Adobe Compliance Certifications, Standards, and Regulations

[Last Updated: January 2025]

Adobe Service Offering	Completed certifications and attestations
Adobe-wide Security [7]**	Assessed by TruSight Registered, Trusted Information Security Assessment Exchange (TISAX) [6] [7]
Adobe-wide Privacy	General Data Protection Regulation (GDPR) California Consumer Privacy Act (CCPA)
Adobe-wide Accessibility	WCAG 2.1 level AA European Accessibility Act EN 301 549 V3.2.1 (2021-03) (Harmonized European Accessibility Standard) Section 508 of the Rehabilitation Act of 1973 (United States only) ISO 32000-2:2020 (PDF Standard) ISO 14289-1:2014 (PDF/UA) (PDF standard enhancement for accessibility)
Adobe Creative Cloud for enterprise	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored GLBA ready [1] FERPA ready [1] CSA Star Level 2
Adobe Document Cloud - Acrobat Sign Solutions for enterprise	SOC 2– Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 C5 Certified (Germany) IRAP Assessed [8] (Australia) ISMAP Registered (Japan) HIPAA ready [1]* FDA 21 CFR Part 11 ready [1] EudraLex Volume 4 Annex 11 ready [1] PCI DSS V3.2.1 compliant merchant and service provider [3] Qualified Trust Service Provider (QTSP) for time stamps GLBA ready [1] FERPA ready [1] CSA Star Level 2
Adobe Document Cloud - Acrobat Web, Acrobat Services (PDF Services API), Acrobat AI Assistant	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 C5 Certified (Germany) FedRAMP Tailored ISMAP Registered [10] (Japan) GLBA ready [1] FERPA ready [1] CSA Star Level 2
Adobe Acrobat Sign for Government	FedRAMP Moderate HIPAA Ready [1]* SOC 2–Type 2 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019
Adobe Experience Cloud [2]	FedRAMP Tailored [4] SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 HIPAA ready [1]* IRAP Assessed [8] (Australia) GLBA ready [1] FERPA ready [1] TrustArc GDPR Privacy Practices Management Compliance Validation TrustArc APEC Privacy Recognition for Processors (PRP) Certification
Adobe Managed Services (Connect and Adobe Experience Manager (AEM) only)	FedRAMP Moderate [11] SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 Esquema Nacional de Seguridad (ENS) High (Spain) [5] PCI 4.0 Compliant Service Provider [9] IRAP Assessed [8] (Australia) HIPAA ready [1]* GLBA ready [1] FERPA ready [1] CSA Star Level 2
Adobe Commerce on Cloud	SOC 2-Type 2 (Security) PCI DSS 4.0 compliant service provider HIPAA Ready [1]* CSA Star Level 2
Adobe.com eCommerce	PCI DSS 4.0 compliant merchant
Adobe Learning Manager	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 FedRAMP Tailored GLBA ready [1] FERPA ready [1] CSA Star Level 2
Adobe Frame.io	SOC 2–Type 2 (Security, Availability, & Confidentiality) SOC 3 (Security, Availability, & Confidentiality) ISO 9001:2015 ISO 27001:2022 ISO 27017:2015 ISO 27018:2019 ISO 22301:2019 Trusted Partner Network (TPN) Gold Shield CSA Star Level 2

* For more information about HIPAA-ready Adobe solutions, please refer to our "HIPAA and Adobe Products and Services" information page.

** For more information about available attestations for Adobe products and services as part of Cybersecurity Infrastructure & Security Agency (CISA) Secure Software Development Framework (SSDF) requirements, please refer to our "SSDF and Adobe Products and Services" information page.

[1] An Adobe service that is GLBA ready, FERPA ready, FDA 21 CFR Part 11 ready, EudraLex Volume 4 Annex 11 ready, or HIPAA ready means that the service can be used in a way that enables the customer to help meet its legal obligations related to the use of service providers. Ultimately, the customer is responsible for ensuring compliance with legal obligations, that the Adobe service meet its compliance needs, and that the customer secures the service appropriately. Under FERPA guidelines, Adobe can contractually agree to act as a “school official” when it comes to handling regulated student data and therefore enable our education customers to comply with FERPA requirements.

[2] Adobe Experience Cloud includes Adobe Advertising Cloud, Adobe Analytics, Adobe Audience Manager, Adobe Campaign, Adobe Commerce Other Services & Data Services, Adobe Connect, Adobe Core Services, Adobe Customer Journey Analytics, Adobe Experience Manager Cloud Service, Adobe Experience Manager, Adobe Experience Platform, Adobe Journey Optimizer, Adobe Marketo (Engage, Sales Connect & Measure), Adobe MixModeler and AI, Adobe Primetime, Adobe Real Time Customer Data Platform, Adobe Target, and Adobe Workfront.

[3] PCI DSS compliance excludes Adobe Send & Track service.

[4] FedRAMP Tailored applies to Adobe Analytics and Adobe Campaign only.

[5] Applies to Adobe Experience Manager (AEM) - Managed Services only.

[6] Does not apply to Frame.io, Workfront, Commerce on Cloud, Adobe Acrobat Sign for Government.

[7] Adobe is TISAX certified for San Jose and Dublin office locations only.

[8] Applies to Customer Journey Analytics (CJA) Australia at Protected Level, Adobe Acrobat Sign Australia at Official Level (Official is same as Official Sensitive), and Adobe Experience Manager (AEM) Gov Cloud Australia at Protected Level.

[9] Applies to Adobe Experience Manager - Managed Services for Enhanced Security Offering only.

[10] Acrobat AI Assistant is currently not ISMAP Registered, however it's in scope for the FY24 Document Cloud ISMAP audit.

[11] FedRAMP Moderate is only applicable for Adobe Experience Manager (AEM) Gov Cloud and Adobe Connect Gov Cloud offerings.