Compliance and Certifications


ISO is the International Organization for Standardization, an independent organization that publishes best-practice standards covering a broad range of industries. Nutanix is committed to maintaining robust security and privacy management systems aligned with the following ISO Standards:


  • ISO/IEC 27001:2013 Requirements for information security management systems
  • ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27701:2019 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
  • ISO 28000:2007 Specification for security management systems for the supply chain


SOC is a commonly-understood criteria developed by the American Institute of Certified Public Accountants (AICPA) for providing standard reporting on security controls at a service organization.  Nutanix maintains SOC certifications which provide independent attestation of the security controls in place to protect sensitive data within our product environments.

Product / Service / Applicability SOC 2 Type 1 SOC 2 Type 2 SOC 3
Xi Beam      
Xi Frame      
Nutanix Clusters      
Xi Leap      
Availability Zone: Santa Clara, CA, USA (West 1a)      
Availability Zone: Oakland, CA, USA (West 1b)      
Availability Zone: Reno, NV, USA (West 1c)      
Availability Zone: Ashburn, VA, USA (East 1a)      
Availability Zone: Ashburn, VA, USA (East 1b)      
Availability Zone: Ashburn, VA, USA (East 1c)      
Availability Zone: London, England, UK      
Availability Zone, Catania, Italy      
Availability Zone, Frankfurt, Germany      
Availability Zone, Osaka, Japan      

FIPS Certifications

The Cryptographic Module Validation Program (CMVP) is a joint effort between NIST in the United States and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE). The CMVP validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards.

Federal Agencies in the United States and Canada may acquire active FIPS 140-2 cryptographic modules listed in the CMVP database of validated modules for the protection of sensitive information. FIPS 140-2 certification is required or recommended by many other nations as well as several industries, including Healthcare and Financial industries.

Common Criteria

Common Criteria is an international security certification that is recognized by many countries around the world.  When a product achieves certification in one country, the product is recognized as CC certified in all 31 participating nations that participate in the Common Criteria Recognition Agreement (CCRA) and recognized across Europe through the SOG-IS agreement. The Common Criteria standard is also an ISO standard, ISO 15408.

Nutanix AOS and AHV are Common Criteria EAL2+ certified. The full Common Criteria certification listing can be viewed on the international Common Criteria Portal (listed under "Other Devices and Systems").

Xi Government Cloud is FedRAMP Authorized

Xi Government Cloud currently holds an Agency Authorization at a moderate security impact level. Nutanix Xi Government Cloud provides US Government agencies and supporting customers a single point of management and analysis across all of their clouds. Nutanix Government Cloud provides a suite of PaaS and SaaS services to enable streamlined cloud management, application delivery, and governance. Nutanix Government Cloud provides solutions to enable customers to adhere to U.S. International Traffic in Arms Regulations (ITAR) regulations.

Nutanix Xi Government Cloud consists of the following services: Xi Frame and Xi Beam. More information can be found on the FedRAMP Marketplace.


SEC Rule 17a-4(f), FINRA Rule 4511, and
CFTC Rule 1.31(c)-(d)

The US Securities Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC) have defined explicit requirements for regulated entities that choose to retain electronic regulatory records. To meet these regulatory requirements, customers can utilize Nutanix Objects for the storage and retention of electronic records.


Nutanix retained Cohasset Associates, an independent assessment firm that specializes in records management and information governance, to assess Nutanix Objects compliance with the following electronic records storage and retention regulatory rules:

  • The five requirements of SEC Rule 17a-4(f) that relate directly to the recording, storage, and retention of electronic records
  • FINRA Rule 4511
  • The principles-based requirements of CFTC Rule 1.31(c)-(d)

If you have any questions regarding compliance, please reach out to us.