// Trust & Security Report
Sumo Logic, Inc.
Cloud SIEM, Log Analytics, Observability, Dojo AI
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.sumologic.com“The Sumo Logic 2025 SOC 2 Type II Report is now available for review. This report covers a period from 1/1/2025 to 12/31/2025.”
Verify on fedramp.gov“FedRAMP Certified, Authorization Date: January 29, 2021, Certification Level: Class C (Moderate), Package ID: FR1918740338, Total Authorizations: 3, Reuses: 111”
Verify on trust.sumologic.com“The Sumo Logic 2024 ISO 27001:2022 certification is now available for review. The audit was completed by Coalfire and covers a period from 1/1/2024 to 12/31/2024.”
Verify on trust.sumologic.com“The latest PCI DSS Attestation of Compliance (AOC) / Report on Compliance (ROC) and HIPAA report are now available for customer review. (March 17, 2026)”
Verify on trust.sumologic.com“The Sumo Logic 2024 HIPAA Report and PCI 4.0 Attestation of Compliance and Report on Compliance are now available for review.”
Verify on sumologic.com“Transfers out of the European Economic Area (EEA), UK and Switzerland not deemed adequate by the European Commission are pursuant to Standard Contractual Clauses adopted by the European Commission.”
Verify on sumologic.com“CCPA listed as a compliance badge on the Sumo Logic homepage and trust center: 'SOC 2 Type II, FedRAMP Moderate Authorized, ISO 27001, GDPR, HIPAA, PCI DSS 3.2, CCPA'”
Verify on trust.sumologic.com“Sumo Logic TX-RAMP Level 2 Certification listed as a featured document in the trust center and displayed as a badge.”
Verify on trust.sumologic.com“Sumo Logic is now listed on the EU-US Privacy Framework. For more information, please visit the listing by searching for 'Sumo Logic' directly at the U.S. Department of Commerce Data Privacy Framework: https://www.dataprivacyframework.gov/list”
Verify on trust.sumologic.com“Sumo Logic VPAT_CIP CSE July 2024 listed as a featured document and VPAT badge displayed in the trust center.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region SaaS: United States, US Federal (FedRAMP), Dublin (EU), Frankfurt (EU), Zurich (EU), Montreal (CA), Tokyo, Seoul, Sydney. AWS European Sovereign Cloud deployment available from June 2, 2026.
Docs explicitly state: 'Customer data is never used to train AI models.' Dojo AI uses Amazon Bedrock (Anthropic models via AWS); AWS contractually commits to not using customer inputs for training and third-party model providers do not have access to customer inputs or outputs. Customer-specific ML models are never shared or made public. Customers can opt out of specific AI features via support ticket. Advanced features like the SOC Analyst Agent require explicit customer opt-in.
// Security controls
Bug Bounty Program
HackerOne (public vulnerability disclosure program at hackerone.com/sumologic; private bug bounty program also operated; first launched Q4 2017)
hackerone.comPenetration Testing
Annual third-party penetration testing confirmed; both External and Internal Penetration Test summaries available as documents in the trust center.
trust.sumologic.comEncryption
Data encrypted at rest and in transit; encryption FAQ available in trust center under 'Encryption' knowledge base section.
trust.sumologic.comDisaster Recovery
Formal disaster recovery plan in place; BC/DR Exercise Executive Summary available as a trust center document.
trust.sumologic.comCyber Insurance
Certificate of Insurance (COI) available as featured trust center document.
trust.sumologic.comMobile Device Management
Formal MDM program in place, confirmed in trust center quick summary.
trust.sumologic.comIdentity and Access Management
Centralized IAM solution (SSO) used to manage employee access, confirmed in trust center quick summary.
trust.sumologic.comSecurity Whitepaper
Sumo Logic Security Whitepaper available as a featured trust center document (PDF).
trust.sumologic.comSecurity Governance
Founded by IT Security veterans; dedicated CSO and SOC team; 9 Security Governance FAQ answers in trust center; NYDFS Compliance White Paper available.
sumologic.com// Products & data scope
data: Customer security logs, events, alerts, entity data (users, devices, networks). Data processed within customer's logical environment. FedRAMP Moderate authorized for US federal use. SOC 2 Type II and PCI DSS apply.
Cloud-native, multi-tenant SaaS. Integrates with 450+ data sources. Supports UEBA, threat hunting, automated playbooks. FedRAMP Moderate dedicated US deployment available.
data: AWS, Azure, Google Cloud logs and telemetry. PCI compliance dashboards included. All data stored under same certification scope as Cloud SIEM.
Pricing uses Flex Credits; pay-per-insight model. Designed for multi-cloud compliance and threat detection. No data rehydration required.
data: Application performance, infrastructure metrics, traces, and logs. Same multi-tenant SaaS infrastructure as SIEM products; covered under same SOC 2 and ISO 27001 scope.
Primarily for DevOps/SRE use cases. AI-driven anomaly detection uses 60-day rolling window; customer data never used for cross-customer model training.
data: Customer security events and logs processed by AI agents. Uses Amazon Bedrock (Anthropic models). Customer data does not leave Sumo Logic's secure environment; not used for foundation model training.
Multi-agent AI platform for threat detection, investigation, and response. SOC Analyst Agent requires explicit customer opt-in. Customers can opt out of any AI feature via support ticket. All AI capabilities reviewed by legal, compliance, and security teams before release.
// What to watch
- FedRAMP authorization is an Agency ATO (not FedRAMP Joint Authorization Board direct), though listed on the official FedRAMP marketplace with 3 active authorizations and 111 reuses.
- Privacy policy explicitly excludes customer operational data (governed by separate Services Agreement/DPA), so AI training policy confirmation comes from product documentation rather than the public privacy statement itself.
- AWS European Sovereign Cloud deployment announced as GA June 2, 2026, which is very recent and may not yet appear in all compliance documentation.
// At a glance
Pricing model
Credit-based SaaS subscription. Plans: Free, Essentials, Enterprise Operations, Enterprise Security, Enterprise Suite. Flex Credits priced per region ($0.15-$0.36/credit). Costs scale with data ingest volume (GB/day) and retention period.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sumo Logic, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.sumologic.com