CyberArk compliance
★★★★★ 4.5 CE

CyberArk Compliance & Certifications 2026

CyberArk publishes SOC 2, SOC 3 and a deep ISO set, plus FedRAMP High for its government EPM agents. The strongest reports sit behind a trust-center NDA.

CyberArk Compliance verdict

Verified today·3 sources checked

CyberArk's compliance file is deep, as you would expect from a privileged-access vendor.

The SafeBase trust center publishes SOC 2 and SOC 3, plus the ISO 27001, 27017 and 27018 family. Alongside them sit ISO 42001 for AI, ISO 9001 and 22301, PCI DSS v4.0.1, HIPAA, CSA STAR, Common Criteria, IRAP, Cyber Essentials Plus, plus a DoDIN APL listing for defense.

What it means for your security review

CyberArk brings privileged-access-grade assurance: the certifications most security teams ask for, plus an independently verifiable FedRAMP High authorization for its government endpoint offering. Start by confirming which module you are actually buying. FedRAMP covers the government EPM offering, while the broad SOC 2 and ISO set covers the commercial SaaS. Then open a trust-center review and download the SOC 2 report and ISO certificates under NDA. One procurement trap is easy to miss. The government listing now sits under Palo Alto Networks and Idira branding, so verify the contracting entity before you sign. Map the subprocessor list and DPA to your residency needs, and request the DoDIN APL and Common Criteria evidence for defense use.

Honest limits
  • FedRAMP authorization is independently listed, but it applies to the Endpoint Privilege Manager for Government offering and its named agents, not automatically every CyberArk SaaS module.
  • The government FedRAMP listing names the vendor as Palo Alto Networks and the product as Idira, with the product site at cyberark.com, so confirm the contracting entity.
  • The strongest SOC 2 and ISO reports are gated behind a trust-center security review and NDA, so plan to request them during evaluation.
FedRAMP
High (Class D), EPM for Gov
Federal
3 ATOs / 5 reuses
Core reports
SOC 2/3, ISO 27001/17/18
AI + DoD
ISO 42001, DoDIN APL, Common Criteria
Evidence
SOC 2 + ISO under NDA
View sources

This page covers CyberArk's compliance posture and evidence. Its general PAM capabilities and deployment mechanics live on their own pages.

CyberArk certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 2 / SOC 3Reports availableSOC 2 report downloadable under NDA via the trust center
ISO/IEC 27001:2022 / 27017 / 27018CertifiedISMS, cloud-security and cloud-privacy certificates
FedRAMP (EPM for Government)Authorized, Class D (High)Regulator-listed: Rev5, 3 ATOs / 5 reuses; Windows, macOS and Linux agents
ISO 42001:2023 / ISO 9001 / ISO 22301CertifiedAI management, quality and business-continuity certificates
PCI DSS v4.0.1 / HIPAACompliantLatest PCI standard and healthcare data handling
Common Criteria / DoDIN APLCertifiedProduct assurance plus the US DoD approved-product list
CSA STAR / IRAP / Cyber Essentials PlusCertifiedCloud-assurance registry plus AU IRAP and UK regimes

Compliance evidence to request from CyberArk

EvidenceTypeHow to get it
SOC 2 reportReportTrust center, security review and NDA
ISO certificates (27001, 27017, 27018, 42001, 9001, 22301)CertificateTrust center, downloadable
FedRAMP authorization packagePackageFedRAMP Marketplace request form, .gov or .mil email
DoDIN APL documentListingTrust center, defense buyers
DPA and subprocessor listDocumentTrust center, data-privacy section

What to verify before you rely on CyberArk

  • FedRAMP authorization is for the specific Endpoint Privilege Manager for Government offering and its named agents, not automatically every CyberArk SaaS module, so confirm which product carries the authorization you need.
  • The government FedRAMP listing names the vendor as Palo Alto Networks and the product as Idira Endpoint Privilege Manager, with the product website still at cyberark.com, so verify the contracting entity for procurement.
  • The strongest evidence is gated: start a review and download the SOC 2 report and ISO certificates under NDA rather than relying on the badge list.
  • For defense use, confirm the DoDIN APL listing and Common Criteria evaluation cover the specific product version you intend to deploy, and map the subprocessor list and DPA to your residency obligations.

CyberArk Compliance FAQ

Is CyberArk FedRAMP authorized?

Yes, for its government endpoint offering. The US-government FedRAMP Marketplace independently lists Endpoint Privilege Manager for Government as Certified at Class D, or High, on Rev5. It has been authorized since 14 March 2024, with 3 authorizations and 5 reuses covering the Windows, macOS, Linux agents. The listing now appears under Palo Alto Networks and Idira branding, and FedRAMP applies to that specific government offering rather than every CyberArk SaaS module.

Which compliance certifications does CyberArk hold?

A broad set, published on its trust center. The core reports are SOC 2 and SOC 3, plus the ISO/IEC 27001:2022, 27017:2015 and 27018:2019 family. On top of that sit ISO/IEC 42001:2023 for AI management, ISO 9001:2015 and ISO 22301, PCI DSS v4.0.1, HIPAA, CSA STAR, Common Criteria, IRAP, Cyber Essentials Plus. It also carries a DoDIN APL document, with CCPA and GDPR alignment.

How do I get CyberArk's SOC 2 report and other evidence?

Through the CyberArk Trust Center, powered by SafeBase. You start a security review and request access, then view and download the sensitive documents under NDA, including the SOC 2 report and the ISO certificates. Federal buyers can request the FedRAMP package for Endpoint Privilege Manager for Government directly from the FedRAMP Marketplace, and defense buyers can request the DoDIN APL document.

How does CyberArk handle data and where is it hosted?

It runs on Amazon Web Services with documented business continuity and disaster recovery. It maintains a published Data Processing Agreement and subprocessor list, documents data backups and erasure, and aligns with CCPA and GDPR. The FedRAMP-listed government offering is classified as SaaS on a public-cloud deployment model.

What should I verify before approving CyberArk?

Confirm which module carries the certification you need, since FedRAMP applies to the government EPM offering rather than every SaaS module. Because the government listing sits under Palo Alto Networks and Idira branding, verify the contracting entity. Download the actual SOC 2 and ISO reports under NDA rather than trusting the badge list. Map the subprocessor list and DPA to your obligations, and request the DoDIN APL and Common Criteria evidence for defense deployments.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Cyberark OfficialOfficial product pageJuly 10, 2026
Cyberark Trust centerProduct documentationJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026

Every fact on this CyberArk page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.