IBM SaaS security

Select a different country:

IBM SaaS security

Back to top

Select product certifications


From start-ups to global enterprises, the number of SaaS adopters continues to grow. Strong security and privacy are among the top criteria for enterprise decision makers selecting cloud vendors. Equally important is the ability to scale and adapt quickly to changing needs without compromising security, privacy or risk levels. IBM has earned the trust of enterprises around the world with our continuous focus on security and privacy.

Contact tab
Hide [x]

Frequently asked questions about IBM SaaS security


Is the IBM SaaS offering model using public, private or hybrid clouds?

All IBM SaaS offerings are public service models accessed via the Internet or a virtual private network (VPN) connection. IBM also does support some of the SaaS offerings in private service and hybrid models.

If public, is it single or multi-tenant?

IBM SaaS offerings are a mix of multi-tenant and single-tenant deployment models.

Are the IBM SaaS offerings designed to handle personal information?

Yes, IBM SaaS offerings are designed to process data compliant with industry privacy standards for Personal Information (PI) and Sensitive Personal Information (SPI).

Many SaaS offerings are EU-US Safe Harbor certified and align with other regulations that address processing of Personal Information (PI) and Sensitive Personal Information (SPI).

What additional regulated information standards are the IBM SaaS offerings designed to handle?

Most IBM SaaS offerings are designed to process data in ways that align with the following information standards: ISO27000, SSAE16, and select NIST standards such as FIPS 140-2. Some SaaS offerings also support PCI, FFIEC and FISMA/FedRAMP.

Where is the staff located who have access to the service and its associated data?

Supporting staff with access to the service includes IT Operations, DevOps, SaaS Support, and SaaS offerings like customization and onboarding.

When private or regulated information is stored, where are the servers located?

IBM SaaS offerings can store information on servers located across North America (NA), Europe, Middle East, and Africa (EMEA), and in certain instances, in Japan, Hong Kong, Singapore and Australia. IBM also has limited SaaS operations in China that serve Chinese clients, and are in line with local regulatory requirements.

Will private or regulated information be accessible to third-party subcontractors?

IBM does use third-party subcontractors for staff augmentation. If the service supports private or regulated data, third-party subcontractors may have access to the information.


Do the IBM SaaS offerings have an information security policy?

Yes. IBM has security policies in place that align with, or are more stringent than, privacy standards from SSAE and ISO. Enveloping multiple standards drives an overall more stringent policy

Is there a policy for content encryption and encryption key management?

Yes. Encryption and key management is a part of the IBM security policy. Encryption attributes can in most cases be negotiated for each deal.

Has a third-party security attestation been completed? Is a report available?

Many of the services have completed, or have plans to complete, third-party attestations with a report available upon request to clients who are using the service.

What standard international certifications are either already in place or part of a roadmap?

At least SAS70 / SSAE16 and ISO27000.

Is there an information security incident management process in place? Does it include customer notification?

Yes, a security incident management system is in place, which includes notification to IBM customers. This process is managed by the IBM CIO’s office.

Is there a policy to manage user access and passwords that has documented and auditable procedures?

Yes, a policy is in place and audited by IBM and by external third parties for IBM system admin access. The policy and auditing includes the processes for granting and revoking access, validating business need, etc. IBM applies the same password management and compliance policies to its SaaS business that it applies to the protection of its internal business systems, source code and intellectual property networks. Application-level user access management is the responsibility of the client, including any application-level client system admin authorities and password management.

What happens to the client data when the service ends?

Client data can either be returned to the client or it can be securely destroyed.

Is there a non-disclosure policy for third-party subcontractors to gain access to client data? Is there a process to notify clients of the subcontractor names?

Not all services use third-party subcontractors for staff augmentation. If IBM were to use subcontractors to help deliver the service, the subcontractors are held to the same security policy requirements as regular IBM employees. Companies who supply subcontractor employees to IBM go through a rigorous screening and qualification process and are required to have each subcontractor supplied to IBM sign a confidential disclosure agreement. Companies who supply subcontract employees to IBM are required to meet the local, regional, national employment checks prior to supplying employees to IBM. Hiring of IBM subcontractors is managed by the IBM Human Resources and IBM Procurement organization.


Are log files / audit trails available to clients to monitor who accesses their information?

IBM monitors and manages log files and audit trails to identify unauthorized access to the environments and to the actual data server. We do not supply access logs or audit trails to clients.

Are policies and procedures in place to protect personal information from the risks from mobile and remote access?

Yes. Mobile and remote access is covered under the IBM Security policy. When remote access is required for debugging purposes, IBM employees are required to access the service through encrypted, private VPNs, which meet industry standards including NIST.

Do the IBM SaaS offerings include the ability for clients to retrieve a copy of the personal data in the format originally submitted? In other formats?

This capability would be a service attribute described in the terms of use for each SaaS offering. The transmission of personal data would only be performed using secured transmission protocols or other secure transmission means specified by the client and in compliance with regulations regarding transmission of personal information across borders.

Is there a process to support IBM’s clients in support of their clients (e.g. end consumer) to access, correct, delete their information?

IBM processes personal information in SaaS offerings at the direction of its customer, which is the data controller, and is responsible for providing notices to and obtaining required consents from data subjects. IBM does not control this data, but will work with clients to process changes at their request.

What measures are in place to exclude or limit access to IBM personnel during production, maintenance, disaster recovery, etc.?

Access, whether physical or logical, is controlled in accordance with IBM Security policy. These controls include tiered levels of badge control, cameras, physical logging/sign in, logical logging within the service, employment continuity checks, etc.


Is there an information back-up process in place? Are there procedures in place to restore personal information from back-ups in the event of a disaster?

Yes, all IBM SaaS offerings have business continuity plans, including backup and restoration policies. SPI and regulated data are backed up using methods consistent with the regular means of storage of data-at-rest for those data types, which depending on the service, may be via encrypted tape or encrypted off-line disk.

Is there a specifically defined scheduled maintenance plan?

Each SaaS offering has a scheduled maintenance plan that is either described in the Terms of Use for the offering and /or is published in a Client Success Support Portal for the offering.

Are there specifically defined service levels?

Each SaaS offering has service levels defined in the Terms of Use.


EU and US-Swiss Safe Harbor certified?

At least the following IBM SaaS Cloud offerings are Safe Harbor certified:

Product support services: