All Products
Document Center

Object Storage Service:Compliance certifications

Last Updated:Dec 18, 2023

Object Storage Service (OSS) has obtained certifications for compliance with local and international certification programs and standards, helping customers meet various compliance requirements. The following table describes the compliance certification programs with which OSS complies:

Compliance certifications


Cohasset Associates compliance assessment

Cohasset Associates has certified OSS as a service that meets electronic record keeping requirements and is compliant with Securities and Exchange Commission (SEC) 17a-4(f), FINRA 4511(c), and CFTC 1.31(c)-(d).

For more information, see OSS Cohasset Assessment Report.


ISO9001 is a series of quality management requirements that apply to the following scenarios:

  • Organizations that want to provide products and services that meet customer expectations and comply with applicable laws and relevant regulations.

  • Organizations that want to strengthen customer recognition by using a quality management system, including management system optimization and consistency with applicable laws and relevant norms.


ISO20000 is a service management system (SMS) standard that specifies requirements for service providers to plan, establish, implement, operate, monitor, review, maintain, and improve a service management system.


ISO 22301 is a business continuity standard that helps enterprises establish an integrated management procedure.

This standard helps enterprises identify and protect against potential business disruptions and establish an effective management mechanism to prevent or offset consequences when disruptions occur.

ISO/IEC 27001

ISO/IEC 27701 is a privacy protection extension to ISO 27001 and provides guidance for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) to strengthen privacy information management and mitigate privacy information threats.


ISO27017 provides guidelines for information security controls that are applicable to the use of cloud services by providing:

  • Additional implementation guidance for controls that are specified in ISO/IEC 27002

  • Additional controls with implementation guidance that is specifically related to cloud services.


ISO27018 is a Personally Identifiable Information (PII) standard that establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII. ISO27018 specifies applicable PII requirements based on the information security risks that are described in ISOIEC 27002.


ISO29151 provides many practical guidelines for enterprises to secure personal privacy and mitigate compliance risks to meet the requirements for PII protection and security assessment.


The BS 10012 standard demonstrates compliance with the General Data Protection Regulation (GDPR). BS 10012 specifies the requirements for a personal information management system that is aligned to recognized best practices and helps organizations appropriately use personal information while respecting personal privacy and securing personal records related to individuals.

For more information, visit the BS 10012 Personal Information Management website.


The Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) is based on ISO/IEC 27001 certification and uses the maturity model and evaluation method provided by BSI to comprehensively evaluate cloud security management and technical capabilities. The CSA STAR certification program is a third-party attestation.

For more information, visit the CSA STAR official website.


The Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for assessing payment card data, including credit card numbers and Card Verification Value 2 (CVV2) codes. This standard also specifies requirements for securing accounts and storing and transmitting passwords.

The PCI DSS helps secure payment card and account data. The PCI DSS sets business and technical guidelines for organizations to accept or process payment card information. The standard is intended for software developers as well as applications and device manufacturers involved in payment transactions.

For more information, see PCI DDS.


Alibaba Cloud follows the Cloud Computing Compliance Controls Catalog (C5) standard to achieve strict compliance in terms of cloud computing control and security.

C5 is primarily intended for professional cloud service providers, their auditors, and customers of the cloud service providers. This standard specifies control requirements across 17 fields and requires cloud service providers to adhere to or meet the defined minimum baseline. C5 compliance is necessary for cooperation with German public service sectors and is increasingly adopted by private service sectors. C5 aims to unify the currently fragmented cloud computing certification.

For more information, see the C5 document.


Alibaba Cloud achieved the Multi-Tier Cloud Security (MTCS) T3 certification issued by SOCOTEC Certification International. MTCS is a cloud security standard that is initiated by Infocomm Development Authority of Singapore (IDA) and launched by Standards, Productivity and Innovation Board (SPRING Singapore). The MTCS standard specifies three tiers of security certification, of which T3 is the highest tier with the most stringent security requirements.


GxP is a collection of guidelines and regulations for the life sciences industry, including Good Manufacturing Practices (GMP), Good Safety Practices (GSP), and Good Laboratory Practices (GLP). OSS has achieved third-party validation for compliance with standards such as ISO9001, ISO27017, ISO27001, and ISO27018 to meet GxP compliance requirements.


The Trusted Partner Network (TPN) is a joint venture between the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA). TPN aims to build a single, global network of trusted partners to help ensure content security and prevent leaks, breaches and hacks of films and television shows prior to their intended release.

TPN certifies that service providers adopt the industry best practices and meet the security requirements by assessing the facilities, staff, and workflows based on the industry best practices and by experienced auditors.

For more information, visit the TPN official website.

Trusted Cloud Service Assessment

Trusted Cloud Service Assessment is cloud computing evaluation program launched by the China Academy of Information and Communications Technology (CAICT) in the supervision of the Department of Telecommunication Development of the Ministry of Industry and Information Technology. Trusted Cloud Service Evaluation helps establish an evaluation system for cloud services, provide support for users to choose trusted and secure cloud services, and facilitate the healthy and orderly development of the cloud computing market. Alibaba Cloud became one of the first cloud service providers to pass the trusted cloud service evaluation.

SOC 1, SOC 2, and SOC 3

Alibaba Cloud has been issued a Cloud Service Organization Controls (SOC) report by an independent third-party auditor after the inspection and assessment of cloud services provided by Alibaba Cloud. The report explains the key controls and control objectives of Alibaba Cloud to Alibaba Cloud customers and their auditors to help customers better assess the internal control mechanisms of Alibaba Cloud and effectively manage outsourcing risks.