Skip to main content

Compliance is baked into Appian's cloud security

Organizations are increasingly challenged to balance compliance and competitive innovation. Appian Cloud makes it easy with a comprehensive security and compliance program.

Appian Cloud Compliance Program

Meets the toughest global industry standards

Undergoes frequent security audits

Validates controls are protecting your data

Delivers advanced governance capabilities

The Air Force is committed to modernizing our legacy business systems in a cost-effective manner… implementing extensible, scalable cloud technologies like the business process management capabilities provided by industry partners like Appian.

Richard T. Aldridge
Program Executive Officer for Business and Enterprise Systems and a member of the Senior Executive Service, U.S. Air Force

SOC 1 / ISAE 3402

Service Organization Controls (SOC) reports (formerly SAS 70 reports) are designed to help information systems operators and providers build trust and confidence in their service processes and controls.

Appian publishes a SOC 1 Type II report and an International Standards for Assurance Engagements (ISAE) 3402 report. Performed by an independent Certified Public Accountant, this audit engagement examines a service organization’s internal controls over a period of time that could impact the financial reporting of a customer that utilizes the services under audit. These reports are often important components of customer evaluations of their internal controls over financial reporting for purposes of supporting customers’ financial statement audit and compliance needs.

A Type II engagement provides an opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period, rather than just for a point in time.

SOC 2

SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to applicable Trust Services Principles and Criteria which include security, availability, processing integrity, confidentiality and privacy trust principles.

A Type II reports on the fairness of presentation of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time, not just a point in time.

The SOC 2 Type II report provides a detailed review, by an independent audit firm, of Appian Cloud’s security, availability, and confidentiality controls.

SOC 3

Appian Cloud’s SOC 3 report is publicly available and provides a summary of the Appian Cloud SOC 2 report. The SOC 3 provides assurance about Appian Cloud’s security, availability, and confidentiality controls in alignment with the AICPA’s Trust Services Principles. This includes an external auditor opinion on the effectiveness of operation of controls.

Read the Report

PCI-DSS

The Payment Card Industry (PCI) Security Standards Council offers standards to enhance payment card data security. The PCI Data Security Standard (PCI DSS) provides a framework for developing a robust payment card data security process; including prevention, detection, and appropriate handling of security incidents. Customers can leverage Appian Cloud’s PCI-DSS certification to reduce their own PCI compliance complexity after agreeing to the Appian Cloud PCI-DSS terms.

Appian Cloud has been assessed by an external independent auditor and is compliant with PCI DSS.

HIPAA

The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of Protected Health Information (PHI).

Appian Cloud is compliant with the HIPAA security requirements. With HIPAA compliance, customers can securely process and store protected health information (PHI) in Appian Cloud after executing a Business Associate Agreement.

FEDRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Being FedRAMP Compliant means a cloud system has an established and highly secure environment that has withstood comprehensive audit review before federal agencies are authorized to engage the system.

Appian Cloud is FedRAMP compliant and has received an Agency Authorization to Operate (ATO) at the Moderate level.

By achieving FedRAMP compliance, Appian Cloud has been deemed a viable solution to provide significant time and cost savings, improved security risk management, and enhanced program transparency for mission-critical federal operations. This authorization can be re-used by other Federal agencies to save both time and staff over working with non-FedRAMP systems.

Access the Appian Cloud FedRAMP Compliant Package

DISA Impact Level 2 (IL2)

Using FedRAMP as a foundation, the U.S. Department of Defense (DoD) defined additional requirements in their DoD Cloud Computing Security Requirements Guide (SRG). The authorization program is managed by the Defense Information Systems Agency (DISA).

Appian has Provisional Authorization (PA) for IL2 deployments in the Appian Government Cloud.

For additional information on DoD Cloud Security Impact Levels please visit the DoD Cloud Security portal.

DISA Impact Level 4 (IL4)

Using FedRAMP as a foundation, the U.S. Department of Defense (DoD) defined additional requirements in their DoD Cloud Computing Security Requirements Guide (SRG). The authorization program is managed by the Defense Information Systems Agency (DISA).

Appian has Provisional Authorization (PA) for IL4 deployments in the Appian Government Cloud.

For additional information on DoD Cloud Security Impact Levels please visit the DoD Cloud Security portal.

DISA Impact Level 5 (IL5)

Using FedRAMP as a foundation, the U.S. Department of Defense (DoD) defined additional requirements in their DoD Cloud Computing Security Requirements Guide (SRG). The authorization program is managed by the Defense Information Systems Agency (DISA).

Appian has received Provisional Authorization (PA) for IL5 deployments in the Appian Government Cloud.

For additional information on DoD Cloud Security Impact Levels please visit the DoD Cloud Security portal.

FISMA

The Federal Information Security Management Act (FISMA), enacted in 2002 and amended in 2014, provides a comprehensive framework for ensuring the effectiveness of information security controls for United States federal government IT systems. Together the Office of Management and Budget (OMB), Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) have put a program in place to set the standards and oversee compliance.

Appian Cloud has a security framework with a robust security control structure in place that enables federal organizations to achieve Authorization to Operate (ATO).

GxP

Pharmaceutical and Life Sciences companies are required by law to meet Validation and Good Practice Standards (GxP) when building systems that touch or implicate predicate records. These include records and processes associated with clinical trials, laboratory work, quality assurance, regulatory information management, manufacturing, and electronic health records.

Appian Cloud is in alignment with GxP computer system validation requirements and standards. Appian supports GxP compliance and diligence efforts. 

FDA

The Food and Drug Administration (FDA) introduced 21 CFR Part 11 as a requirement for commercial life science companies that maintain FDA-required records and signatures in electronic format to meet specific standards and comply with good clinical, laboratory, and manufacturing practices. The primary goals of this regulation are to ensure data integrity; that changes made to the system are documented, reasoned, and non-repudiated; computer systems used are trustworthy; and applications are validated to intended use.

Appian Cloud supports the necessary capabilities and technology to allow customers to build applications that are compliant with 21 CFR Part 11.

UK G-Cloud

G-Cloud 13 is a digital marketplace that enables the UK public sector to find people and technology for projects across the government. The G-Cloud Framework is made possible by the Crown Commercial Service (CCS) which is focused on providing commercial services to the public sector and saving money for the taxpayer. They are able to do this by combining policy, offering advice, pre-vetting quality offerings and allowing organizations to conduct direct buying.

The Crown Commercial Service (CCS) works with both departments and organisations across the whole of the public sector to ensure maximum value is extracted from every commercial relationship and improve the quality of service delivery.

Appian Cloud is compliant with the G-Cloud Framework. Appian Cloud’s  G-Cloud certification can be found in the gov.uk Digital Marketplace.

508 / VPAT

The Rehabilitation Act of 1973, Section 508, requires that Federal agencies’ electronic and information technology is accessible to people with disabilities.

The Voluntary Product Accessibility Template (VPAT) is a tool used to document a product’s conformance with the accessibility standards under Section 508 of the Rehabilitation Act.

Appian has completed the VPAT and the Appian product is compliant with Section 508.

Learn more

Cloud Security Alliance

The Cloud Security Alliance’s (CSA) Security, Trust and Assurance Registry (STAR) Program provides a comprehensive framework for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world. The STAR program allows cloud providers to assess their controls against the CSA Cloud Controls Matrix.

Appian Cloud is registered in the CSA Security, Trust and Assurance Registry, having completed the Consensus Assessments Initiative Questionnaire (CAIQ) covering 133 controls across 16 domains.

View Appian Cloud’s STAR Submission

Qualys SSL Labs

Qualys SSL Labs provides deep analysis of the security configuration of web servers on the Internet, specifically the SSL/TLS configuration. Appian Cloud’s web-tier is rated as an A+ by SSL Labs.

Health Information Trust Alliance (HITRUST)

Organizations rely on prescriptive guidance from the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)for managing security requirements inherent in HIPAA.

To protect highly sensitive information, healthcare organizations—including health insurance companies, hospitals, medical practices and SaaS providers—require a HITRUST CSF (Common Security Framework) certified infrastructure.

HITRUST CSF uses nationally and internationally accepted standards including ISO, NIST, PCI, and HIPAA to ensure a comprehensive set of baseline security controls.

CoalFire

ISO/IEC 27001:2013

An international standard for information security and risk management, ISO/IEC 27001:2013 protects organizations in all industries and sectors across the globe.

The ISO 27001:2013 standard call for organizations to implement an appropriate Information Security Management System (ISMS), which ensures management, operational, and technical security controls are operating effectively.

By becoming certified in ISO 27001:2013, Appian Cloud demonstrates it has reached a high level of security maturity. With a goal of providing the most robust security possible, Appian has put controls in place to manage or eliminate security risks, enabling customers to trust that their confidential data is protected.

ISO 27017:2015

The ISO 27017:2015 standard establishes additional control requirements specifically for cloud service providers including the management of cloud infrastructure.

By becoming certified in ISO 27017:2015, Appian Cloud demonstrates it has reached a high level of security maturity. With a goal of providing the most robust security possible, Appian has put the necessary controls in place to manage or eliminate security risks, enabling customers to trust that their data is protected.This ISO certification applies to all Appian Cloud customers worldwide as it expands on our existing ISO 27001 certification framework

ISO 27018:2019

The ISO 27018:2019 standard provides additional requirements for effective security and management of personally identifiable information (PII) within cloud environments.

By becoming certified in ISO 27018:202019, Appian Cloud demonstrates it has reached a high level of security and PII protection maturity. Appian has put the necessary controls in place to manage or eliminate security risks, enabling customers to trust that their personally identifiable information is protected.This ISO certification applies to all Appian Cloud customers worldwide as it expands on our existing ISO 27001 certification framework.

ISO 9001:2015    

An international standard for quality management, ISO 9001:2015 helps ensure that customers receive consistent, quality products and services.

The ISO 9001:2015 standard calls for organizations to implement an appropriate Quality Management System (QMS), which ensures customer focus, the motivation and implication of top management, the process approach and continual improvement.

By becoming certified in ISO 9001:2015, Appian Engineering demonstrates it has reached a high level of quality maturity. With a commitment to customer satisfaction and quality, Appian has put processes in place to ensure that customers get consistent, good-quality products and services.

Cyber Essentials

The UK National Cyber Security Centre's Cyber Essentials program is designed to ensure that organizations guard against the most common cyber threats and demonstrate their commitment to cyber security, backed by the UK Government. Appian Cloud has achieved certification with Cyber Essentials. For more information related to this certification, please refer to ncsc.gov.uk/cyberessentials

Cyber Essentials Plus

The Cyber Essentials Plus certification is backed by the UK National Cyber Security Centre to help organizations demonstrate operational security against common cyber attacks. It verifies security levels for enterprises and government agencies. Appian Cloud has achieved both the Cyber Essentials and Cyber Essentials Plus certifications. For more information, please refer to ncsc.gov.uk/cyberessentials.

Esquema Nacional de Seguridad (ENS)

The Esquema Nacional de Seguridad (ENS) is Spain's national security framework based on laws related to information security. Appian Cloud has achieved certification with ENS. For more information related to this certification, please refer to ens.ccn.cni.es/en/

StateRAMP


StateRAMP is a United States program for States that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Being StateRAMP Compliant means a cloud system has an established and highly secure environment that has withstood comprehensive audit review before States are authorized to engage the system.

Appian Cloud is StateRAMP compliant and has received an Authorization at the Moderate level.

By achieving StateRAMP compliance, Appian Cloud has been deemed a viable solution to provide significant time and cost savings, improved security risk management, and enhanced program transparency for mission-critical State operations. This authorization can be re-used by States to save both time and staff over working with non-StateRAMP systems.

Please refer https://stateramp.org/about-us/

Canada Protected B


The Government of Canada (GC) Protected B security level for sensitive government information and assets applies to information or assets that, if compromised, could cause serious injury to an individual, organization, or government. Based on the Information Technology Security Guidance (ITSG) 33 on IT security risk management published by the Canadian Centre for Cybersecurity (CCCS), GC developed the Guidance on the Security Categorization of Cloud-Based Services (ITSP.50.103) and the Government of Canada Security Control Profile for Cloud-based GC Services (GC Security Control Profile), which identifies the baseline security controls applicable to the processing of information having a security category of Protected B, medium integrity, and medium availability (PBMM).

Infosec Registered Assessors Program (IRAP)


The Information Security Registered Assessor Program (IRAP) provides a comprehensive process for the assessment of a security system against the requirements laid out by the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC). IRAP enables Australian Government customers to help ensure that Appian has been assessed against the requirements laid out by the Australian Government Information Security Manual (ISM) up to the Protected level. Appians IRAP assessment demonstrates our commitment to the Australian public sector and provides additional confidence in using the Appian platform for their most critical business processes. 

The Cloud Computing Compliance Criteria Catalogue (C5)

The Cloud Computing Compliance Criteria Catalogue (C5) developed by the German Federal Office for Information (BSI) helps organizations demonstrate operational security against common cyber-attacks when using cloud services. C5 enables German Government and German commercial customers to help ensure that Appian has been assessed against the criteria outlined by the German Federal Office for Information (BSI).

The SOC 2 C5 Type II report provides a detailed review of Appian Cloud, by and independent audit firm against the applicable criteria set forth in Section 3.4.4.1 of C5:2020. 

Ready to talk?

See how the world’s fastest-growing organizations use Appian for process automation.