// Trust & Security Report

    Elastic N.V. (elasticsearch B.V.) logo

    Elastic N.V. (elasticsearch B.V.)

    Elastic Security: enterprise SIEM, XDR, and SOAR platform built on Elasticsearch; includes Elastic AI Assistant for security operations, agentic threat detection, endpoint protection, and cloud security posture management. Closely integrated with Elastic Cloud (hosted) and Elastic Cloud Serverless.

    Certifications held

    16

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Elasticsearch Service, Elastic Site Search Service, as well as Elastic Support Subscriptions have been audited by Coalfire under the SOC 2 Type 2 framework. Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2.

    Verify on elastic.co
    SOC 3
    HELD

    SOC 3 is listed among the named compliance certifications on the public Elastic Trust Center.

    Verify on elastic.co
    ISO/IEC 27001
    HELD

    An Elastic Information Security Program, which is certified on ISO 27001, including ISO 27017 and ISO 27018. Elastic Cloud Serverless has now attained a comprehensive suite of key compliance certifications including ISO 27001.

    Verify on elastic.co
    ISO/IEC 27017
    HELD

    Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, and CSA STAR.

    Verify on elastic.co
    ISO/IEC 27018
    HELD

    Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, and CSA STAR.

    Verify on elastic.co
    ISO/IEC 27701
    HELD

    Elastic Cloud Serverless has now attained a comprehensive suite of key compliance certifications including ISO 27701 (Privacy Information Management System) across all available cloud providers.

    Verify on elastic.co
    GDPR (compliance posture)
    HELD

    Elastic is operating in compliance with the principles of GDPR. Elastic Cloud customers can request a Data Processing Addendum (DPA) by creating a support case or simply emailing sales@elastic.co. GDPR is a regulation, not a certification; this entry reflects compliance posture.

    Verify on elastic.co
    HIPAA
    HELD

    All Elastic Cloud subscription tiers on Microsoft Azure, Google Cloud, and Amazon Web Services allow for HIPAA business associate agreements (BAAs).

    Verify on elastic.co
    PCI DSS Level 1 Service Provider
    HELD

    Elastic is certified as a PCI DSS Level 1 Service Provider.

    Verify on elastic.co
    FedRAMP Moderate
    HELD

    Elastic Cloud is authorized at FedRAMP Moderate Impact level, deployable on AWS GovCloud (US).

    Verify on elastic.co
    FedRAMP High
    HELD

    Elastic Cloud Hosted has achieved FedRAMP High status on AWS GovCloud (US). Elastic Cloud Hosted is also available as FedRAMP Moderate authorized on AWS GovCloud (US). (Authorization announced March 31, 2026; also listed on the public Elastic Trust Center and the FedRAMP Marketplace.)

    Verify on elastic.co
    CSA STAR Level 2
    HELD

    Announcing SOC 2 Type 2 and CSA Star Level 2 Attestation across Elastic Cloud. Elastic Cloud Serverless is now audited or certified under CSA STAR.

    Verify on elastic.co
    TISAX (High)
    HELD

    Elastic is TISAX certified as a trusted partner with the 'High' level of protection in Information Security and Data privacy domains.

    Verify on elastic.co
    Cyber Essentials Plus
    HELD

    Cyber Essentials Plus is listed among the named compliance certifications on the public Elastic Trust Center, and the Trust FAQ states Elastic Cloud is compliant with 'Cyber Essentials+'.

    Verify on elastic.co
    IRAP Assessed (Protected B)
    HELD

    IRAP Assessed: Protected B is listed among the named compliance certifications on the public Elastic Trust Center.

    Verify on elastic.co
    NIS2 Directive (Cloud Service Provider compliance)
    HELD

    NIS2 Directive for Cloud Service Providers listed among compliance frameworks on the Elastic Trust FAQ. NIS2 is a regulation, not a certification; this entry reflects compliance posture.

    Verify on elastic.co
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No mention of ISO/IEC 42001 on any Elastic trust, compliance, or blog pages reviewed. Not listed in the Elastic Trust Center certification list (assurance.elastic.co, reviewed June 27, 2026).

    source: assurance.elastic.co
    CSA STAR AI
    NOT CONFIRMED

    No evidence of CSA STAR AI certification on Elastic trust pages or public announcements. Not listed in the Elastic Trust Center.

    source: assurance.elastic.co

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer selects deployment region across AWS, GCP, and Microsoft Azure globally. Backups stored in the same region as the deployment by default. Data residency options available worldwide. FedRAMP deployments limited to AWS GovCloud (US).

    Elastic explicitly states it does not train on customer AI interactions: 'Elastic does not store or examine prompts or results used by AI Assistant, or use this data for model training.' However, when customers configure Elastic AI Assistant with a third-party LLM provider (e.g., OpenAI, Anthropic), data submitted to that provider is governed by the provider's own terms and training policies, which Elastic cannot control. Elastic recommends customers review their LLM provider's terms before use. Anonymization controls are available to redact or obfuscate PII before data is sent to the LLM provider.

    // Security controls

    Encryption in transit

    TLS. 'Transport Layer Security (TLS) encrypted communication from the Internet is provided in the default configuration.' Node-to-node Elasticsearch traffic also uses TLS (requires version 6.0 or later).

    elastic.co

    Encryption at rest

    Yes. 'Cluster data is encrypted at rest.'

    elastic.co

    Third-party audit reports

    Available via Elastic Security Assurance Profile at assurance.elastic.co. SOC 2 Type 2, ISO 27001, PCI DSS, and other reports can be requested there.

    assurance.elastic.co

    Deployment models

    Elastic Cloud (hosted, multi-cloud: AWS, GCP, Azure), self-managed on-premises, private cloud, hybrid environments, and air-gapped environments supported.

    elastic.co

    Government data access policy

    Elastic has never created a backdoor or master key and has never allowed any government authority unfettered or direct access to servers. Will only disclose customer data if strictly required by law and publishes public authority request principles.

    elastic.co

    Sub-processors

    List of external and internal sub-processors published. Sub-processors contractually bound to same data protection standards. Relevant sub-processors depend on region, services, and functionality chosen.

    elastic.co

    Vulnerability disclosure

    Security concerns contact: security@elastic.co

    elastic.co

    // Products & data scope

    Elastic Security (SIEM + XDR + SOAR)Security Operations Platform

    data: Security telemetry: logs, endpoint events, network data, cloud events, and application traces. Ingests, detects, investigates, and responds. Customer data stays in customer-selected cloud region.

    Includes Elastic AI Assistant for Security (model-agnostic; customer connects their own LLM provider). Priced on compute and storage, not per device. Native automation included with no separate SOAR license. Available on Elastic Cloud (hosted/serverless) or self-managed.

    Elastic Cloud Hosted (Elasticsearch Service)Managed Cloud Service

    data: Customer indexes, logs, metrics, and traces hosted on AWS, GCP, or Azure in customer-selected region.

    FedRAMP Moderate/High authorized on AWS GovCloud. All cloud tiers support HIPAA BAAs. SOC 2 Type 2, ISO 27001, PCI DSS, and CSA STAR Level 2 certified.

    Elastic Cloud ServerlessManaged Serverless Cloud Service

    data: Same data scope as hosted; fully managed serverless deployment across AWS, Azure, and GCP.

    Achieved SOC 2 Type 2, ISO 27001/27017/27018/27701, PCI DSS, HIPAA, and CSA STAR across all three cloud providers as of January 2026.

    Elastic Self-Managed / On-PremisesSelf-Hosted Software

    data: Customer controls all data; no data leaves the customer's own environment.

    Available for air-gapped and sovereign cloud deployments. Platform-level certifications (SOC 2, ISO 27001) cover Elastic's cloud services; self-managed deployments inherit the customer's own compliance posture.

    // What to watch

    • Third-party LLM provider risk: When Elastic AI Assistant is configured with an external LLM provider, data submitted to that provider is governed by the provider's own terms and training policies. Elastic explicitly disclaims responsibility for third-party LLM data handling. Enterprise buyers must assess their chosen LLM provider separately.
    • FedRAMP scope note: Elastic Cloud Hosted is FedRAMP authorized at both Moderate and High on AWS GovCloud (US); High authorization was announced March 31, 2026 and is verifiable on the public Elastic Trust Center and the FedRAMP Marketplace. The /cloud/security datasheet still references Moderate, so federal buyers should confirm the specific service boundary and product version that carries the High authorization before citing it in procurement.
    • ISO 42001 absent: No AI-specific governance certification (ISO/IEC 42001 or CSA STAR AI) found despite Elastic's significant investment in AI-powered security features (AI Assistant, agentic operations). Organizations with formal AI governance requirements should note this gap.
    • DPA not auto-included: The GDPR-compliant DPA is available but must be requested by the customer via a support case or email to sales@elastic.co. It is not automatically included in standard online subscriptions. Buyers processing personal data under GDPR should request the DPA before going live.

    // At a glance

    Pricing model

    Compute and storage based, not per-device or per-endpoint. No separate SOAR license required. Native automation and AI Assistant included.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Elastic N.V. (elasticsearch B.V.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    elastic.co

    > Browse all vendor trust reports