// Trust & Security Report

    Sumo Logic, Inc. logo

    Sumo Logic, Inc.

    Cloud SIEM, Log Analytics, Observability, Dojo AI

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    The Sumo Logic 2025 SOC 2 Type II Report is now available for review. This report covers a period from 1/1/2025 to 12/31/2025.

    Verify on trust.sumologic.com
    FedRAMP Moderate
    HELD

    FedRAMP Certified, Authorization Date: January 29, 2021, Certification Level: Class C (Moderate), Package ID: FR1918740338, Total Authorizations: 3, Reuses: 111

    Verify on fedramp.gov
    ISO 27001:2022
    HELD

    The Sumo Logic 2024 ISO 27001:2022 certification is now available for review. The audit was completed by Coalfire and covers a period from 1/1/2024 to 12/31/2024.

    Verify on trust.sumologic.com
    PCI DSS 4.0.1
    HELD

    The latest PCI DSS Attestation of Compliance (AOC) / Report on Compliance (ROC) and HIPAA report are now available for customer review. (March 17, 2026)

    Verify on trust.sumologic.com
    HIPAA
    HELD

    The Sumo Logic 2024 HIPAA Report and PCI 4.0 Attestation of Compliance and Report on Compliance are now available for review.

    Verify on trust.sumologic.com
    GDPR
    HELD

    Transfers out of the European Economic Area (EEA), UK and Switzerland not deemed adequate by the European Commission are pursuant to Standard Contractual Clauses adopted by the European Commission.

    Verify on sumologic.com
    CCPA
    HELD

    CCPA listed as a compliance badge on the Sumo Logic homepage and trust center: 'SOC 2 Type II, FedRAMP Moderate Authorized, ISO 27001, GDPR, HIPAA, PCI DSS 3.2, CCPA'

    Verify on sumologic.com
    TX-RAMP Level 2
    HELD

    Sumo Logic TX-RAMP Level 2 Certification listed as a featured document in the trust center and displayed as a badge.

    Verify on trust.sumologic.com
    EU-US Data Privacy Framework
    HELD

    Sumo Logic is now listed on the EU-US Privacy Framework. For more information, please visit the listing by searching for 'Sumo Logic' directly at the U.S. Department of Commerce Data Privacy Framework: https://www.dataprivacyframework.gov/list

    Verify on trust.sumologic.com
    VPAT (Accessibility)
    HELD

    Sumo Logic VPAT_CIP CSE July 2024 listed as a featured document and VPAT badge displayed in the trust center.

    Verify on trust.sumologic.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region SaaS: United States, US Federal (FedRAMP), Dublin (EU), Frankfurt (EU), Zurich (EU), Montreal (CA), Tokyo, Seoul, Sydney. AWS European Sovereign Cloud deployment available from June 2, 2026.

    Docs explicitly state: 'Customer data is never used to train AI models.' Dojo AI uses Amazon Bedrock (Anthropic models via AWS); AWS contractually commits to not using customer inputs for training and third-party model providers do not have access to customer inputs or outputs. Customer-specific ML models are never shared or made public. Customers can opt out of specific AI features via support ticket. Advanced features like the SOC Analyst Agent require explicit customer opt-in.

    // Security controls

    Bug Bounty Program

    HackerOne (public vulnerability disclosure program at hackerone.com/sumologic; private bug bounty program also operated; first launched Q4 2017)

    hackerone.com

    Penetration Testing

    Annual third-party penetration testing confirmed; both External and Internal Penetration Test summaries available as documents in the trust center.

    trust.sumologic.com

    Encryption

    Data encrypted at rest and in transit; encryption FAQ available in trust center under 'Encryption' knowledge base section.

    trust.sumologic.com

    Disaster Recovery

    Formal disaster recovery plan in place; BC/DR Exercise Executive Summary available as a trust center document.

    trust.sumologic.com

    Cyber Insurance

    Certificate of Insurance (COI) available as featured trust center document.

    trust.sumologic.com

    Mobile Device Management

    Formal MDM program in place, confirmed in trust center quick summary.

    trust.sumologic.com

    Identity and Access Management

    Centralized IAM solution (SSO) used to manage employee access, confirmed in trust center quick summary.

    trust.sumologic.com

    Subprocessors

    Subprocessor list available on request via trust center.

    trust.sumologic.com

    Status Page

    Platform status page available at https://status.sumologic.com/

    trust.sumologic.com

    Security Whitepaper

    Sumo Logic Security Whitepaper available as a featured trust center document (PDF).

    trust.sumologic.com

    Security Governance

    Founded by IT Security veterans; dedicated CSO and SOC team; 9 Security Governance FAQ answers in trust center; NYDFS Compliance White Paper available.

    sumologic.com

    // Products & data scope

    Cloud SIEMSecurity Information and Event Management

    data: Customer security logs, events, alerts, entity data (users, devices, networks). Data processed within customer's logical environment. FedRAMP Moderate authorized for US federal use. SOC 2 Type II and PCI DSS apply.

    Cloud-native, multi-tenant SaaS. Integrates with 450+ data sources. Supports UEBA, threat hunting, automated playbooks. FedRAMP Moderate dedicated US deployment available.

    Logs for SecurityCloud Log Analytics / Security Data Lake

    data: AWS, Azure, Google Cloud logs and telemetry. PCI compliance dashboards included. All data stored under same certification scope as Cloud SIEM.

    Pricing uses Flex Credits; pay-per-insight model. Designed for multi-cloud compliance and threat detection. No data rehydration required.

    Monitoring and Troubleshooting (Cloud Operations)Observability / APM

    data: Application performance, infrastructure metrics, traces, and logs. Same multi-tenant SaaS infrastructure as SIEM products; covered under same SOC 2 and ISO 27001 scope.

    Primarily for DevOps/SRE use cases. AI-driven anomaly detection uses 60-day rolling window; customer data never used for cross-customer model training.

    Dojo AIAgentic AI / SecOps Automation

    data: Customer security events and logs processed by AI agents. Uses Amazon Bedrock (Anthropic models). Customer data does not leave Sumo Logic's secure environment; not used for foundation model training.

    Multi-agent AI platform for threat detection, investigation, and response. SOC Analyst Agent requires explicit customer opt-in. Customers can opt out of any AI feature via support ticket. All AI capabilities reviewed by legal, compliance, and security teams before release.

    // What to watch

    • FedRAMP authorization is an Agency ATO (not FedRAMP Joint Authorization Board direct), though listed on the official FedRAMP marketplace with 3 active authorizations and 111 reuses.
    • Privacy policy explicitly excludes customer operational data (governed by separate Services Agreement/DPA), so AI training policy confirmation comes from product documentation rather than the public privacy statement itself.
    • AWS European Sovereign Cloud deployment announced as GA June 2, 2026, which is very recent and may not yet appear in all compliance documentation.

    // At a glance

    Pricing model

    Credit-based SaaS subscription. Plans: Free, Essentials, Enterprise Operations, Enterprise Security, Enterprise Suite. Flex Credits priced per region ($0.15-$0.36/credit). Costs scale with data ingest volume (GB/day) and retention period.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sumo Logic, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.sumologic.com

    > Browse all vendor trust reports