// Trust & Security Report
Splunk LLC (a Cisco company)
Unified security and observability platform; key sub-products: Splunk Cloud Platform (SaaS SIEM/analytics), Splunk Enterprise (on-prem), Splunk Enterprise Security (SIEM), Splunk Observability Cloud (APM/DevOps), Splunk SOAR (orchestration/automation), and cross-cutting Splunk AI capabilities (AI Assistant for SPL, AI Assistant in Security, AI Assistant in Observability Cloud)
Certifications held
17
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on customertrust.splunk.com“Badges listed: SOC 2 Type II. Compliance page: 'Semi-annual assessments of security, availability, and confidentiality controls for specified products.' Annual SOC 2 Type 2 audit report issued.”
Verify on splunk.com“Compliance page: 'SOC 1 - Semi-annual reviews of critical financial reporting systems by independent auditors (AICPA-governed).'”
Verify on customertrust.splunk.com“Trust Center badge: ISO 27001. Compliance page: 'On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27001 requirements (surveillance audits) and certifications are reissued every 3 years.' Certificate PDF published on splunk.com.”
Verify on customertrust.splunk.com“Trust Center badge: ISO 27017. Compliance page: 'Annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against ISO 27017 requirements; certifications reissued every 3 years.'”
Verify on customertrust.splunk.com“Trust Center badge: ISO 27018. Compliance page: 'On an annual basis, specified Splunk products are reviewed and certified by an independent third-party assessor against the ISO 27018 requirements and certifications are reissued every 3 years.'”
Verify on splunk.com“Compliance page: 'ISO 9001 - Quality management system. Annual reviews, 3-year renewals for specified products.'”
Verify on customertrust.splunk.com“Trust Center badge: HIPAA. Compliance page: 'Annual evaluations of specified products. Customers must accept Splunk's Business Associate Agreement for PHI processing.' Splunk Cloud Security Addendum benchmarked against HIPAA.”
Verify on customertrust.splunk.com“Trust Center badge: PCI. Compliance page: 'Level 1 service provider status requires Annual Compliance Report (ROC) by Qualified Security Assessor and quarterly network scanning.' Also confirmed in Splunk Cloud Security Addendum (CSA).”
Verify on customertrust.splunk.com“Trust Center badge: FedRAMP Moderate. FedRAMP marketplace listing active. Compliance page: 'Annual assessments with authorized documentation access through Customer Trust Portal.'”
Verify on fedramp.gov“Splunk Cloud Platform FedRAMP High authorized by the General Services Administration FedRAMP PMO at the High Impact level in September 2024. FedRAMP marketplace listing active. Covers 400+ security controls.”
Verify on customertrust.splunk.com“Trust Center badge: CSA STAR 2. Compliance page: 'Annual third-party audits leveraging ISO 27001:2013 standards with public registry listing.' Leverages CSA CCM criteria with independent assessor review.”
Verify on customertrust.splunk.com“Trust Center badge: GDPR. DPA available at splunk.com/en_us/legal/splunk-dpa.html (updated December 2024/February 2025). EU-US Data Privacy Framework certified: 'Splunk is proud to be among the first organizations to obtain certification under the EU-U.S. Data Privacy Framework.' SCCs in place for EU-to-US transfers.”
Verify on splunk.com“Compliance page: 'FIPS 140-2 - Cryptographic module validation for Splunk Enterprise and FedRAMP/IL5 Cloud Platform variants.'”
Verify on splunk.com“Compliance page: 'Common Criteria - Splunk Enterprise certified by NIAP for government agency procurement.'”
Verify on splunk.com“Compliance page: 'DoD CC SRG IL5 - Limited scope (on-premises to cloud only). Annual third-party audits for high-sensitivity controlled unclassified information.'”
Verify on splunk.com“Compliance page: 'IRAP (Australia) - Protected level assessments; 2-year validity.' Also confirmed in Cloud Platform service details.”
Verify on splunk.com“Compliance page: 'ISMAP (Japan) - Annual assessments required for government agency procurement eligibility.'”
> Show 2 unconfirmed / not-held certifications
source: splunk.comNot listed in the Splunk compliance overview, Trust Center badges, or any splunk.com domain page reviewed. No public evidence of ISO 27701 certification.
source: splunk.comSplunk has published educational blog content about ISO 42001 (What Is ISO 42001 for AI?) but no evidence of Splunk holding this certification was found on any splunk.com page or the Trust Center.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multi-region: US (AWS Oregon, Virginia; GCP; Azure), EU (Dublin, Frankfurt, Milan, Paris), UK (London), APAC (Singapore, Sydney, Tokyo, Mumbai, Seoul, Indonesia), Middle East (UAE), Canada, South America (Brazil). GovCloud regions available for FedRAMP workloads. Data remains in the customer's chosen region with no automatic cross-region transfers.
Splunk trains on customer data by default across AI products but provides opt-out mechanisms. Security AI Assistant: 'Splunk might leverage customer prompts, responses, underlying logs and feedback to train Splunk-hosted models unless customers opt out of this data sharing in the Splunk Enterprise Security settings.' SPL AI Assistant: customer interactions may be used for model improvement with opt-out available; vendor claims 'your data is not sent to or used with any third-party genAI service.' Observability AI: customer query data IS sent to third-party LLM services for response generation (distinct from training but relevant for data handling). The per-product variation in third-party LLM data sharing is an unresolved inconsistency across the product family.
// Security controls
Encryption at rest
AES-256 available for Splunk Cloud Platform; keys rotated regularly and monitored continuously. Note: may require additional configuration or cost tier for cloud deployments.
help.splunk.comVulnerability disclosure / bug bounty
Bug bounty and vulnerability disclosure program; submissions via advisory.splunk.com
customertrust.splunk.comThird-party audits
One or more annual third-party audits covering SOC 2, ISO 27001, FedRAMP, PCI DSS, and others
customertrust.splunk.comSub-processor list
Published and maintained; email subscription available for change notifications
splunk.comShared responsibility model
Documented Splunk Cloud Platform shared responsibility model published
splunk.com// Products & data scope
data: Security logs, machine data, traces, metrics ingested at petabyte scale. Full SOC 2 Type II, ISO 27001/17/18, HIPAA, PCI DSS, FedRAMP Moderate and High scope.
Primary SaaS offering. Multi-region deployment across AWS, GCP, and Azure. Runs on shared infrastructure with logical tenant isolation. AI Assistant for SPL included.
data: Customer-managed on-prem deployment. Data never leaves customer environment by default.
Self-hostable. ISO 27001 scope includes Enterprise. FIPS 140-2 and Common Criteria (NIAP) certified for government use. Customer responsible for hosting security controls.
data: Security events, threat intelligence (Cisco Talos), incident data. Runs on Splunk Cloud Platform or on-premises.
AI Assistant in Security trains on customer prompts and logs by default; opt-out available in product settings. Integrates Cisco Talos threat intel.
data: Application traces (8M+ per deployment), spans (50M+), metrics, logs from owned and unowned networks.
Separate security addendum (Splunk Observability Cloud Security Addendum). AI Assistant in Observability Cloud sends query-relevant data to third-party LLM services for response generation. SOC 2, ISO, HIPAA coverage.
data: Security alerts, playbook execution data, case management data.
Available as SaaS (cloud) or on-premises. Separate service description; security addendum for cloud variant.
data: Customer prompts, tool call results, security events, SPL queries, observability metrics.
Umbrella for AI Assistant for SPL, AI Assistant in Security, AI Assistant in Observability Cloud, and agentic capabilities. Training data use and third-party LLM involvement varies per sub-product. ISO 42001 not yet held.
// What to watch
- AI training default-on: Splunk trains on customer prompts, responses, underlying logs, and feedback by default across AI Assistant products. Opt-out is available per product (e.g., via Enterprise Security settings) but is not the default. Procurement teams should confirm opt-out is enabled before deploying AI features in sensitive environments.
- Inter-product AI data handling inconsistency: SPL AI Assistant states 'your data is not sent to or used with any third-party genAI service,' but Observability AI explicitly sends query-relevant data to third-party LLM services for response generation. The boundary between products is not unified, which may create compliance surprises for teams assuming a single consistent AI data policy.
- Privacy policy redirect post-acquisition: splunk.com/en_us/legal/privacy/privacy-policy.html now redirects (HTTP 301) to Cisco's corporate privacy page (cisco.com). Splunk-specific data handling practices should be confirmed against the current Cisco/Splunk privacy documentation and the Splunk DPA.
- Encryption at rest: Splunk Cloud Platform offers AES-256 at rest, but implementation details suggest this may require explicit configuration or incur additional cost for some deployment tiers. Default posture should be confirmed in contract or security addendum.
- DPA exclusion for trials and free licenses: The Splunk DPA explicitly does not apply to trials, evaluations, beta, free, donated, test, or development licenses. Teams running PoC evaluations have no DPA coverage.
// At a glance
Pricing model
Enterprise subscription (by data ingest volume and product tier); SaaS and perpetual on-premises licensing options; free trials available (DPA does not apply to trials)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Splunk LLC (a Cisco company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
customertrust.splunk.com