This topic describes the security and compliance certifications for MaxCompute and provides links to download compliance documents.
Alibaba Cloud MaxCompute adheres to internal and external standards for product quality, technical services, stability, security, and compliance. Independent third-party authorities assess and validate the service. These certifications help customers meet the security and compliance requirements of their regions and industries.
The following table lists the main security and compliance certifications that apply to this product:
Certification | Description |
This standard defines the requirements for developing, implementing, monitoring, maintaining, and improving an IT service management system. It covers areas such as service level management, incident and problem management, change management, availability management, relationship management, and configuration and release management. Alibaba Cloud uses this certification to ensure that its technical services and support meet business needs and to improve service quality, customer satisfaction, and operational efficiency through standardized processes. | |
This standard centers on the customer, emphasizing the identification, management, and optimization of key business processes to improve efficiency and effectiveness. It covers planning, implementation, monitoring, correction, and improvement activities throughout the entire product lifecycle, from requirement confirmation, design, development, and testing to sales and pre-delivery activities. Alibaba Cloud leverages this certification to establish systematic and standardized quality management processes for its products and services, as well as a model for continuous improvement. This ensures that the full product lifecycle management meets all requirements, reduces defects and errors, and enhances customer satisfaction. | |
This is one of the most widely recognized international frameworks for an information security management system. It helps organizations design and implement a management system and control measures covering security organization, personnel security, physical security, and security technology. Alibaba Cloud uses this certification to effectively manage risks related to physical, network, application, data, and supply chain security. This protects information assets and improves the security and compliance of its services. | |
This standard provides a management framework for establishing, implementing, maintaining, and continually improving a business continuity management system to respond to disruptive incidents and ensure that critical business functions can be recovered quickly. Alibaba Cloud uses this certification to apply a systematic approach to identify potential threats, develop response measures, and refine recovery plans. This allows Alibaba Cloud to rapidly restore critical business capabilities during emergencies, fulfilling its responsibilities to customers and stakeholders. | |
This standard provides a systematic framework for cloud security. Based on ISO/IEC 27001 and ISO/IEC 27002, it offers additional security controls and implementation guidance for cloud service providers (CSPs) and cloud service customers. Alibaba Cloud uses this certification to enhance cloud-specific controls, such as virtual machine security and data isolation, and to effectively manage information security risks. | |
CSA STAR is a global cloud security certification and assessment program launched by the Cloud Security Alliance. It combines the ISO/IEC 27001 information security management system standard and the CSA Cloud Controls Matrix to provide a transparent and trustworthy cloud security assessment framework for cloud service providers (CSPs) and cloud service users. Alibaba Cloud uses this certification to assess, improve, and certify the security and compliance of its cloud products and services across multiple domains, including infrastructure security, network security, application security, data security, privacy protection, compliance, and risk management. | |
ISO 27701 is a privacy extension to the ISO 27001 and ISO 27002 standards. It integrates privacy protection principles into the information security framework, covering requirements for privacy risk management, data subject rights, data sharing and transfer, privacy by design, transparency, and incident response. Alibaba Cloud uses this certification to establish, implement, maintain, and continually improve its privacy management system and controls, thereby improving its privacy compliance. | |
ISO 27018 Public Cloud Personal Information Protection Management System | This standard addresses privacy protection requirements for a cloud service provider (CSP) when processing personally identifiable information (PII), enhancing data security and customer trust in public cloud environments. Based on the ISO 27002 code of practice, Alibaba Cloud implements an additional set of controls for protecting personal information. These controls emphasize principles such as data minimization, user control, and data subject consent, ensuring strict adherence to privacy principles when handling customer PII. |
This standard provides a best-practice framework for a personal information management system, referencing the principles of the EU's GDPR. It helps organizations implement compliant and reliable management measures throughout the entire lifecycle of personal information, including collection, storage, processing, sharing, and disposal. Alibaba Cloud uses this certification to establish a standardized management system that reduces the risk of a data breach or misuse. This system plays a significant role in improving privacy management, enhancing customer trust, and meeting compliance requirements. | |
This is a certification standard for a compliance management system. It ensures an organization adheres to applicable laws, regulations, industry standards, and internal policies by establishing processes to identify, assess, and manage compliance risks. Alibaba Cloud uses this certification to improve the efficiency and transparency of its internal compliance management, foster a culture of compliance, and encourage commitment from both internal and external stakeholders. | |
The Payment Card Industry Data Security Standard (PCI DSS), developed and maintained by the PCI Security Standards Council (PCI SSC), provides a unified baseline and specific control requirements for protecting account data. It covers multiple aspects, including security management systems, network security, physical security, and data encryption. As a cloud service provider (CSP), Alibaba Cloud adheres to this standard. It assumes security responsibilities for the cloud platform and helps customers build secure data environments through its products and services. | |
China implements the Multi-Level Protection Scheme (MLPS), which requires a network operator to fulfill security obligations to protect networks from interference, damage, or unauthorized access, and prevent network data from being leaked, stolen, or tampered with. Alibaba Cloud establishes a robust cybersecurity protection system based on the principles of proactive defense and comprehensive control. Each year, an independent third-party authority assesses the Alibaba Cloud public cloud data and development service platform (PaaS) against MLPS standards to ensure it meets national cybersecurity protection requirements. | |
Trusted Cloud - Cloud Service User Data Protection Capability Test | The Trusted Cloud assessment is a professional evaluation system in China for cloud services, administered by the China Academy of Information and Communications Technology (CAICT). Its core objective is to establish an evaluation system for cloud service providers to help users select secure and trustworthy providers. Alibaba Cloud has passed the Cloud Service User Data Protection Capability Test, meeting assessment requirements across three phases: pre-incident prevention, in-incident protection, and post-incident traceability. This includes compliance with standards for data persistence, data privacy, data migration security, intrusion prevention, and service auditability. |
Trusted Cloud - Cloud Computing Security Shared Responsibility Capability Test | The Trusted Cloud assessment is a professional evaluation system in China for cloud services, administered by the China Academy of Information and Communications Technology (CAICT). Alibaba Cloud has passed the assessment for its capabilities regarding the shared responsibility model. Based on the "Requirements for Shared Responsibility Capability in Cloud Computing Security" standard, this assessment verifies that Alibaba Cloud meets criteria in areas such as its responsibility allocation model, security capability support, and service agreement transparency. |
System and Organization Controls (SOC) reports are a series of auditing standards established by the American Institute of Certified Public Accountants (AICPA). They are designed to assess the effectiveness of controls at service organizations, such as cloud service providers and data centers. Alibaba Cloud SOC reports are independent audit reports issued by third-party auditors, providing customers and their auditors with detailed information on the effectiveness of Alibaba Cloud's internal controls. There are three types of SOC reports:
|