Security & Compliance of our Platform

The Sumo Logic Cloud Platform meets rigorous privacy and compliance standards that test for data security and privacy

Sumo Logic Assurance Programs

PCI DSS 3.2 Service Provider Level 1 Certified

Sumo Logic is Service Provider Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. Sumo Logic has incorporated the PCI DSS Cloud Computing Guidelines into the Sumo Logic PCI Compliance platform.

For more information on PCI DSS compliance, please visit PCI SSC Data Security Standards Overview.

ISO 27001 Certification

Sumo Logic is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.

Sumo Logic has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. For more information on ISO 27001 compliance, please visit ISO/IEC 27001 – Information security management

HIPAA Compliant

Sumo Logic enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure Sumo Logic environment to process, maintain, and store protected health information. Additionally, Sumo Logic is able to sign business associate agreements (BAA) with such customers.

For more information on HIPAA compliance, please visit Summary of the HIPAA Security Rule.

SOC 2, Type II Attestation

Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as Sumo Logic.

The Sumo Logic SOC 2 attestation is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into Sumo Logic security and availability based on a defined industry standard and further demonstrates Sumo Logic’s commitment to protecting customer data.

For more information on SOC 2, Type II, please visit AICPA SOC 2

FIPS 140 level 2 Compliant

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information.

To support customers with FIPS 140-2 requirements, TLS terminations in the Sumo Logic platform operate using FIPS 140-2 validated hardware and software.

For more information on FIPS 140-2, Type II, please visit FIPS 140-2

E.U. Cookie Compliance

European Union websites must follow the Commission’s guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily.

The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage of/or access to information stored on a user’s terminal equipment. In other words, you must ask users if they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

Sumo Logic complies with the E.U. Commission’s guidelines regarding the use of cookies. For more information, please visit the European Commission Information Providers Guide on Cookies.

U.S.-EU & U.S.-Swiss Safe Harbor Certifications

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.

Sumo Logic is certified against the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks. These frameworks and certifications are an important way for Sumo Logic customers to satisfy the Directive’s “adequacy” requirement for privacy protection and avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws.

For more information on the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks, please visit the Export.Gov Safe Harbor.

CSA STAR Certification

Sumo Logic’s Cloud Security Management System is CSA STAR certified by BrightLine CPA.

CSA STAR is a rigorous assessment of cloud-specific security controls and processes. The certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix specific to cloud security controls, mapped to leading standards, best practices and regulations.

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.

For more information on C-Star, please visit CSA Security, Trust & Assurance Registry (STAR).

EU-US Privacy Shield

The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.

In 2016, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, 2016, the European Commission formally adopted it. The EU-US Privacy Shield replaces Safe Harbor. Sumo Logic welcomes this new framework for transatlantic data flow.


Sumo Logic has been certified against TRUSTe’s Enterprise Privacy Certification Standards. These certification standards apply to businesses who collect or process personal information, and set a standard for responsible data collection practices.

These Certification Standards are based on foundational privacy frameworks including the Fair Information Practice Principles, OECD Privacy Guidelines, APEC Privacy Framework, and the EU-U.S. Privacy Shield Principles.

Sumo Logic Cloud Platform enables our customers to understand the robust controls Sumo Logic has in place to maintain security and data protection in the cloud. Customer security is essential to our business.
CISO, Leading Life Sciences Company

What certifications do you currently have and what is on your roadmap?

Sumo Logic has currently achieved the following attestations/certifications:

  • PCI DSS 3.2 Service Provider Level 1
  • SOC 2 Type II
  • ISO 27001
  • CSA Star
  • US-EU Privacy Shield
  • TRUSTe Certified Privacy

Do you rely on AWS compliance?

While many other SaaS providers rely on AWS certifications, Sumo Logic implemented its own security controls, completed audits with a third party independent audit firm, BrightLine CPA, and obtained attestations/certifications for its log management service.

Who has access to my data?

Only customers have access to their data, unless they enable access to their data for Sumo Logic’s Customer Success team. Even then, authorized Sumo Logic employees will access a customer’s data only in response to a specific support request. All access to customer data is logged and auditable. Moreover, Sumo Logic has read-only access to customer data.

How do you handle data deletion?

Data ingested by Sumo Logic is split into two streams, an Index stream and a Raw stream. Each of these streams is encrypted using customer-specific encryption keys rotated every 24 hours. In addition to the encryption keys, the disks are themselves encrypted. When data expires per the retention period, the indexes and customer-specific keys are deleted. This accomplishes two things:

  • The indexes cannot be located and thus recovered
  • The raw data cannot be decrypted

This unrecoverable data will remain on additionally encrypted disks until Sumo Logic runs a periodic disk cleanup, which is done using a DoD 5220.22-M scrub.

If the customer wants to pull out any of their unexpired data in the event they choose to cancel their Sumo contract, the data can be pulled down from the API, exported to CSV or placed in an S3 bucket owned by the customer. This must be done before the contract/subscription expires or is cancelled.
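The key-deletion approach to expiry described in this answer can be illustrated with a small model. This is an added example, not Sumo Logic's code: the class and function names are hypothetical, the log records are constructed, and an HMAC-SHA256 keystream stands in for a real cipher so the block needs only the standard library.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class DailyKeyStore:
    """One random key per (customer, day); hypothetical model of daily rotation."""

    def __init__(self):
        self._keys = {}

    def key_for(self, customer, day, create=False):
        slot = (customer, day)
        if create and slot not in self._keys:
            self._keys[slot] = secrets.token_bytes(32)
        return self._keys.get(slot)  # None once the key has been deleted

    def expire(self, today, retention_days):
        """Delete every key older than the retention period; return the count."""
        cutoff = today - timedelta(days=retention_days)
        stale = [slot for slot in self._keys if slot[1] < cutoff]
        for slot in stale:
            del self._keys[slot]
        return len(stale)


def _keystream(key, nonce, length):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), no integrity tag.
    # A production system would use an AEAD such as AES-GCM instead.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(store, customer, day, plaintext):
    """Encrypt a record under the customer's key for that day."""
    key = store.key_for(customer, day, create=True)
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def unseal(store, customer, day, blob):
    """Decrypt a record, or return None if its day key no longer exists."""
    key = store.key_for(customer, day)
    if key is None:
        return None  # ciphertext may still sit on disk, but it is unreadable
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))
```

Because keys are scoped to one customer and one day, expiry removes exactly the days that fall outside retention and leaves newer records readable.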

How do you monitor your environment for security events?

We use Sumo Logic for logging and alerting on security events. All security events are addressed in accordance with our incident response policy:

  • Critical Issues: Remediation efforts will begin immediately
  • High Severity Issues: Remediation efforts will begin within 5 days
  • Medium Severity Issues: Remediation efforts will begin within 60 days
  • Low Severity Issues: Remediation efforts begin in accordance with their business and customer impact

To report any disruptions or suspected security incidents to the Sumo Logic platform or service, please contact us at
