This topic describes the security and compliance certifications for MaxCompute and provides links to download the compliance documents.
Alibaba Cloud MaxComputeactively upholds internal and external standards for product quality, technical services, stability, security, and compliance. It undergoes assessments and verifications by authoritative third-party organizations on the cloud platform. The resulting security and compliance certifications provide strong support to help cloud customers and organizations efficiently meet regional and industry-specific security and compliance requirements.
The following are the key security and compliance certifications for this product:
Certification | Description |
This standard defines the requirements for developing, implementing, monitoring, maintaining, and improving an IT service management system. It covers areas such as service level management, incident and problem management, change management, availability management, relationship management, and configuration and release management. Alibaba Cloud has obtained this certification to ensure our technical services and support meet business needs and to improve service quality, customer satisfaction, and operational efficiency through standardized processes. | |
The core principle of this standard is customer focus, emphasizing the identification, management, and optimization of key business processes to improve efficiency and effectiveness. It covers planning, implementation, monitoring, correction, and improvement activities throughout the entire product lifecycle, from requirement confirmation, design, R&D, and testing to sales and pre-delivery. Alibaba Cloud obtained this certification to establish a systematic quality management process for its products and services. Through continuous improvement, this process ensures the full product lifecycle meets requirements, reduces defects, and increases customer satisfaction. | |
As one of the most widely recognized information security management frameworks globally, this standard helps organizations design and implement a management system and control measures covering security organization, personnel security, physical security, and security technology. Alibaba Cloud has obtained this certification to effectively manage risks related to physical security, network security, application security, data security, and supply chain security. This protects information assets and improves business security and compliance. | |
This standard provides a management framework for establishing, implementing, maintaining, and continuously improving a business continuity management system to respond to disruptive incidents and ensure that critical business functions can be recovered quickly. Alibaba Cloud has achieved this certification to apply a systematic approach to identifying potential threats, developing preventive and responsive measures, and refining plans for handling technical failures, cyberattacks, or other incidents. Through effective business continuity management, we can rapidly restore critical business capabilities during emergencies and fulfill our responsibilities to customers and stakeholders. | |
This standard provides a systematic framework for cloud service security management. Based on the ISO/IEC 27001 Information Security Management System and ISO/IEC 27002 code of practice for information security controls, it offers additional controls and guidance for both cloud service providers and cloud service users. Alibaba Cloud has obtained this certification to strengthen controls specific to the cloud environment, such as virtual machine security, data isolation, and data protection after service termination, thereby effectively managing information security risks in the cloud. | |
CSA STAR is a global cloud security certification and assessment program launched by the Cloud Security Alliance (CSA). It combines the ISO/IEC 27001 Information Security Management System standard with the CSA Cloud Controls Matrix to provide a transparent and trustworthy cloud security assessment framework for cloud service providers and cloud service users. Alibaba Cloud has achieved this certification to assess, improve, and certify the security and compliance of our cloud products and services across multiple domains, including infrastructure security, network security, application security, data security, privacy protection, compliance, and risk management. | |
ISO 27701 is a privacy extension to ISO 27001 Information Security Management and ISO 27002 Security Controls. It integrates privacy protection principles, concepts, and methods into the information security framework, covering privacy risk management, data subject rights, data sharing and transfer, privacy by design, transparency requirements, and incident response and handling. Alibaba Cloud has obtained this certification to establish, implement, maintain, and continuously improve its privacy information management system and controls, thereby enhancing the compliance of its privacy information processing activities. | |
ISO 27018 Public Cloud Personal Information Protection Management System | This standard specifically addresses the privacy protection requirements for a cloud service provider (CSP) when processing Personally Identifiable Information (PII), enhancing data security and customer trust in public cloud environments. Building on the ISO 27002 code of practice for information security controls, Alibaba Cloud has implemented an additional set of personal information protection controls. These controls emphasize principles such as data minimization, user control, and data subject consent, ensuring we strictly adhere to privacy protection principles when processing customer PII. |
This standard provides a best-practice framework for a personal information management system, referencing the principles of the EU's General Data Protection Regulation (GDPR). It is an important tool for achieving privacy protection goals, helping organizations implement compliant and reliable management measures throughout the entire lifecycle of personal information, including collection, storage, processing, sharing, and destruction. Alibaba Cloud has obtained this certification to establish a standardized management system that reduces the risk of data breaches and misuse. This improves our privacy management capabilities, enhances customer trust, and helps meet compliance requirements. | |
This is a certification standard for compliance management systems. It involves identifying and assessing compliance risks and establishing, implementing, maintaining, and improving a compliance management system and its processes. This ensures that an organization adheres to applicable laws, regulations, industry standards, and internal policies during its operations. Alibaba Cloud has achieved this certification to improve the efficiency and transparency of our internal compliance management, foster a culture of compliance, and promote compliance awareness and participation among internal and external stakeholders. | |
The Payment Card Industry Data Security Standard (PCI DSS), developed and maintained by the PCI Security Standards Council (PCI SSC), provides a unified baseline and specific control requirements for protecting account data. It covers multiple aspects, including security management systems, network security, physical security, and data encryption. As a cloud service provider, Alibaba Cloud adheres to this standard by taking responsibility for the security of the cloud platform and helping customers build secure environments on it. | |
China implements the Multi-Level Protection Scheme (MLPS) for cybersecurity. Under this system, network operators must fulfill security protection obligations to safeguard their networks from interference, disruption, or unauthorized access, and to prevent data breaches, theft, or tampering. Adhering to the principles of focusing on key areas, proactive defense, and comprehensive control, Alibaba Cloud has established a robust cybersecurity protection system. Each year, our Public Cloud Data and Development Service Platform (PaaS) undergoes an MLPS assessment by an authoritative third-party organization. We perform security enhancements and improvements to fulfill our security responsibilities and meet national cybersecurity requirements. | |
Trusted Cloud - Cloud Service User Data Protection Capability Test | The Trusted Cloud assessment is a professional evaluation system in China for cloud computing services and software, organized by the China Academy of Information and Communications Technology (CAICT). Its core goal is to establish an evaluation system for cloud service providers to help users select secure and reliable cloud services, thereby improving service quality and integrity. By passing the Cloud Service User Data Protection Capability Test, Alibaba Cloud has demonstrated compliance with evaluation requirements across pre-incident prevention, in-incident protection, and post-incident traceability. This includes meeting standards for data durability, data privacy, data migration security, intrusion prevention, and service auditability. |
Trusted Cloud - Cloud Computing Security Shared Responsibility Capability Test | The Trusted Cloud assessment is a professional evaluation system in China for cloud computing services and software, organized by the China Academy of Information and Communications Technology (CAICT). By passing the Cloud Computing Security Shared Responsibility Capability Test, Alibaba Cloud has demonstrated compliance with the 'Cloud Computing Security Shared Responsibility Capability Requirements' standard. This assessment covers multiple dimensions, including the shared responsibility model, security capability support, and service agreement transparency. |
System and Organization Controls (SOC) reports are a series of auditing standards developed by the American Institute of Certified Public Accountants (AICPA). They are designed to evaluate the effectiveness of controls at service organizations such as cloud service providers, data centers, and IT service companies. Alibaba Cloud's SOC reports are independent audits that provide customers and their auditors with detailed information about the effectiveness of our internal controls. There are three types of SOC reports:
|