and infrastructure security.
Security protection measures:
Microservice multi-zone deployment: Each microservice of IDaaS CIAM is deployed on ECS instances in different zones of Alibaba Cloud, with Server Load Balancer (SLB) distributing traffic across the zones for high availability.
Independent VPC isolation: IDaaS CIAM is deployed in an independent Virtual Private Cloud (VPC) on Alibaba Cloud, using tunnel technology to achieve data-link layer isolation, providing an independent and secure network environment.
Support for international compliance standards and regulations
General Data Protection Regulation (GDPR)
IDaaS CIAM complies with the General Data Protection Regulation (GDPR) and provides global compliance support for multinational enterprises.
User data access and management: Users can view and manage their data through a self-service portal. This includes viewing authorized terms and revoking authorizations.
Data minimization principle: The system collects only the minimum amount of data required to achieve business objectives and restricts data access through strict access control.
Health Insurance Portability and Accountability Act (HIPAA)
IDaaS CIAM helps the healthcare industry meet compliance requirements and ensures the security of sensitive health information.
Data encryption and access control: All sensitive data is encrypted and stored using the AES-256 algorithm. Strict permission management policies limit access to sensitive data to prevent data breaches.
ISO 27001 & ISO 27018
IDaaS CIAM has obtained ISO 27001 and ISO 27018 certifications. These certifications confirm that the system has comprehensive information security management processes and capabilities to protect personally identifiable information (PII).
Information security management system:
ISO 27001: Ensures the system has comprehensive information security management processes.
ISO 27018: Ensures that cloud service providers' protection of personal data complies with international best practices.
Industry-specific compliance support
Payment Card Industry Data Security Standard (PCI DSS)
IDaaS CIAM has obtained the Payment Card Industry Data Security Standard (PCI DSS) certification. This ensures the security of payment information.
Payment data protection
Data encryption: All payment-related information is encrypted using strong encryption algorithms for storage and transmission.
Log audit: Records logs of all payment operations to ensure payment processes are transparent and traceable.
SOC 2
IDaaS CIAM has passed a SOC 2 audit, meeting international standards for security, availability, and confidentiality. It also supports generating compliance reports that cover user behavior, data access, and permission changes to meet regulatory requirements.
Log audit
IDaaS CIAM provides comprehensive log audit functions to help enterprises achieve operational transparency and compliance management.
Management logs: These logs record administrator operations, including the operator, operation environment, events, and operation objects.
User logs: These logs record user behaviors, such as logons, registrations, and password modifications, for subsequent tracking and analysis.
Synchronization logs: These logs record information related to data synchronization to ensure that the data processing procedure is traceable.
To learn more about IDaaS CIAM's compliance capabilities or obtain private deployment solutions, please contact the IDaaS product team for additional support.