Security of our products and services

Elastic's hosted and self-managed products are built with security in mind and include many features designed to keep customer information safe. Elastic products also meet and help ensure compliance with data protection laws and regulations.

  • Privacy

    Learn how to use Elastic products to help your organization achieve GDPR compliance.

    See the Privacy section below for information on how we collect, use, share, and otherwise process personal data.

  • Elastic Cloud

    We're entrusted with securing thousands of customers' valuable data in every region of the world and in every industry vertical.

  • Products

    Elastic Security combines SIEM, endpoint security, cloud security, and more in a unified protection platform. Learn more about the built-in data security functionalities of the Elastic Stack.

Compliance standards

Elastic operates in compliance with key information security standards and global regulations. Security and compliance is a shared responsibility between Elastic and the customer.

Our services are independently audited and certified to meet various privacy and compliance standards.

  • PCI DSS

    Elastic has achieved certification as a Level 1 Service Provider for Elastic Cloud.

  • FedRAMP

    Elastic Cloud is authorized at the Moderate Impact level for the Federal Risk and Authorization Management Program.

  • CSA STAR

    Elastic Cloud is certified in the Cloud Security Alliance Security Trust Assurance and Risk (STAR) Program.

  • ISO/IEC 27001

    Information Security Management System (ISMS)

  • ISO/IEC 27017

    Security Controls for the Provision and Use of Cloud Services

  • ISO/IEC 27018

    Protection of Personally Identifiable Information (PII)

  • HIPAA

    Health Insurance Portability and Accountability Act

  • SOC 2

    Service Organization Control

  • SOC 3

    Elastic Cloud and Elastic Support are compliant with SOC 3 requirements.

  • TISAX

    Trusted Information Security Assessment Exchange: rated high protection level (AL 2)

    Log in to the ENX portal to retrieve assessment results (Assessment ID: AKZT2N-2 and/or Scope ID: S8ZT2N).

  • UK Cyber Essentials Plus

    UK Government security certification

  • CyberGRX

    Independently validated report on Elastic cybersecurity risk posture

    Please contact your account representative to receive a copy of our CyberGRX report.

Security at Elastic

We are dedicated to Elastic Security's mission of protecting the world's data from attack, and the security of our products and services is a top priority. Elastic maintains a comprehensive information security program that includes appropriate technical and organizational measures designed to protect our customers.

Elastic has an experienced team of security practitioners who work across multiple disciplines, including security engineering, threat detection, incident response, security assurance, and risk and compliance. The Information Security teams work throughout our entire organization, particularly with engineering teams, to ensure world-class security for our technology and company.

Visit Elastic Cloud Security for more information.

Resiliency

Elastic Cloud clusters are globally available across major cloud service providers to meet our customers’ hosting and data sovereignty needs. Customers can enable high availability for their clusters through availability zone or region failover. View uptime data and subscribe to alerts on the Elastic Cloud status page.

Vulnerability management

Elastic is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on impact, severity, and mitigation. Working with members of the security community and our customers, we ensure that security vulnerabilities affecting our products are communicated and that solutions are released in a responsible and timely manner. Elastic source code and issue tracking are publicly available, and we encourage you to report vulnerabilities through the HackerOne bug bounty program to help keep Elastic products and services secure!

Customer Zero Program

Elastic is an enthusiastic Customer Zero for all of our solutions — particularly Elastic Security. We are committed to providing our customers with products and services that have been tested in a real production environment before they are distributed broadly. We use our products everywhere we can — and for more than just logs. Elastic’s InfoSec team uses the many features of Elastic Stack to create, monitor, detect, and respond to security events on a daily basis.

Visit Elastic on Elastic and Elastic Security to learn more.

Supply chain security

We carefully assess each of our vendors to ensure they meet Elastic’s security and compliance standards. Elastic partners with major Infrastructure as a Service (IaaS) providers to deliver the Elastic Cloud. Each of our IaaS providers regularly undergoes independent third-party audits, including SOC 2 audit and ISO 27001 certification at a minimum, to demonstrate the security of their services. Elastic reviews these audit reports and certifications as part of our third-party risk management program.

Elastic also reviews third-party code and publishes listings of third-party open-source dependencies of Elastic products.

To report a security concern, please reach out to [email protected].

Visit the Elastic Security Issues page for our PGP key and for more information.