SailPoint compliance
★★★★★ 4.6 CE

SailPoint Compliance & Certifications 2026

SailPoint holds SOC 1/2/3, the ISO 27001 family, CSA STAR L2 and FedRAMP Moderate for Identity Security Cloud. Evidence is access-gated and product-scoped.

SailPoint Compliance verdict

Verified today·3 sources checked

SailPoint backs a serious, externally validated compliance posture for an identity-governance platform.

The trust portal documents SOC 1, 2 and 3, ISO/IEC 27001:2022 with 27017, 27018 and 27701, each with a Statement of Applicability, Common Criteria and CSA STAR Level 2. It adds the government regimes GovRAMP, IRAP and C5, plus the EU-US Data Privacy Framework.

What it means for your security review

SailPoint sells the controls it is audited against, which makes it a strong fit. Pull the SOC 2 Type 2 report, the ISO 27001:2022 certificate with its Statement of Applicability, and the CSA STAR Level 2 attestation from the trust portal. Most require an access request. Use the CAIQ and HECVAT self-assessments to shortcut your own questionnaire. For federal work, verify that Class C, or Moderate, meets your impact level, since this is not a FedRAMP High authorization. Confirm the AWS GovCloud public-government deployment, and whether you can reuse one of the existing ATOs. Choose your hosting region at onboarding for residency, and check that the privacy certifications, 27018 and 27701, cover your transfers. Map every certificate to the specific products on your contract, such as ISC, NERM, CIEM and DAS.

Honest limits
  • The FedRAMP authorization for Identity Security Cloud is Class C, or Moderate, not High, and is independently listed on the US FedRAMP Marketplace under FR2001938710A.
  • The most useful evidence, the SOC reports, ISO certificates and pentest report, is private and released only after an access request through the trust portal.
  • Certifications are product-scoped across ISC, NERM, CIEM and Data Access Security, so confirm each certificate covers the module you actually license.
SOC
1 / 2 Type 2 / 3
ISO
27001:2022 / 27017 / 27018 / 27701
Cloud
CSA STAR L2, Common Criteria
Federal
FedRAMP Certified, Class C (Moderate)
Evidence
SafeBase portal + CAIQ/HECVAT
View sources

This page covers SailPoint's compliance posture and evidence. Its general capabilities and deployment mechanics live on their own pages.

SailPoint certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 1 / SOC 2 Type 2 / SOC 3ReportedService-org control reports, gated behind the trust portal
ISO/IEC 27001:2022 (+ SoA)CertifiedISMS certificate with a published Statement of Applicability
ISO/IEC 27017 / 27018 / 27701CertifiedCloud security, cloud privacy and privacy information management
Common CriteriaEvaluatedProduct-level security evaluation
CSA STAR (Level 2)AttestedCloud Controls Matrix attestation; CAIQ on the portal
FedRAMP (Certified, Class C)AuthorizedStandalone listing FR2001938710A, Moderate, 4 ATOs / 6 reuses (regulator-listed)
GovRAMP / IRAP / C5 / EU-US DPFListedUS state-local, Australian and German regimes, plus the transfer framework

Compliance evidence to request from SailPoint

EvidenceTypeHow to get it
SOC 2 Type 2 reportReportTrust portal, access request
ISO 27001 certificate and Statement of ApplicabilityCertificateTrust portal, access request
CSA STAR Level 2 attestation and CAIQAttestationTrust portal self-assessments
Penetration-test reportReportTrust portal, access request
FedRAMP authorization packagePackageFedRAMP Marketplace request form, FR2001938710A

What to verify before you rely on SailPoint

  • The FedRAMP authorization is Class C (Moderate), not High, so confirm it meets the impact level your agency requires.
  • The federal service runs as a Public Cloud SaaS deployment model on the Marketplace listing, which for government workloads is typically the separate AWS GovCloud environment, not the commercial tenant.
  • The most valuable artifacts (SOC reports, ISO certificates, pentest report) are private and require an access request through the portal, so budget time for the security review.
  • Certifications are scoped to specific products (ISC, NERM, CIEM, DAS), so map each certificate to the exact product and module you license.

SailPoint Compliance FAQ

Is SailPoint FedRAMP authorized?

Yes. SailPoint Identity Security Cloud is listed independently on the US government FedRAMP Marketplace at Class C, or Moderate, under standalone package FR2001938710A, with 4 authorizations and 6 reuses. The certified scope covers Cloud Infrastructure Entitlement Management, Data Access Security, Machine Identity Security, Non-Employee Risk Management and Password Management. The level is Moderate, not High, and the federal service is a separate public-government cloud deployment, so confirm it meets your agency's impact requirements.

Which compliance certifications does SailPoint hold?

A broad set, documented in its trust portal. The core is SOC 1, SOC 2 Type 2 and SOC 3, plus ISO/IEC 27001:2022 with 27017, 27018 and 27701, each with a Statement of Applicability. It adds Common Criteria and CSA STAR Level 2. Government and regional regimes bring FedRAMP, GovRAMP, IRAP and the German C5, with the EU-US Data Privacy Framework and a VPAT for accessibility. SailPoint has also signed the CISA Secure-by-Design Pledge.

How do I get SailPoint's compliance evidence?

Through its SafeBase trust portal, which splits documents into public and private sets. Public materials are viewable immediately. The sensitive artifacts, the SOC reports, ISO certificates and Statements of Applicability, the CSA STAR attestation and a penetration-test report, require an access request. The portal also exposes CAIQ and HECVAT Full self-assessments. The FedRAMP package is requested separately from the Marketplace listing.

Where does SailPoint host and store data?

On Amazon Web Services. The trust portal states AWS is the hosting and processing provider for the SaaS core infrastructure. Hosting occurs in the region the customer elects at onboarding, chosen from SailPoint's available regions. The disclosed subprocessor list also includes Confluent for messaging, Datadog for monitoring, Pendo for analytics and Qlik for embedded BI. Personal-data handling is covered by ISO 27018 and 27701 and the EU-US DPF.

What should I verify before relying on SailPoint for compliance?

Confirm the FedRAMP level is sufficient, since the authorization is Class C, or Moderate, rather than High, and check whether your agency can reuse an existing ATO. Pull the SOC and ISO artifacts under the portal's access request and check scope and validity dates. Map each certificate to the products you license, such as ISC, NERM, CIEM and DAS. Select your hosting region for residency, and remember that you, not SailPoint, maintain the API keys the connectors use.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Sailpoint OfficialOfficial product pageJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026
Sailpoint Trust centerProduct documentationJuly 10, 2026

Every fact on this SailPoint page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.