// Trust & Security Report

    Splunk LLC (a Cisco company) logo

    Splunk LLC (a Cisco company)

    Unified security and observability platform; key sub-products: Splunk Cloud Platform (SaaS SIEM/analytics), Splunk Enterprise (on-prem), Splunk Enterprise Security (SIEM), Splunk Observability Cloud (APM/DevOps), Splunk SOAR (orchestration/automation), and cross-cutting Splunk AI capabilities (AI Assistant for SPL, AI Assistant in Security, AI Assistant in Observability Cloud)

    Certifications held

    17

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Badges listed: SOC 2 Type II. Compliance page: 'Semi-annual assessments of security, availability, and confidentiality controls for specified products.' Annual SOC 2 Type 2 audit report issued.

    Verify on customertrust.splunk.com
    SOC 1 Type II
    HELD

    Compliance page: 'SOC 1 - Semi-annual reviews of critical financial reporting systems by independent auditors (AICPA-governed).'

    Verify on splunk.com
    ISO 27001
    HELD

    Trust Center badge: ISO 27001. Compliance page: 'On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27001 requirements (surveillance audits) and certifications are reissued every 3 years.' Certificate PDF published on splunk.com.

    Verify on customertrust.splunk.com
    ISO 27017
    HELD

    Trust Center badge: ISO 27017. Compliance page: 'Annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against ISO 27017 requirements; certifications reissued every 3 years.'

    Verify on customertrust.splunk.com
    ISO 27018
    HELD

    Trust Center badge: ISO 27018. Compliance page: 'On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27018 requirements and certifications are reissued every 3 years.'

    Verify on customertrust.splunk.com
    ISO 9001
    HELD

    Compliance page: 'ISO 9001 - Quality management system. Annual reviews, 3-year renewals for specified products.'

    Verify on splunk.com
    HIPAA
    HELD

    Trust Center badge: HIPAA. Compliance page: 'Annual evaluations of specified products. Customers must accept Splunk's Business Associate Agreement for PHI processing.' Splunk Cloud Security Addendum benchmarked against HIPAA.

    Verify on customertrust.splunk.com
    PCI DSS Level 1 Service Provider
    HELD

    Trust Center badge: PCI. Compliance page: 'Level 1 service provider status requires Annual Compliance Report (ROC) by Qualified Security Assessor and quarterly network scanning.' Also confirmed in Splunk Cloud Security Addendum (CSA).

    Verify on customertrust.splunk.com
    FedRAMP Moderate
    HELD

    Trust Center badge: FedRAMP Moderate. FedRAMP marketplace listing active. Compliance page: 'Annual assessments with authorized documentation access through Customer Trust Portal.'

    Verify on customertrust.splunk.com
    FedRAMP High
    HELD

    Splunk Cloud Platform FedRAMP High authorized by the General Services Administration FedRAMP PMO at the High Impact level in September 2024. FedRAMP marketplace listing active. Covers 400+ security controls.

    Verify on fedramp.gov
    CSA STAR Level 2
    HELD

    Trust Center badge: CSA STAR 2. Compliance page: 'Annual third-party audits leveraging ISO 27001:2013 standards with public registry listing.' Leverages CSA CCM criteria with independent assessor review.

    Verify on customertrust.splunk.com
    GDPR (compliance posture and DPA)
    HELD

    Trust Center badge: GDPR. DPA available at splunk.com/en_us/legal/splunk-dpa.html (updated December 2024/February 2025). EU-US Data Privacy Framework certified: 'Splunk is proud to be among the first organizations to obtain certification under the EU-U.S. Data Privacy Framework.' SCCs in place for EU-to-US transfers.

    Verify on customertrust.splunk.com
    FIPS 140-2
    HELD

    Compliance page: 'FIPS 140-2 - Cryptographic module validation for Splunk Enterprise and FedRAMP/IL5 Cloud Platform variants.'

    Verify on splunk.com
    Common Criteria (NIAP)
    HELD

    Compliance page: 'Common Criteria - Splunk Enterprise certified by NIAP for government agency procurement.'

    Verify on splunk.com
    DoD CC SRG IL5
    HELD

    Compliance page: 'DoD CC SRG IL5 - Limited scope (on-premises to cloud only). Annual third-party audits for high-sensitivity controlled unclassified information.'

    Verify on splunk.com
    IRAP (Australia, Protected level)
    HELD

    Compliance page: 'IRAP (Australia) - Protected level assessments; 2-year validity.' Also confirmed in Cloud Platform service details.

    Verify on splunk.com
    ISMAP (Japan)
    HELD

    Compliance page: 'ISMAP (Japan) - Annual assessments required for government agency procurement eligibility.'

    Verify on splunk.com
    > Show 2 unconfirmed / not-held certifications
    ISO 27701
    NOT CONFIRMED

    Not listed in the Splunk compliance overview, Trust Center badges, or any splunk.com domain page reviewed. No public evidence of ISO 27701 certification.

    source: splunk.com
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    Splunk has published educational blog content about ISO 42001 (What Is ISO 42001 for AI?) but no evidence of Splunk holding this certification was found on any splunk.com page or the Trust Center.

    source: splunk.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Multi-region: US (AWS Oregon, Virginia; GCP; Azure), EU (Dublin, Frankfurt, Milan, Paris), UK (London), APAC (Singapore, Sydney, Tokyo, Mumbai, Seoul, Indonesia), Middle East (UAE), Canada, South America (Brazil). GovCloud regions available for FedRAMP workloads. Data remains in the customer's chosen region with no automatic cross-region transfers.

    Splunk trains on customer data by default across AI products but provides opt-out mechanisms. Security AI Assistant: 'Splunk might leverage customer prompts, responses, underlying logs and feedback to train Splunk-hosted models unless customers opt out of this data sharing in the Splunk Enterprise Security settings.' SPL AI Assistant: customer interactions may be used for model improvement with opt-out available; vendor claims 'your data is not sent to or used with any third-party genAI service.' Observability AI: customer query data IS sent to third-party LLM services for response generation (distinct from training but relevant for data handling). The per-product variation in third-party LLM data sharing is an unresolved inconsistency across the product family.

    // Security controls

    Encryption in transit

    TLS 1.2+ for all data in motion to and from the platform

    help.splunk.com

    Encryption at rest

    AES-256 available for Splunk Cloud Platform; keys rotated regularly and monitored continuously. Note: may require additional configuration or cost tier for cloud deployments.

    help.splunk.com

    Penetration testing

    Annual third-party penetration testing

    customertrust.splunk.com

    Disaster recovery

    Disaster recovery plan in place

    customertrust.splunk.com

    Cyber insurance

    Cyber insurance maintained

    customertrust.splunk.com

    Vulnerability disclosure / bug bounty

    Bug bounty and vulnerability disclosure program; submissions via advisory.splunk.com

    customertrust.splunk.com

    Identity and access management

    Centralized IAM with SSO for employee access

    customertrust.splunk.com

    Status page

    Public status page available

    customertrust.splunk.com

    Data deletion on request

    Deletes customer data on request

    customertrust.splunk.com

    Third-party audits

    One or more annual third-party audits covering SOC 2, ISO 27001, FedRAMP, PCI DSS, and others

    customertrust.splunk.com

    Sub-processor list

    Published and maintained; email subscription available for change notifications

    splunk.com

    Shared responsibility model

    Documented Splunk Cloud Platform shared responsibility model published

    splunk.com

    // Products & data scope

    Splunk Cloud PlatformSaaS SIEM / data analytics

    data: Security logs, machine data, traces, metrics ingested at petabyte scale. Full SOC 2 Type II, ISO 27001/17/18, HIPAA, PCI DSS, FedRAMP Moderate and High scope.

    Primary SaaS offering. Multi-region deployment across AWS, GCP, and Azure. Runs on shared infrastructure with logical tenant isolation. AI Assistant for SPL included.

    Splunk EnterpriseOn-premises SIEM / data analytics

    data: Customer-managed on-prem deployment. Data never leaves customer environment by default.

    Self-hostable. ISO 27001 scope includes Enterprise. FIPS 140-2 and Common Criteria (NIAP) certified for government use. Customer responsible for hosting security controls.

    Splunk Enterprise SecuritySIEM / threat detection and response

    data: Security events, threat intelligence (Cisco Talos), incident data. Runs on Splunk Cloud Platform or on-premises.

    AI Assistant in Security trains on customer prompts and logs by default; opt-out available in product settings. Integrates Cisco Talos threat intel.

    Splunk Observability CloudSaaS APM / DevOps observability

    data: Application traces (8M+ per deployment), spans (50M+), metrics, logs from owned and unowned networks.

    Separate security addendum (Splunk Observability Cloud Security Addendum). AI Assistant in Observability Cloud sends query-relevant data to third-party LLM services for response generation. SOC 2, ISO, HIPAA coverage.

    Splunk SOARSecurity orchestration, automation, and response

    data: Security alerts, playbook execution data, case management data.

    Available as SaaS (cloud) or on-premises. Separate service description; security addendum for cloud variant.

    Splunk AI (cross-cutting capabilities)AI / agentic SOC and observability

    data: Customer prompts, tool call results, security events, SPL queries, observability metrics.

    Umbrella for AI Assistant for SPL, AI Assistant in Security, AI Assistant in Observability Cloud, and agentic capabilities. Training data use and third-party LLM involvement varies per sub-product. ISO 42001 not yet held.

    // What to watch

    • AI training default-on: Splunk trains on customer prompts, responses, underlying logs, and feedback by default across AI Assistant products. Opt-out is available per product (e.g., via Enterprise Security settings) but is not the default. Procurement teams should confirm opt-out is enabled before deploying AI features in sensitive environments.
    • Inter-product AI data handling inconsistency: SPL AI Assistant states 'your data is not sent to or used with any third-party genAI service,' but Observability AI explicitly sends query-relevant data to third-party LLM services for response generation. The boundary between products is not unified, which may create compliance surprises for teams assuming a single consistent AI data policy.
    • Privacy policy redirect post-acquisition: splunk.com/en_us/legal/privacy/privacy-policy.html now redirects (HTTP 301) to Cisco's corporate privacy page (cisco.com). Splunk-specific data handling practices should be confirmed against the current Cisco/Splunk privacy documentation and the Splunk DPA.
    • Encryption at rest: Splunk Cloud Platform offers AES-256 at rest, but implementation details suggest this may require explicit configuration or incur additional cost for some deployment tiers. Default posture should be confirmed in contract or security addendum.
    • DPA exclusion for trials and free licenses: The Splunk DPA explicitly does not apply to trials, evaluations, beta, free, donated, test, or development licenses. Teams running PoC evaluations have no DPA coverage.

    // At a glance

    Pricing model

    Enterprise subscription (by data ingest volume and product tier); SaaS and perpetual on-premises licensing options; free trials available (DPA does not apply to trials)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Splunk LLC (a Cisco company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    customertrust.splunk.com

    > Browse all vendor trust reports