// Trust & Security Report

    LogRhythm, Inc. dba Exabeam logo

    LogRhythm, Inc. dba Exabeam

    AI-driven SIEM and threat detection, investigation and response (TDIR) platform for enterprise security operations

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    we have completed the AICPA SOC 2 Type II Audit and Exabeam is compliant without exception

    Verify on exabeam.com
    ISO 27001
    HELD

    The assessment certifies that the Exabeam SOC Platform's information security management system (ISMS) has been independently assessed and aligns with ISO 27001:2013 information security best practices

    Verify on exabeam.com
    ISO 27017
    HELD

    ISO 27017 provides additional controls to address cloud-specific information security threats and risks.

    Verify on exabeam.com
    ISO 27018
    HELD

    ISO 27018 establishes control objectives and guidelines for implementing measures to protect Personally Identifiable Information (PII) for public cloud computing environments.

    Verify on exabeam.com
    GDPR Compliance
    HELD

    Exabeam has implemented the technical and organizational controls required to adhere to the General Data Protection Regulation

    Verify on exabeam.com
    EU-U.S. Data Privacy Framework
    HELD

    Exabeam has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles

    Verify on exabeam.com
    UK Extension to EU-U.S. Data Privacy Framework
    HELD

    Exabeam complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF

    Verify on exabeam.com
    Swiss-U.S. Data Privacy Framework
    HELD

    Exabeam certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles

    Verify on exabeam.com
    IRAP (Australian PROTECTED level)
    HELD

    Exabeam has completed an IRAP assessment at the PROTECTED level for the Exabeam Security Operations Platform

    Verify on exabeam.com
    TRUSTe Privacy Certification
    HELD

    TRUSTe Privacy Seal displayed on privacy policy page; TRUSTe listed as compliance standard in Exabeam trust center (exabeam.securitypal.com, updated 2026-06-16)

    Verify on exabeam.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or HIPAA-compliant service designation on exabeam.com/company/certifications/. HIPAA is self-declared on SecurityPal trust center (exabeam.securitypal.com) but is not corroborated by a primary exabeam.com certifications page. Exabeam maintains a Vendor Business Associate Agreement requiring its own contractors to handle PHI per HIPAA, but this is an upstream requirement for Exabeam vendors, not a certification of Exabeam's own customer-facing service. Verify directly with Exabeam before relying on HIPAA for regulated healthcare data.

    source: exabeam.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of Exabeam holding PCI DSS certification on exabeam.com/company/certifications/. SecurityPal trust center self-declares PCI DSS (updated 2026-06-16) but this is not corroborated on the primary certifications page. Exabeam helps customers achieve PCI DSS compliance through its SIEM platform, and its Vendor Data Security Policy requires contractors to maintain PCI DSS compliance, but neither constitutes Exabeam itself holding the certification for its own services. Verify directly with Exabeam.

    source: exabeam.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on exabeam.com or the FedRAMP Marketplace.

    source: exabeam.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on exabeam.com or CSA STAR registry.

    source: exabeam.com
    ISO 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on exabeam.com despite Exabeam heavily marketing AI-agent and generative AI capabilities.

    source: exabeam.com
    Cyber Essentials
    NOT CONFIRMED

    Cyber Essentials is listed in SecurityPal trust center (exabeam.securitypal.com, updated 2026-06-16) but is not listed on exabeam.com/company/certifications/. Cannot independently verify from a primary exabeam.com source.

    source: exabeam.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Global; customers can choose where data is hosted on Google Cloud Platform with availability zone redundancy. Data may be processed outside the EEA with Standard Contractual Clauses (SCCs) in place per the Customer Data Security Policy.

    No explicit statement confirming or denying use of customer data for AI model training was found in the privacy policy, Terms and Conditions, or AI Innovation page. The Customer Data Security Policy (exabeam.com/legal/customer-data-security-policy/) states Exabeam reserves rights to use customer data 'in support of product offerings, for bug fixes, and validation of data modeling.' This clause extends beyond core service delivery but does not explicitly reference AI training. Given Exabeam Nova uses six embedded AI agents trained on security patterns, organizations sending sensitive security log data should contractually clarify whether their data is used to improve AI models and whether an opt-out is available.

    // Security controls

    Encryption in transit

    TLS encryption when transferring data from all collectors

    exabeam.com

    Encryption at rest

    AES-256 ciphers for tokenization and encryption; customer data encrypted both in transit and at rest

    exabeam.com

    Access controls

    Role-based access controls with custom role options; data masking within the user interface anonymizes users and assets

    exabeam.com

    Security architecture

    Zero-trust internal policy and defense-in-depth methodology

    exabeam.com

    Vulnerability management

    Regular vulnerability scans; Exabeam employs a third party to conduct an annual Attack and Penetration Test, sharing the results with customers

    exabeam.com

    Service availability SLA

    99.9% monthly data upload availability; 99.5% product access availability

    exabeam.com

    Cloud infrastructure

    Google Cloud Platform with availability zone redundancy and live data queueing during catastrophic failures; multi-tenant with tenant data isolation

    exabeam.com

    Multi-factor authentication

    MFA required for any access to protected data including remote access connections per Vendor Data Security Policy

    exabeam.com

    Breach notification

    Breach notification 'without undue delay' per Customer Data Security Policy; vendor contractors required to notify within 24 hours

    exabeam.com

    Data deletion

    Customer data deleted within 90 days post-termination per Customer Data Security Policy

    exabeam.com

    ISO 27001 certificate verification

    Certified by Schellman and Company LLC; certificate number 1088287-5 verifiable at schellman.com/certificate-directory

    exabeam.com

    Sub-processor transparency

    Public subprocessor list maintained at community.exabeam.com/s/subprocessors with objection procedures available

    exabeam.com

    // Products & data scope

    Exabeam New-Scale SIEM (Cloud)SIEM / Security Operations Platform

    data: Security logs, user behavior data, network telemetry, alerts and events from connected security tools; petabyte-scale ingestion

    Cloud-native deployment on GCP; ISO 27001/27017/27018 and SOC 2 Type II certified; customers can select data hosting region. SOC 2 audit covers Exabeam Fusion SIEM and Fusion XDR product lines.

    LogRhythm (Self-Hosted / On-Premises)SIEM / Log Management

    data: Security logs, user behavior data, network telemetry retained entirely on customer infrastructure

    On-premises deployment option merged under Exabeam brand; certifications for the self-hosted product may differ from the cloud offering. Listed on demo form as 'Self-hosted' deployment preference.

    Exabeam Nova AI AgentsAI-Powered Security Operations Automation

    data: Operates on existing SIEM log and behavioral data for automated investigation, triage, correlation rule building, and reporting

    Six specialized AI agents embedded in New-Scale SIEM and Security Log Management. No separate privacy statement or AI-specific data handling policy published. AI training data use not publicly disclosed.

    Security Log Management (Cloud SaaS)Log Management

    data: High-volume log ingestion, parsing, storage, and search

    Part of the New-Scale platform; ISO and SOC 2 scope applies per trust center.

    // What to watch

    • AI training ambiguity: Customer Data Security Policy reserves broad rights to use customer data 'in support of product offerings, for bug fixes, and validation of data modeling' without explicit AI training disclosure or opt-out. Organizations sending sensitive security logs should clarify this contractually.
    • HIPAA and PCI DSS are self-declared on the SecurityPal trust center (exabeam.securitypal.com, updated 2026-06-16) but are absent from the primary exabeam.com/company/certifications/ page. Do not represent these as confirmed until verified directly with Exabeam.
    • Dual product line complexity: Exabeam merged with LogRhythm creating cloud (New-Scale) and on-premises (LogRhythm) offerings. Compliance certifications confirmed for cloud; self-hosted certifications should be independently confirmed for that deployment model.
    • ISO 27001 certificate verifiable via Schellman certificate directory (number 1088287-5). Certificate renewal date not confirmed in public evidence; verify currency before relying on it.
    • No ISO 42001 (AI Management System) certification found despite Exabeam marketing Agent Behavior Analytics and six embedded AI agents as core product differentiators.
    • No CSA STAR certification found despite cloud-native GCP deployment and SOC 2 / ISO 27001 scope.

    // At a glance

    Pricing model

    Enterprise subscription; pricing not publicly disclosed; contact sales required

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on LogRhythm, Inc. dba Exabeam's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    exabeam.com

    > Browse all vendor trust reports