ISO is the International Organization for Standardization, an independent organization that publishes best-practice standards covering a broad range of industries. Nutanix is committed to maintaining robust security and privacy management systems aligned with the following ISO Standards:
- ISO/IEC 27001:2013 Requirements for information security management systems
- ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO/IEC 27701:2019 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
- ISO 28000:2007 Specification for security management systems for the supply chain
SOC is a commonly understood set of criteria developed by the American Institute of Certified Public Accountants (AICPA) for standardized reporting on the security controls at a service organization. Nutanix maintains SOC certifications that provide independent attestation of the security controls in place to protect sensitive data within our product environments.
The SOC reports (SOC 2 Type 1, SOC 2 Type 2, and SOC 3) cover the following products, services, and availability zones:
- Nutanix Cloud Manager (NCM) – Cost Governance (formerly Beam)
- Nutanix Cloud Clusters on AWS (NC2)
- Nutanix Disaster Recovery-as-a-Service (DRaaS) (formerly Xi Leap)
- Nutanix Cloud Manager (NCM) – Security Central (formerly Flow Security Central)
- Availability Zone: Oakland, CA, USA (West 1b)
- Availability Zone: Reno, NV, USA (West 1c)
- Availability Zone: Ashburn, VA, USA (East 1a)
- Availability Zone: Ashburn, VA, USA (East 1b)
- Availability Zone: Ashburn, VA, USA (East 1c)
- Availability Zone: London, England, UK
- Availability Zone: Frankfurt, Germany
Common Criteria (CC) is an international security certification recognized by many countries around the world. When a product achieves certification in one country, it is recognized as CC certified in all 31 nations that participate in the Common Criteria Recognition Agreement (CCRA), and across Europe through the SOG-IS agreement. The Common Criteria standard is also published as an ISO standard, ISO 15408.
Nutanix AOS and AHV are Common Criteria EAL2+ certified. The full Common Criteria certification listing can be viewed on the international Common Criteria Portal (listed under "Other Devices and Systems").
The Cryptographic Module Validation Program (CMVP) is a joint effort between NIST in the United States and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE). The CMVP validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards.
Federal Agencies in the United States and Canada may acquire active FIPS 140-2 cryptographic modules listed in the CMVP database of validated modules for the protection of sensitive information. FIPS 140-2 certification is required or recommended by many other nations as well as several industries, including Healthcare and Financial industries.
SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Rule 1.31(c)-(d)
The US Securities Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC) have defined explicit requirements for regulated entities that choose to retain electronic regulatory records. To meet these regulatory requirements, customers can utilize Nutanix Objects or Nutanix Files for the storage and retention of electronic records.
Nutanix retained Cohasset Associates, an independent assessment firm that specializes in records management and information governance, to assess Nutanix Objects and Nutanix Files compliance with the following electronic records storage and retention regulatory rules:
- The five requirements of SEC Rule 17a-4(f) that relate directly to the recording, storage, and retention of electronic records
- FINRA Rule 4511
- The principles-based requirements of CFTC Rule 1.31(c)-(d)