SaaS Visibility Application Attributes

Table of Contents

View Usage Data for Unsanctioned SaaS Apps

How SaaS Security Inline Determines an App's Risk Score

SaaS Visibility Application Attributes

Explore attributes on which the risk score for a SaaS app is based.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	SaaS Security Inline license NGFW or Prisma Access license Or any of the following licenses that include the SaaS Security Inline license: CASB-X CASB-PA

Where Can I Use This?

What Do I Need?

NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)

SaaS Security Inline license
NGFW or Prisma Access license

Or any of the following licenses that include the SaaS Security Inline license:

CASB-X
CASB-PA

Attributes are characteristics on which the risk score is calculated. You can drill down into the Application Dictionary to evaluate the attributes for:

Vendor and product—Basic information about the vendor and its product. For example, Product URL and NPS Score.
Compliance—Adherence to regulatory standards or framework. For example, GDPR (General Data Protection Regulation) and CJIS (Criminal Justice Information Services).
Security and Privacy—Product capabilities and terms and conditions that can improve your organization’s security and privacy. For example, Data Ownership.
Identity Access Management—Information about the product's authentication and access-control capabilities.
GenAI — For GenAI apps only, information about the GenAI app. For example, whether the app vendor uses user-submitted data to train GenAI models.

Compliance program requirements change over time, so verify this information with your organization’s due diligence department before you complete your risk assessment.

Vendor and Product Attributes
Attribute	Summary Description	Detailed Description
App Name	Name of the SaaS app.	Name of the app as it’s known in the industry, preceded by a summary of the SaaS app’s capabilities as expressed by the vendor.
App Domains	Default domain of the SaaS app.	Default domain of the SaaS app.
Category	Product’s service category.	Product’s service category for filtering. For example, Google Chart Tools is categorized as Analytics with Business Intelligence Level 2 subcategory and Data Visualization Level 3 subcategory. Categories and subcategories are dynamic, changing over time as the product evolves or new industry categories become available. If you need custom categorization, use custom tags.
	L2 Subcategory—Product’s service subcategory, Level 2.
	L3 Subcategory—Product’s service subcategory, L3.
Consumer Popularity	Popularity as aggregated by social media metrics.	A value derived from social media statistics, including likes, followers, and reviews and used to gauge a product’s perceived quality.
Employee Count	Total employee count.	Total employee count as compiled by various registries. The total is an approximation.
Founded	Date company incorporated or opened for business.	Date company incorporated or opened for business and as outlined in the company’s Articles of Incorporation.
Headquarters Location	Geographic location of company’s strategic planning and executive management.	Geographic location of company’s strategic planning and executive management.
Holding (Public/Private)	Type of ownership.	Ownership shares are publicly traded vs. privately held.
How is this app detected?	Detection methods include: App-ID classification—detection method on PAN‑OS 10.1 or later. URL classification—URL-based App-ID.	You can only create recommendations for enforcement on your firewall for SaaS apps that are detected using App-ID classification. Therefore, the total number of SaaS apps in the Application Dictionary will be greater than the number displayed in Select Applications when you create a recommendation because your firewall uses App-IDs to identify traffic on your network, and a subset of the SaaS apps in the Application Dictionary don’t have App-IDs.
Linkedin URL	Company’s Linkedin profile.	Company’s Linkedin account where you can find more information about the company’s profile.
NPS Score	Indicator of future growth as measured by customer experience and loyalty with a score between <0 (weak) and 100 (strong): % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS app has 35% Promoters and 25% Detractors, the SaaS app’s NPS score is 10.	Indicator of future growth as measured by customer experience and loyalty: % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS app has 35% Promoters and 25% Detractors, the SaaS app’s NPS score is 10. Passives are neutral and don’t impact the score.
Opensource	Indicates whether the product is opensource.	SaaS app is opensource. Some analysts argue that there is no evidence that open source is riskier, but there is operational risk if a SaaS vendor does not have infrastructure in place to quickly apply patches to known vulnerabilities.
Privacy policy	Privacy statement disclosure is publicly available.	Privacy statement that outlines how the company’s product gathers, uses, discloses, and manages customer data is publicly available.
Product URL	Website link to get more information about the SaaS app.	Website link to get more information about the SaaS app.
Type of Service	SaaS product’s marketplace niche.	The niche that the SaaS product meets in the marketplace. For example, cloud storage and backup.
Vendor Name	Parent or subsidiary that markets, sells, and distributes the SaaS app.	The entity that markets, sells, and distributes the SaaS app. The vendor can be a subsidiary of a parent company or the parent company itself.

Security and Privacy Attributes
Attribute	Description
Audit Log	This attribute indicates whether the SaaS app can record user actions to a log file for later analysis. Based on the SaaS app's capabilities, one of the following values displays: —SaaS app can record user actions to an audit log. Unknown—The information can’t be derived from app documentation.
Data Ownership	Based on the SaaS app’s terms and conditions, one of the following values displays: Customer Ownership—Your organization has full rights over the data when using the service. For example, the terms and conditions might state, “...as between the parties, the user owns all intellectual property rights in user data and user apps....” Vendor Ownership—Your organization grants the service access to use the data. For example, the terms and conditions might state, “...You acknowledge and agree that any questions, comments, suggestions, ideas, feedback, or other information regarding the Site (“Submissions”) provided by you to us are nonconfidential and shall become our sole property....” Unknown—The information can’t be derived from app documentation. Regardless of the value that displays in the SaaS Security web interface, it’s important that you have your Legal team review the service’s terms and conditions before you onboard the SaaS app.
Data Retention	This attribute identifies the SaaS app's data-retention policies. Based on the SaaS app, one of the following values displays: 1-30 days—After the account is closed, the SaaS app retains data for less than 30 days. 1-12 months—After the account is closed, the SaaS app retains data for at least one month, and for as much as one year. > 1 year—After the account is closed, the SaaS app retains data for more than a year. For undocumented period—After the account is closed, the SaaS app retains data. However, the retention period can’t be derived from app documentation. While account is active—The SaaS app retains data only while your account is still active. Unknown—The information can’t be derived from app documentation.
Disaster Recovery	This attribute indicates whether the SaaS app has a comprehensive contingency plan for responding to disasters. Following a natural disaster or an orchestrated attack, the SaaS app provider should have an established plan for recovering data. Based on the SaaS app, one of the following values displays: —SaaS app has an established recovery plan. Unknown—The information can’t be derived from app documentation.
Encryption at Rest	Identifies whether the data that is stored in the SaaS app’s data center or in cloud storage is encrypted. Based on the SaaS app, one of the following values displays: —The data managed by the SaaS app is encrypted. Unknown—The information can’t be derived from app documentation.
Encryption in Transit	This attribute identifies the highest level of the Transport Layer Security (TLS) protocol that the SaaS app supports. Based on the SaaS app's capabilities, one of the following values displays: TLS 1.3—The SaaS app supports TLS 1.3. TLS 1.2—The highest level of TLS supported by the SaaS app is TLS 1.2. TLS 1.1—The highest level of TLS supported by the SaaS app is TLS 1.1. This older version of TLS is deprecated and has known vulnerabilities. TLS 1.0—The highest level of TLS supported by the SaaS app is TLS 1.0. This older version of TLS is deprecated and has known vulnerabilities. Unknown—We were unable to determine TLS support information.
Encryption Strength at Rest	If the data managed by the SaaS app is encrypted, this attribute identifies the encryption strength. Based on the SaaS app's capabilities, one of the following values displays: 128 bit —The app uses 128-bit encryption for data at rest. 192 bit —The app uses 192-bit encryption for data at rest. 256 bit —The app uses 256-bit encryption for data at rest. >256 bit —The app uses encryption that’s stronger than 256-bit encryption for data at rest. Encryption details not disclosed —The app encrypts data at rest, but does not disclose the encryption algorithm or key length. Unknown —The app does not support encryption at rest, or we were unable to determine the encryption strength.
File/Content Sharing	File sharing refers to the practice of enabling shared access to documents managed by the SaaS app. File sharing introduces the risk of malware and the loss or exposure of sensitive information. Based on the SaaS app's capabilities, one of the following values displays: —SaaS app supports file/content sharing, which has associated security risks. Unknown—The information can’t be derived from app documentation.
Native Data Classification	This attribute indicates whether the SaaS app provides features for classifying the data that it manages. Data classification enables you to organize data into categories, which helps you identify sensitive data. Identifying the sensitive data helps you to better protect the data and to comply with applicable laws. Based on the SaaS app's capabilities, one of the following values displays: —SaaS app provides native data classification features. Unknown—The information can’t be derived from app documentation.
HTTP Security Headers	This attribute identifies the HTTP security headers that are used by the SaaS app. HTTP security headers help protect against common cyberattacks, such as clickjacking and Cross-Site Scripting (XSS) attacks. Based on the HTTP security headers that are used, one or more of the following values display: Strict-Transport-Security—Indicates that the SaaS app uses the HTTP response header Strict-Transport-Security. This header tells the browser that the SaaS app should be accessed only through secure (HTTPS) connections. This header is designed to protect the app from man-in-the-middle (MiTM) attacks. X-Content-Type-Options—Indicates that the SaaS app uses the HTTP response header X-Content-Type-Options: nosniff. This header tells the browser that the MIME type specified in the Content-Header must be followed. This header is designed to protect the app from cross-site scripting by preventing content sniffing. X-Frame-Options—Indicates that the SaaS app uses the HTTP response header X-Frame-Options. This header is designed to prevent certain clickjacking attempts by telling the browser that app pages should not be displayed in a frame. Content-Security-Policy—Indicates that the SaaS app uses the HTTP response header Content-Security-Policy. This header is designed to protect the app from XSS and other data injection attacks by specifying policies for loading content, such as the sources from which the browser can load content. Unknown—We were unable to determine if the SaaS app uses HTTP security headers.
Privacy Policy	This attribute indicates whether the SaaS app has a published privacy policy. A privacy policy describes how the SaaS app or app provider handles user data. For example, a privacy policy might include information about how data is collected, managed, or disclosed. Based on the SaaS app, one of the following values displays: —SaaS app has a published privacy policy. Unknown—The information can’t be derived from app documentation.
Protected from Downgrade Attacks	This attribute indicates whether the SaaS app is protected from TLS downgrade attacks. A downgrade attack (also known as a version rollback attack or bidding-down attack) attempts to reduce the level of a protocol or cryptographic algorithm to an older and less-secure version. A SaaS app is vulnerable to TLS downgrade attacks if the app allows connections to fall back to deprecated versions of TLS with known vulnerabilities, such as TLS 1.1 and TLS 1.0. Based on the TSL versions that are supported by the SaaS app, one of the following values displays: —The SaaS app is protected from TLS downgrade attacks. The app does not support deprecated versions of TLS with known vulnerabilities. Unknown —We were unable to determine if the SaaS app is protected from downgrade attacks.
Session Timeout	This attribute identifies the time range in which the SaaS app's session timeout occurs. A session timeout feature will force the user to log in again if the user has not performed any actions for a set period. Based on the SaaS app's capabilities, one of the following values displays: 1-60 minutes —The SaaS app's timeout period falls within 1-60 minutes. 1-24 hours —The SaaS app's timeout period falls within 1-24 hours. 1-7 days —The SaaS app's timeout period falls within 1-7 days. > 1 week —The SaaS app's timeout period is greater than a week. For undocumented period —The SaaS app has a session timeout feature. However, the timeout period can’t be derived from app documentation. Unknown —The information can’t be derived from the app documentation.
Spoof Risk Level	This attribute identifies how well the SaaS app domain is protected from domain spoofing. To determine how well the domain is protected from domain spoofing, SaaS Security Inline examines DNS records for Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). A SaaS app with a weak DNS configuration is prone to phishing attacks. Based on the SaaS app domain's DNS configuration, one of the following values displays: Safe —The domain has DNS records configured correctly to prevent domain spoofing. The DMARC and SPF policies for the domain are strict. Critical —The domain has weak policies for both DMARC and SPF, which allow the domain to be spoofed. The DNS records are not configured correctly to prevent domain spoofing. High —Either the DMARC or SPF policy isn’t configured correctly, which allows the domain to be spoofed. The domain DNS records are not configured correctly to prevent domain spoofing. Medium —Based on the domain DNS records, the domain can be spoofed. However, the spoofed messages will most likely be quarantined at the receiver's end. The domain's DMARC and SPF policies are both moderate. Low —Although the risk of spoofing the domain is low, further DNS records hardening could further help prevent domain spoofing. The domain's DMARC and SPF policies are strict, but might fail to prevent some spoofing attempts. Unknown —We were unable to find the domain's SPF and DMARC records.
Terms and Conditions	This attribute indicates whether the SaaS app has a published set of terms and conditions. Based on the SaaS app, one of the following values displays: —SaaS app has a published set of terms and conditions. Unknown—The information can’t be derived from app documentation.
Third Party Data Sharing	This attribute indicates whether the SaaS app can share user data with third-party apps or services. Based on the SaaS app, one of the following values displays: —SaaS app can share user data with third-party apps or services. Unknown—The information can’t be derived from app documentation.

Identity Access Management
Attribute	Description
IP Based Restriction	IP-based restriction is the ability to restrict login access to the SaaS app for specific IP addresses. Based on the SaaS app’s capabilities, one of the following values displays: —SaaS app offers the ability to configure IP-based restriction. No—SaaS app does not offer IP-based restriction. Unknown—The information can’t be derived from app documentation.
MFA	Multi‑factor Authentication (MFA) offers an additional layer of security for login access. Based on the SaaS app’s capabilities, one of the following values displays: —SaaS app offers the ability to enable MFA. No—SaaS app does not offer MFA. Unknown—The information can’t be derived from app documentation.
Password Policy	This attribute indicates whether the SaaS app supports password policies, such as rules for password complexity or an expiration period for passwords. Based on the SaaS app's capabilities, one of the following values displays: —SaaS app supports password policies. Unknown—The information can’t be derived from app documentation.
RBAC	Role-based access control (RBAC) enables you to manage user access to operations based on the user's job function. To perform administrative actions, a user must be assigned to a role with administrator permissions. Based on the SaaS app's capabilities, one of the following values displays: —SaaS app supports RBAC. Unknown—The information can’t be derived from app documentation.
SAML	Security Assertion Markup Language (SAML) is an additional security control that enables users to authenticate to the SaaS app using Single sign‑on (SSO) or company credentials. Based on the SaaS app’s capabilities, one of the following values displays: —SaaS app offers the ability to enable SAML. No—SaaS app does not offer SAML. Unknown—The information can’t be derived from app documentation.

GenAI Attributes
Attribute	Description
Allows Fine Tuning	This attribute indicates whether users can upload data to create a customized model based on a pre-trained model that the application provides. One of the following values displays: —The SaaS app allows fine tuning of its models. X—The SaaS app does not allow fine tuning of its models.
Copyright Indemnity	This attribute indicates whether the app vendor defends customers against legal claims of copyright infringement and indemnifies them. One of the following values displays: —The SaaS app provides copyright indemnity. Not mentioned—The information can’t be derived from app documentation.
Data Used In Models	This attribute indicates whether the app vendor uses user-submitted data to train GenAI models. Based on information derived from the app documentation, such as terms and conditions agreements or a data policy, one of the following values displays: — The app vendor uses input that the user submits to the GenAI app to train its models. X—The app vendor does not use input that the user submits to the GenAI app to train its models. Not mentioned—The information can’t be derived from app documentation.
Enterprise Plan	This attribute indicates whether the app vendor offers an enterprise plan and support for the GenAI app.
Features	This attribute identifies the GenAI capabilities of the app. For example, this attribute indicates whether the app provides GenAI capabilities for conversational chat, image editing, image generation, video editing, video generation, and writing assistance.
Has A Marketplace	Indicates whether the GenAI app provides a marketplace to publish, or integrate with, third-party apps. One of the following values displays: —The GenAI app has a marketplace. X—The GenAI app has a marketplace.
Input Data Types	The type of input that the GenAI model requires or accepts. Possible input formats include the following data types: Text Query—A raw text query, such as text input to conversational chat. Text File—A plain text file, such as a text file format (TXT) file or a comma-separated values (CSV) file. Image File—An image format file, such as a Portable Network Graphics (PNG) file. Audio File—An audio format file, such as a WAV file or an MP3 file. Video File—A video format file, such as an MP4 file. URL—A uniform resource locator (URL) address, such as a link to a website or to a cloud storage location. Other—Other file formats, such as IoT sensor data.
Input monitoring and review	Indicates whether input that the user submits to the GenAI app might be reviewed by humans to improve the GenAI app. One of the following values displays: —Humans at the app vendor might review input data. X—The vendor does not have humans review input data. Not mentioned—The information can’t be derived from app documentation.
Interface	The types of interfaces that are available for accessing the GenAI SaaS app. Possible interfaces include the following interfaces: Web—An official website or SaaS platform. Browser Extension—A third- party web browser extension. Mobile App—A mobile platform native app. API—A third-party API. Integration (3rd party) / Plugin—A third-party marketplace integration or plugin. Desktop App—A desktop native app.
Output Data Types	The type of output that the GenAI model returns to the user. Possible output formats include the following data types: Text Query—Text output, such as the output generated in a conversational chat. Text File—A plain text file, such as a text file format (TXT) file or a comma-separated values (CSV) file. Image File—An image format file, such as a Portable Network Graphics (PNG) file. Audio File—An audio format file, such as a WAV file or an MP3 file. Video File—A video format file, such as an MP4 file. URL—A uniform resource locator (URL) address, such as a link to a website or to a cloud storage location. Other—Other file formats, such as IoT sensor data.
Popularity	This attribute indicates how popular the GenAI app is based on our traffic statistics. The GenAI app can have low, medium, and high popularity. The GenAI risk score calculation considers both low and high popularity to represent a greater risk. The GenAI risk score calculation considers low popularity to be a greater risk because apps with fewer users are more likely to have issues related to compliance, data security, and so on. The GenAI risk score calculation considers high popularity to be a greater risk because a data breach would have a large impact.
Security Guardrails	This attribute indicates whether the GenAI app implements preventive controls for risks posed by large language models (LLMs). Some examples of possible security guardrails include the following controls. Actions to prevent harmful responses. Monitoring for abuse. Red teaming (emulating real-world cyberattacks to identify potential vulnerabilities) before deployment. Actions to prevent prompt injection attacks. One of the following values displays: Yes —The SaaS app provides security guardrails. Click the link provided to view the SaaS app's documented security guardrails. Not mentioned—The information can’t be derived from app documentation.
Terms Conditions Data Usage	This attribute indicates whether the SaaS app has a published privacy policy that describes the terms and conditions for the handling of user data. Based on the SaaS app, one of the following values displays: —The SaaS app has a published privacy policy that describes how the app handles user data. X—The SaaS app does not have a published privacy policy. Not mentioned—The SaaS app does not have a published privacy policy, or the app's privacy policy does not describe data usage.

View Usage Data for Unsanctioned SaaS Apps

How SaaS Security Inline Determines an App's Risk Score

SaaS Security Docs

SaaS Visibility Application Attributes

SaaS Security Docs

SaaS Visibility Application Attributes

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Visibility & Monitoring

Best Practices

Experts Corner

Compliance Attributes
Attribute	Summary Description	Detailed Description
C5	Germany’s Cloud Computing Compliance Controls Catalog (C5) recommendations define operational security against common cyberattacks.	When in compliance with Germany’s Cloud Computing Compliance Controls Catalog (C5) recommendations, the vendor implemented operational security controls to protect against common cyberattacks.
CJIS	US FBI’s Criminal Justice Information Services (CJIS) policy on US FBI’s Criminal Justice data security for sensitive criminal justice data.	When in compliance with the US FBI’s Criminal Justice Information Services (CJIS) policy, the SaaS app adheres to data security for sensitive criminal justice data.
COBIT	Control Objectives for Information and Related Technologies (COBIT) framework for quality, control, and reliability of information systems.	When in compliance with Control Objectives for Information and Related Technologies (COBIT), the vendor implemented a security framework to ensure quality, control, and reliability of information systems.
COPPA	US Children's Online Privacy Protection Act (COPPA) privacy law governs data collection privacy for children age 13 and under.	When in compliance with the US Children's Online Privacy Protection Act (COPPA), the SaaS app adheres to US Federal privacy law that governs what type of information online services can and can’t request from children age 13 and under without parental consent.
CSA STAR	Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) best practices for secure cloud computing environments.	When certified with Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR), indicates that the vendor implemented advanced best practices to ensure a secure cloud computing environment. Certification is based on self-assessment and a third-party audit.
FEDRAMP	Federal Risk and Authorization Management (FEDRAMP) program provides security assessment, authorization, and continuous monitoring of cloud products and services.	When in compliance with the Federal Risk and Authorization Management (FEDRAMP) program, which provides security assessment, authorization, and continuous monitoring of cloud products and services, SaaS app is authorized for Federal Agency cloud deployments.
FERPA	US Federal Education Rights and Privacy Act (FERPA) privacy law governs parental protections for children's education records.	When in compliance, with the US Federal Education Rights and Privacy Act (FERPA) privacy law, the SaaS app complies with parental protections with regard to children's education records, academic and disciplinary reports, and personal and family information.
FFIEC	The Federal Financial Institutions Examination Council (FFIEC) is an interagency body of the U.S. government made up of several financial regulatory agencies.	The FFIEC publishes guidelines for IT management, cybersecurity, and protection of consumer financial data. Failure to comply with FFIEC guidelines can result in fines and penalties for federally supervised financial institutions. When in compliance with the FFIEC, the SaaS app follows the guidelines, practices, and principles laid out by the FFIEC.
FINRA	US Federal Industry Regulatory Authority (FINRA) rules govern the integrity of the US financial system.	When in compliance with the Federal Industry Regulatory Authority (FINRA), a broker appears in the Central Registration Depository (CRD) system and is an indication of a security firm’s business integrity.
FISMA	The Federal Information Security Management Act (FISMA) describes compliance parameters for the storage and processing of government data.	FISMA requires federal agencies and their private-sector vendors to implement information security controls that ensure the data security postures of federal information systems are protected. All private-sector firms that sell services to the federal government must comply with FISMA requirements. Compliance with FISMA indicates that the vendor adheres to the FISMA requirements.
GAPP	Canadian-US Generally Accepted Privacy Principles data privacy framework for management and prevention of data privacy risks in accounting.	When in compliance with Canadian-US Generally Accepted Privacy Principles data privacy framework, which outlines how accounting professionals collect, use, retain, and disclose identifiable information (PII), indicates that the vendor adheres to principles that manage and prevent privacy risks in accounting, as defined by Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). Also included in SOC 2.
GDPR	EU’s General Data Protection Regulation (GDPR) privacy laws govern the transfer of personal data outside Europe and European Economic Area.	When in compliance with the EU’s General Data Protection Regulation (GDPR), the SaaS app complies with EU privacy laws governing the transfer of personal data outside Europe and the European Economic Area.
GLBA	US Federal Gramm-Leach Bliley Act (GLBA) privacy law governs the sharing and protection of customer data.	When in compliance with the Gramm-Leach Bliley Act (GLBA), the SaaS app complies with US Federal privacy laws that govern the sharing and protection of customer data.
HIPAA	Health Insurance Portability and Accountability Act (HIPPA) standards for protection and confidential handling of health information.	When in compliance with the Health Insurance Portability and Accountability Act (HIPPA), the SaaS app complies with laws that mandate the industry-wide standards for health care information, and protection and confidential handling of health information.
HITRUST CSF	HITRUST CSF security framework to meet multiple regulations (ISO/IEC 27000-series and HIPAA) that govern sensitive and regulated data.	When in compliance with HITRUST CSF security framework, which instructs organizations on how to efficiently meet multiple regulations (such as and HIPAA), the vendor-implemented security and privacy controls related to how the organization creates, accesses, stores, and exchanges sensitive and regulated data.
ISAE 3402	International Auditing and Assurance Standards Board (ISAE) 3402 reporting standard for auditors of SOC 1 reports.	As defined by International Auditing and Assurance Standards Board (ISAE), when in compliance, the vendor’s SOC1 report adheres to the ISAE 3402 reporting standards for auditors. This report covers internal controls for financial reporting.
ISO 27001	International Organization for Standardization (ISO) 27001 standard for controls and processes related to information security.	When adhering to this International Organization for Standardization (ISO) 27001 mandatory standard, the vendor systematically examines its controls and processes related to information security.
ISO 27002	International Organization for Standardization (ISO) 27002 best practices for security controls implementation.	When adhering to this International Organization for Standardization (ISO) 27002 optional standard, the vendor considers best practices on how to implement security controls.
ISO 27017	International Organization for Standardization (ISO) 27017 updated controls to improve cloud security.	When statement of compliance is received, vendor, updated existing controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.
ISO 27018	International Organization for Standardization (ISO) 27018 new controls to improve cloud security.	When statement of compliance is received, vendor, implemented new controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.
ISO 9000	ISO 9000 quality definitions and standards for implementation of an ISO 9001-certified quality management system.	Quality definitions and standards for implementing an ISO 9001-certified quality management system.
ISO 9001	ISO 9001 standard for implementation of a ISO-certified quality management system.	When certified, indicates that the vendor’s quality management system adheres to a specific quality standard, which is based on gap analysis and internal audits. This certification is globally recognized. Ongoing evaluation and maintenance is required to retain certification, indicating that vendor consistently provides products and services that meet customer and regulatory requirements and demonstrates continuous improvement of the organization’s products, services, and/or processes.
ITAR	US International Traffic in Arms Regulations (ITAR) export control laws that govern export of defense and military-related technologies	When in compliance with US International Traffic in Arms Regulations (ITAR) export control laws that govern export of defense and military-related technologies, indicates that the vendor has the necessary safeguards to protect US national security and foreign policy objectives. Compliance includes registration with US Directorate of Defense Trade Controls (DDTC).
Jericho Forum Commandments	(now The Open Group Security Forum) principles for cloud security.	When in agreement with Jericho Forum Commandments (now The Open Group Security Forum) principles, indicates that the vendor subscribes to the best practice that security solutions should not rely on a network as a security perimeter, but rather cloud security ("de-perimeterisation").
NIST SP 800-53	US National Institute of Standard and Technology (NIS SP 800-53) standard and guidelines for FISMA compliance govern the security and privacy of federal information systems.	When in compliance with US National Institute of Standard and Technology (NIS SP 800-53) standard and guidelines for FISMA compliance, indicates that the vendor adheres to regulations that govern security and privacy of federal information systems.
PCI	Payment Card Industry (PCI) security best practices for storing and transmitting consumer credit card data in the cloud.	When in compliance with Payment Card Industry (PCI), indicates that the provider hosting your credit card data adheres to specific security best practices for storing and transmitting your credit card data in the cloud.
Privacy Shield	EU-US and Swiss-US Privacy Shield framework for transferring personal data from the EU and Switzerland to the US.	When in compliance with EU-US and Swiss-US Privacy Shield framework, indicates that the vendor has a mechanism in place to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.
Privacy Mark (Japan)	JIPDEC award for safe and secure data standards in business operations.	When awarded this compliance mark by JIPDEC, vendor organized its business operations in accordance with safe and secure data standards.
Safe Harbor Compliance	EU-US Safe Harbor framework governs privacy of data transfered within European Economic Area (EEA).	When in compliance, SaaS app complies with the EU-US Safe Harbor framework that governs privacy of data transfered within the European Economic Area (EEA).
SSAE 18	Statement for Attestation Engagement Standards (SSAE) compliance, as defined by American Institute of Certified Public Accountants (AICPA), comprise internal controls for financial reporting compatible with globally accepted accounting principles.	As defined by American Institute of Certified Public Accountants (AICPA) for Attestation Engagement Standards (SSAE), including SSAE 18, formerly SAS70 and SSAE 16, when compliant, indicates that the vendor has effective internal controls for financial reporting compatible with globally accepted accounting principles such as ISAE 3402.
SOC 1	SOC 1 (System and Organization Controls) audit, as defined by American Institute of Certified Public Accountants (AICPA), comprises internal controls for financial reporting.	As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 1 audit of internal controls for financial reporting in accordance with SSAE 18 standards, which includes Type 1 (snapshot in time) and Type 2 (6-month period) reports.
SOC 2	SOC 2 (System and Organization Controls) audit, as defined by American Institute of Certified Public Accountants (AICPA), comprises including security, availability, processing integrity, and data privacy.	As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 2 audit in accordance with SSAE 18 standard and vendor received a SOC 2 report, which is written for a customer audience. This audit offers assurance related to: security, availability, processing integrity of provider’s system. confidentiality of the information that the provider’s system processes or maintains for users. privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for users.
SOX	Sarbanes-Oxley Act (SOX) law governs the accuracy of financial information.	When in compliance with Sarbanes-Oxley Act (SOX), vendor had an independent, annual audit whereby vendor provided proof of accurate and secure financial reporting.
TRUSTArc	TRUSTArc certification of privacy management processes.	When certified, indicates the company’s privacy management processes comply with US government laws and best practices as examined by TRUSTArc, a privacy compliance technology company.