IBM Cloud® compliance: SOC 3
Illustration showing a person interacting with a computer interface, around which are a security shield and a globe on a pedestal
What is SOC 3?

Service Organization Control (SOC) reports, also called System and Organization Controls reports, are independent, third-party reports issued by assessors certified by the American Institute of Certified Public Accountants (AICPA) to address the risk associated with an outsourced service. The AICPA has established Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality and privacy, against which service organizations may be assessed.

A SOC 3 report evaluates the internal controls that an organization has put in place to protect customer-owned data and provides details about the nature of those internal controls. It has the same focus as the SOC 2 report but does not include confidential information or reveal details about internal controls. SOC 3 reports are intended for users who don't need the specificity of the SOC 2 report and can be distributed publicly.

Reports and other documentation

IBM position

An SOC 3 report may be provided for IBM services that have implemented controls in accordance with their selected Trust Service Principles. The SOC 3 report demonstrates that IBM designed controls for the selected Trust Service Principles appropriately and that the controls operated effectively for the report period.

The services listed below have a SOC 3 report available, representing a period of time during which controls were assessed. IBM Service Descriptions (SDs) indicate if a given offering maintains a SOC 3 report. Services below issue SOC 3 reports at least once each year.

See the IBM Cloud infrastructure system description


IBM Cloud® services with SOC 3 reports:

IBM Cloud Foundry Public

Take the next step

Questions about a compliance program? Need a protected compliance report? We can help.

See more compliance programs