
SailPoint Compliance & Certifications 2026
SailPoint holds SOC 1/2/3, the ISO 27001 family, CSA STAR L2 and FedRAMP Moderate for Identity Security Cloud. Evidence is access-gated and product-scoped.
SailPoint Compliance verdict
SailPoint backs a serious, externally validated compliance posture for an identity-governance platform.
The trust portal documents SOC 1, 2 and 3, ISO/IEC 27001:2022 with 27017, 27018 and 27701, each with a Statement of Applicability, Common Criteria and CSA STAR Level 2. It adds the government regimes GovRAMP, IRAP and C5, plus the EU-US Data Privacy Framework.
SailPoint sells the controls it is audited against, which makes it a strong fit. Pull the SOC 2 Type 2 report, the ISO 27001:2022 certificate with its Statement of Applicability, and the CSA STAR Level 2 attestation from the trust portal. Most require an access request. Use the CAIQ and HECVAT self-assessments to shortcut your own questionnaire. For federal work, verify that Class C, or Moderate, meets your impact level, since this is not a FedRAMP High authorization. Confirm the AWS GovCloud public-government deployment, and whether you can reuse one of the existing ATOs. Choose your hosting region at onboarding for residency, and check that the privacy certifications, 27018 and 27701, cover your transfers. Map every certificate to the specific products on your contract, such as ISC, NERM, CIEM and DAS.
- The FedRAMP authorization for Identity Security Cloud is Class C, or Moderate, not High, and is independently listed on the US FedRAMP Marketplace under FR2001938710A.
- The most useful evidence, the SOC reports, ISO certificates and pentest report, is private and released only after an access request through the trust portal.
- Certifications are product-scoped across ISC, NERM, CIEM and Data Access Security, so confirm each certificate covers the module you actually license.
- SOC
- 1 / 2 Type 2 / 3
- ISO
- 27001:2022 / 27017 / 27018 / 27701
- Cloud
- CSA STAR L2, Common Criteria
- Federal
- FedRAMP Certified, Class C (Moderate)
- Evidence
- SafeBase portal + CAIQ/HECVAT
This page covers SailPoint's compliance posture and evidence. Its general capabilities and deployment mechanics live on their own pages.
SailPoint certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 1 / SOC 2 Type 2 / SOC 3 | Reported | Service-org control reports, gated behind the trust portal |
| ISO/IEC 27001:2022 (+ SoA) | Certified | ISMS certificate with a published Statement of Applicability |
| ISO/IEC 27017 / 27018 / 27701 | Certified | Cloud security, cloud privacy and privacy information management |
| Common Criteria | Evaluated | Product-level security evaluation |
| CSA STAR (Level 2) | Attested | Cloud Controls Matrix attestation; CAIQ on the portal |
| FedRAMP (Certified, Class C) | Authorized | Standalone listing FR2001938710A, Moderate, 4 ATOs / 6 reuses (regulator-listed) |
| GovRAMP / IRAP / C5 / EU-US DPF | Listed | US state-local, Australian and German regimes, plus the transfer framework |
Compliance evidence to request from SailPoint
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 Type 2 report | Report | Trust portal, access request |
| ISO 27001 certificate and Statement of Applicability | Certificate | Trust portal, access request |
| CSA STAR Level 2 attestation and CAIQ | Attestation | Trust portal self-assessments |
| Penetration-test report | Report | Trust portal, access request |
| FedRAMP authorization package | Package | FedRAMP Marketplace request form, FR2001938710A |
What to verify before you rely on SailPoint
- The FedRAMP authorization is Class C (Moderate), not High, so confirm it meets the impact level your agency requires.
- The federal service runs as a Public Cloud SaaS deployment model on the Marketplace listing, which for government workloads is typically the separate AWS GovCloud environment, not the commercial tenant.
- The most valuable artifacts (SOC reports, ISO certificates, pentest report) are private and require an access request through the portal, so budget time for the security review.
- Certifications are scoped to specific products (ISC, NERM, CIEM, DAS), so map each certificate to the exact product and module you license.
SailPoint Compliance FAQ
Is SailPoint FedRAMP authorized?
Yes. SailPoint Identity Security Cloud is listed independently on the US government FedRAMP Marketplace at Class C, or Moderate, under standalone package FR2001938710A, with 4 authorizations and 6 reuses. The certified scope covers Cloud Infrastructure Entitlement Management, Data Access Security, Machine Identity Security, Non-Employee Risk Management and Password Management. The level is Moderate, not High, and the federal service is a separate public-government cloud deployment, so confirm it meets your agency's impact requirements.
Which compliance certifications does SailPoint hold?
A broad set, documented in its trust portal. The core is SOC 1, SOC 2 Type 2 and SOC 3, plus ISO/IEC 27001:2022 with 27017, 27018 and 27701, each with a Statement of Applicability. It adds Common Criteria and CSA STAR Level 2. Government and regional regimes bring FedRAMP, GovRAMP, IRAP and the German C5, with the EU-US Data Privacy Framework and a VPAT for accessibility. SailPoint has also signed the CISA Secure-by-Design Pledge.
How do I get SailPoint's compliance evidence?
Through its SafeBase trust portal, which splits documents into public and private sets. Public materials are viewable immediately. The sensitive artifacts, the SOC reports, ISO certificates and Statements of Applicability, the CSA STAR attestation and a penetration-test report, require an access request. The portal also exposes CAIQ and HECVAT Full self-assessments. The FedRAMP package is requested separately from the Marketplace listing.
Where does SailPoint host and store data?
On Amazon Web Services. The trust portal states AWS is the hosting and processing provider for the SaaS core infrastructure. Hosting occurs in the region the customer elects at onboarding, chosen from SailPoint's available regions. The disclosed subprocessor list also includes Confluent for messaging, Datadog for monitoring, Pendo for analytics and Qlik for embedded BI. Personal-data handling is covered by ISO 27018 and 27701 and the EU-US DPF.
What should I verify before relying on SailPoint for compliance?
Confirm the FedRAMP level is sufficient, since the authorization is Class C, or Moderate, rather than High, and check whether your agency can reuse an existing ATO. Pull the SOC and ISO artifacts under the portal's access request and check scope and validity dates. Map each certificate to the products you license, such as ISC, NERM, CIEM and DAS. Select your hosting region for residency, and remember that you, not SailPoint, maintain the API keys the connectors use.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Sailpoint Official | Official product page | July 10, 2026 |
| FedRAMP Marketplace | FedRAMP authorization status | July 10, 2026 |
| Sailpoint Trust center | Product documentation | July 10, 2026 |
Every fact on this SailPoint page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore SailPoint
Every page on SailPoint in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
