// Trust & Security Report
LogRhythm, Inc. dba Exabeam
AI-driven SIEM and threat detection, investigation and response (TDIR) platform for enterprise security operations
Certifications held
10
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on exabeam.com“we have completed the AICPA SOC 2 Type II Audit and Exabeam is compliant without exception”
Verify on exabeam.com“The assessment certifies that the Exabeam SOC Platform's information security management system (ISMS) has been independently assessed and aligns with ISO 27001:2013 information security best practices”
Verify on exabeam.com“ISO 27017 provides additional controls to address cloud-specific information security threats and risks.”
Verify on exabeam.com“ISO 27018 establishes control objectives and guidelines for implementing measures to protect Personally Identifiable Information (PII) for public cloud computing environments.”
Verify on exabeam.com“Exabeam has implemented the technical and organizational controls required to adhere to the General Data Protection Regulation”
Verify on exabeam.com“Exabeam has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles”
Verify on exabeam.com“Exabeam complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF”
Verify on exabeam.com“Exabeam certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles”
Verify on exabeam.com“Exabeam has completed an IRAP assessment at the PROTECTED level for the Exabeam Security Operations Platform”
Verify on exabeam.com“TRUSTe Privacy Seal displayed on privacy policy page; TRUSTe listed as compliance standard in Exabeam trust center (exabeam.securitypal.com, updated 2026-06-16)”
> Show 6 unconfirmed / not-held certifications
source: exabeam.comNo public evidence of HIPAA certification or HIPAA-compliant service designation on exabeam.com/company/certifications/. HIPAA is self-declared on SecurityPal trust center (exabeam.securitypal.com) but is not corroborated by a primary exabeam.com certifications page. Exabeam maintains a Vendor Business Associate Agreement requiring its own contractors to handle PHI per HIPAA, but this is an upstream requirement for Exabeam vendors, not a certification of Exabeam's own customer-facing service. Verify directly with Exabeam before relying on HIPAA for regulated healthcare data.
source: exabeam.comNo public evidence of Exabeam holding PCI DSS certification on exabeam.com/company/certifications/. SecurityPal trust center self-declares PCI DSS (updated 2026-06-16) but this is not corroborated on the primary certifications page. Exabeam helps customers achieve PCI DSS compliance through its SIEM platform, and its Vendor Data Security Policy requires contractors to maintain PCI DSS compliance, but neither constitutes Exabeam itself holding the certification for its own services. Verify directly with Exabeam.
source: exabeam.comNo public evidence of FedRAMP authorization found on exabeam.com or the FedRAMP Marketplace.
source: exabeam.comNo public evidence of CSA STAR certification found on exabeam.com or CSA STAR registry.
source: exabeam.comNo public evidence of ISO 42001 certification found on exabeam.com despite Exabeam heavily marketing AI-agent and generative AI capabilities.
source: exabeam.comCyber Essentials is listed in SecurityPal trust center (exabeam.securitypal.com, updated 2026-06-16) but is not listed on exabeam.com/company/certifications/. Cannot independently verify from a primary exabeam.com source.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Global; customers can choose where data is hosted on Google Cloud Platform with availability zone redundancy. Data may be processed outside the EEA with Standard Contractual Clauses (SCCs) in place per the Customer Data Security Policy.
No explicit statement confirming or denying use of customer data for AI model training was found in the privacy policy, Terms and Conditions, or AI Innovation page. The Customer Data Security Policy (exabeam.com/legal/customer-data-security-policy/) states Exabeam reserves rights to use customer data 'in support of product offerings, for bug fixes, and validation of data modeling.' This clause extends beyond core service delivery but does not explicitly reference AI training. Given Exabeam Nova uses six embedded AI agents trained on security patterns, organizations sending sensitive security log data should contractually clarify whether their data is used to improve AI models and whether an opt-out is available.
// Security controls
Encryption at rest
AES-256 ciphers for tokenization and encryption; customer data encrypted both in transit and at rest
exabeam.comAccess controls
Role-based access controls with custom role options; data masking within the user interface anonymizes users and assets
exabeam.comVulnerability management
Regular vulnerability scans; Exabeam employs a third party to conduct an annual Attack and Penetration Test, sharing the results with customers
exabeam.comService availability SLA
99.9% monthly data upload availability; 99.5% product access availability
exabeam.comCloud infrastructure
Google Cloud Platform with availability zone redundancy and live data queueing during catastrophic failures; multi-tenant with tenant data isolation
exabeam.comMulti-factor authentication
MFA required for any access to protected data including remote access connections per Vendor Data Security Policy
exabeam.comBreach notification
Breach notification 'without undue delay' per Customer Data Security Policy; vendor contractors required to notify within 24 hours
exabeam.comData deletion
Customer data deleted within 90 days post-termination per Customer Data Security Policy
exabeam.comISO 27001 certificate verification
Certified by Schellman and Company LLC; certificate number 1088287-5 verifiable at schellman.com/certificate-directory
exabeam.comSub-processor transparency
Public subprocessor list maintained at community.exabeam.com/s/subprocessors with objection procedures available
exabeam.com// Products & data scope
data: Security logs, user behavior data, network telemetry, alerts and events from connected security tools; petabyte-scale ingestion
Cloud-native deployment on GCP; ISO 27001/27017/27018 and SOC 2 Type II certified; customers can select data hosting region. SOC 2 audit covers Exabeam Fusion SIEM and Fusion XDR product lines.
data: Security logs, user behavior data, network telemetry retained entirely on customer infrastructure
On-premises deployment option merged under Exabeam brand; certifications for the self-hosted product may differ from the cloud offering. Listed on demo form as 'Self-hosted' deployment preference.
data: Operates on existing SIEM log and behavioral data for automated investigation, triage, correlation rule building, and reporting
Six specialized AI agents embedded in New-Scale SIEM and Security Log Management. No separate privacy statement or AI-specific data handling policy published. AI training data use not publicly disclosed.
data: High-volume log ingestion, parsing, storage, and search
Part of the New-Scale platform; ISO and SOC 2 scope applies per trust center.
// What to watch
- AI training ambiguity: Customer Data Security Policy reserves broad rights to use customer data 'in support of product offerings, for bug fixes, and validation of data modeling' without explicit AI training disclosure or opt-out. Organizations sending sensitive security logs should clarify this contractually.
- HIPAA and PCI DSS are self-declared on the SecurityPal trust center (exabeam.securitypal.com, updated 2026-06-16) but are absent from the primary exabeam.com/company/certifications/ page. Do not represent these as confirmed until verified directly with Exabeam.
- Dual product line complexity: Exabeam merged with LogRhythm creating cloud (New-Scale) and on-premises (LogRhythm) offerings. Compliance certifications confirmed for cloud; self-hosted certifications should be independently confirmed for that deployment model.
- ISO 27001 certificate verifiable via Schellman certificate directory (number 1088287-5). Certificate renewal date not confirmed in public evidence; verify currency before relying on it.
- No ISO 42001 (AI Management System) certification found despite Exabeam marketing Agent Behavior Analytics and six embedded AI agents as core product differentiators.
- No CSA STAR certification found despite cloud-native GCP deployment and SOC 2 / ISO 27001 scope.
// At a glance
Pricing model
Enterprise subscription; pricing not publicly disclosed; contact sales required
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on LogRhythm, Inc. dba Exabeam's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
exabeam.com