// Trust & Security Report
Elastic N.V. (elasticsearch B.V.)
Elastic Security: enterprise SIEM, XDR, and SOAR platform built on Elasticsearch; includes Elastic AI Assistant for security operations, agentic threat detection, endpoint protection, and cloud security posture management. Closely integrated with Elastic Cloud (hosted) and Elastic Cloud Serverless.
Certifications held
16
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on elastic.co“Elasticsearch Service, Elastic Site Search Service, as well as Elastic Support Subscriptions have been audited by Coalfire under the SOC 2 Type 2 framework. Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2.”
Verify on elastic.co“SOC 3 is listed among the named compliance certifications on the public Elastic Trust Center.”
Verify on elastic.co“An Elastic Information Security Program, which is certified on ISO 27001, including ISO 27017 and ISO 27018. Elastic Cloud Serverless has now attained a comprehensive suite of key compliance certifications including ISO 27001.”
Verify on elastic.co“Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, and CSA STAR.”
Verify on elastic.co“Elastic Cloud Serverless is now audited or certified under SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, and CSA STAR.”
Verify on elastic.co“Elastic Cloud Serverless has now attained a comprehensive suite of key compliance certifications including ISO 27701 (Privacy Information Management System) across all available cloud providers.”
Verify on elastic.co“Elastic is operating in compliance with the principles of GDPR. Elastic Cloud customers can request a Data Processing Addendum (DPA) by creating a support case or simply emailing sales@elastic.co. GDPR is a regulation, not a certification; this entry reflects compliance posture.”
Verify on elastic.co“All Elastic Cloud subscription tiers on Microsoft Azure, Google Cloud, and Amazon Web Services allow for HIPAA business associate agreements (BAAs).”
Verify on elastic.co“Elastic is certified as a PCI DSS Level 1 Service Provider.”
Verify on elastic.co“Elastic Cloud is authorized at FedRAMP Moderate Impact level, deployable on AWS GovCloud (US).”
Verify on elastic.co“Elastic Cloud Hosted has achieved FedRAMP High status on AWS GovCloud (US). Elastic Cloud Hosted is also available as FedRAMP Moderate authorized on AWS GovCloud (US). (Authorization announced March 31, 2026; also listed on the public Elastic Trust Center and the FedRAMP Marketplace.)”
Verify on elastic.co“Announcing SOC 2 Type 2 and CSA Star Level 2 Attestation across Elastic Cloud. Elastic Cloud Serverless is now audited or certified under CSA STAR.”
Verify on elastic.co“Elastic is TISAX certified as a trusted partner with the 'High' level of protection in Information Security and Data privacy domains.”
Verify on elastic.co“Cyber Essentials Plus is listed among the named compliance certifications on the public Elastic Trust Center, and the Trust FAQ states Elastic Cloud is compliant with 'Cyber Essentials+'.”
Verify on elastic.co“IRAP Assessed: Protected B is listed among the named compliance certifications on the public Elastic Trust Center.”
Verify on elastic.co“NIS2 Directive for Cloud Service Providers listed among compliance frameworks on the Elastic Trust FAQ. NIS2 is a regulation, not a certification; this entry reflects compliance posture.”
> Show 2 unconfirmed / not-held certifications
source: assurance.elastic.coNo mention of ISO/IEC 42001 on any Elastic trust, compliance, or blog pages reviewed. Not listed in the Elastic Trust Center certification list (assurance.elastic.co, reviewed June 27, 2026).
source: assurance.elastic.coNo evidence of CSA STAR AI certification on Elastic trust pages or public announcements. Not listed in the Elastic Trust Center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer selects deployment region across AWS, GCP, and Microsoft Azure globally. Backups stored in the same region as the deployment by default. Data residency options available worldwide. FedRAMP deployments limited to AWS GovCloud (US).
Elastic explicitly states it does not train on customer AI interactions: 'Elastic does not store or examine prompts or results used by AI Assistant, or use this data for model training.' However, when customers configure Elastic AI Assistant with a third-party LLM provider (e.g., OpenAI, Anthropic), data submitted to that provider is governed by the provider's own terms and training policies, which Elastic cannot control. Elastic recommends customers review their LLM provider's terms before use. Anonymization controls are available to redact or obfuscate PII before data is sent to the LLM provider.
// Security controls
Encryption in transit
TLS. 'Transport Layer Security (TLS) encrypted communication from the Internet is provided in the default configuration.' Node-to-node Elasticsearch traffic also uses TLS (requires version 6.0 or later).
elastic.coThird-party audit reports
Available via Elastic Security Assurance Profile at assurance.elastic.co. SOC 2 Type 2, ISO 27001, PCI DSS, and other reports can be requested there.
assurance.elastic.coDeployment models
Elastic Cloud (hosted, multi-cloud: AWS, GCP, Azure), self-managed on-premises, private cloud, hybrid environments, and air-gapped environments supported.
elastic.coGovernment data access policy
Elastic has never created a backdoor or master key and has never allowed any government authority unfettered or direct access to servers. Will only disclose customer data if strictly required by law and publishes public authority request principles.
elastic.coSub-processors
List of external and internal sub-processors published. Sub-processors contractually bound to same data protection standards. Relevant sub-processors depend on region, services, and functionality chosen.
elastic.co// Products & data scope
data: Security telemetry: logs, endpoint events, network data, cloud events, and application traces. Ingests, detects, investigates, and responds. Customer data stays in customer-selected cloud region.
Includes Elastic AI Assistant for Security (model-agnostic; customer connects their own LLM provider). Priced on compute and storage, not per device. Native automation included with no separate SOAR license. Available on Elastic Cloud (hosted/serverless) or self-managed.
data: Customer indexes, logs, metrics, and traces hosted on AWS, GCP, or Azure in customer-selected region.
FedRAMP Moderate/High authorized on AWS GovCloud. All cloud tiers support HIPAA BAAs. SOC 2 Type 2, ISO 27001, PCI DSS, and CSA STAR Level 2 certified.
data: Same data scope as hosted; fully managed serverless deployment across AWS, Azure, and GCP.
Achieved SOC 2 Type 2, ISO 27001/27017/27018/27701, PCI DSS, HIPAA, and CSA STAR across all three cloud providers as of January 2026.
data: Customer controls all data; no data leaves the customer's own environment.
Available for air-gapped and sovereign cloud deployments. Platform-level certifications (SOC 2, ISO 27001) cover Elastic's cloud services; self-managed deployments inherit the customer's own compliance posture.
// What to watch
- Third-party LLM provider risk: When Elastic AI Assistant is configured with an external LLM provider, data submitted to that provider is governed by the provider's own terms and training policies. Elastic explicitly disclaims responsibility for third-party LLM data handling. Enterprise buyers must assess their chosen LLM provider separately.
- FedRAMP scope note: Elastic Cloud Hosted is FedRAMP authorized at both Moderate and High on AWS GovCloud (US); High authorization was announced March 31, 2026 and is verifiable on the public Elastic Trust Center and the FedRAMP Marketplace. The /cloud/security datasheet still references Moderate, so federal buyers should confirm the specific service boundary and product version that carries the High authorization before citing it in procurement.
- ISO 42001 absent: No AI-specific governance certification (ISO/IEC 42001 or CSA STAR AI) found despite Elastic's significant investment in AI-powered security features (AI Assistant, agentic operations). Organizations with formal AI governance requirements should note this gap.
- DPA not auto-included: The GDPR-compliant DPA is available but must be requested by the customer via a support case or email to sales@elastic.co. It is not automatically included in standard online subscriptions. Buyers processing personal data under GDPR should request the DPA before going live.
// At a glance
Pricing model
Compute and storage based, not per-device or per-endpoint. No separate SOAR license required. Native automation and AI Assistant included.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Elastic N.V. (elasticsearch B.V.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
elastic.co