Service Organization Control (SOC) reports, also called System and Organization Controls reports, are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA) to address the risk associated with an outsourced service. The AICPA has established Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality and privacy, against which service organizations may be assessed.
A SOC 3 report evaluates the internal controls that an organization has put in place to protect customer-owned data and provides details about the nature of those internal controls. It has the same focus as the SOC 2 report but does not include confidential information or reveal details about internal controls. SOC 3 reports are intended for users who don't need the specificity of the SOC 2 report and can be distributed publicly.
Reports and other documentation
An SOC 3 report may be provided for IBM services that have implemented controls in accordance with their selected Trust Service Principles. The SOC 3 report demonstrates that IBM designed controls for the selected Trust Service Principles appropriately and that the controls operated effectively for the report period.
The services listed below have a SOC 3 report available, representing a period of time during which controls were assessed. IBM Service Descriptions (SDs) indicate if a given offering maintains a SOC 3 report. Services below issue SOC 3 reports at least once each year.
Services
IBM Cloud® services with SOC 3 reports:
- IBM Cloud App ID
- IBM Cloud App Configuration
- IBM Cloud Backup for VPC
- IBM Cloud Bare Metal Servers for VPC
- IBM Cloud Block Storage for Virtual Private Cloud
- IBM Cloud Block Storage Snapshots for VPC
- IBM Cloud Code Engine
- IBM Cloud Continuous Delivery
- IBM Cloud Container Registry
- IBM Cloud Databases for DataStax
- IBM Cloud Databases for Elasticsearch
- IBM Cloud Databases for EnterpriseDB
- IBM Cloud Databases for etcd
- IBM Cloud Databases for MongoDB
- IBM Cloud Databases for MySQL
- IBM Cloud Databases for PostgreSQL
- IBM Cloud Databases for Redis
- IBM Cloud Direct Link Connect (2.0)
- IBM Cloud Direct Link Dedicated (2.0)
- IBM Cloud DNS Services
- IBM Cloud Event Notifications
- IBM Cloud File Storage for Virtual Private Cloud
- IBM Cloud Flow Logs for VPC
- IBM Cloud for VMware Solutions (Dedicated)
- IBM Cloud for VMware Solutions Shared
- IBM Cloud Functions
- IBM Cloud Kubernetes Service and Red Hat® OpenShift® on IBM Cloud
- IBM Cloud Messages for RabbitMQ
- IBM Cloud Object Storage
- IBM Cloud Platform – Core Services: IBM Cloud Account Management and Billing, IBM Cloud Catalog, IBM Cloud Console, IBM Cloud Global Search and Tagging, IBM Cloud Identity and Access Management, and IBM Cloud Shell
- IBM Cloud Satellite
- IBM Cloud Schematics
- IBM Cloud Secrets Manager
- IBM Cloud Security and Compliance Center
- IBM Cloud Transit Gateway
- IBM Cloud Virtual Private Cloud
- IBM Cloud Virtual Private Cloud - Load Balancer for VPC: Application Load Balancer and Network Load Balancer
- IBM Cloud Virtual Private Cloud - VPN for VPC: Client-to-Site Server and Site-to-Site Gateway
- IBM Cloud Virtual Private Endpoint for VPC
- IBM Cloud Virtual Server for VPC
- IBM Cloud Virtual Server for VPC - Auto Scale for VPC
- IBM Cloud Virtual Server for VPC - Dedicated Host for VPC
- IBM Event Streams for IBM Cloud (Enterprise)
- IBM Event Streams for IBM Cloud (Standard)
- IBM Key Protect for IBM Cloud
- IBM Cloud Backup
- IBM Cloud Bare Metal
- IBM Cloud Block Storage
- IBM Cloud Direct Link (1.0; Connect, Dedicated, Dedicated Hosting, Exchange)
- IBM Cloud File Storage
- IBM Cloud Hardware Security Module
- IBM Cloud Load Balancer
- IBM Cloud Object Storage (IaaS)
- IBM Cloud Virtual Servers
- IPSec VPN
- SAP-Certified Cloud Infrastructure