Compliance
Fivetran prioritizes the highest standards of compliance and security to safeguard your data. Our commitment extends beyond industry regulations - we adhere to rigorous security protocols, ensuring your information's confidentiality, integrity, and availability.
Fivetran annually undergoes its own independent SSAE18/SOC1 and AT101/SOC2 audit (Security, Availability, and Confidentiality criteria), and the report is made available under NDA to all existing and prospective customers on request. For all compliance reports and security/privacy document requests, visit Fivetran's Trust Center or see Fivetran's Privacy Policy for more details.
ISO 27001
Fivetran is ISO 27001 Certified. Fivetran’s Information Security Management System (ISMS) meets the requirements set forth by this globally recognized, standards-based approach to security. ISO/IEC 27001 certification applies to the overall Fivetran infrastructure and all its products.
SOC 1 Type II
The SOC 1 Type II report is an independent assessment of our control environment performed by a third party. Service Organization Controls (SOC) 1 reports provide information about a service organization’s control environment that may be relevant to the customer's internal controls over financial reporting.
Fivetran's SOC 1 Type II report is issued in accordance with the International Standard on Assurance Engagements (ISAE) 3402 (Assurance Reports on Controls at a Service Organization). The SOC 1 report covers the design and operating effectiveness of controls relevant to the Fivetran platform.
SOC 2 Type II
The SOC 2 Type II report is an independent assessment of our control environment performed by a third party.
The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 - Attest Engagements. The SOC 2 report details the design and operating effectiveness of controls relevant to any system containing customer data as part of the Fivetran platform. The Fivetran SOC 2 report addresses the following Trust Services Criteria: Security, Availability, and Confidentiality.
PCI DSS Level 1
Fivetran supports PCI DSS compliance Level 1. This environment undergoes annual assessment by Qualified Security Assessors (QSAs) against the current PCI DSS requirements.
HITRUST Implemented, 1-year (i1)
HITRUST certification is widely considered the gold standard in satisfying HIPAA’s strict security requirements. HITRUST is a certification that is trusted and recommended by many health networks and hospitals to manage security and data risks. HITRUST Implemented, 1-year (i1) certified status demonstrates that the Fivetran platform is leveraging a set of curated controls to deliver a complete security program that broadly protects against current and emerging threats, worldwide.
Cyber Essentials Basic
Cyber Essentials is a UK-government-backed scheme to help organizations protect against cyber-security threats by setting out baseline technical controls.
CSA STAR Level 1
The Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Consensus Assessments Initiative Questionnaire (CAIQ) Self-Assessment consolidates current information regarding security risks and controls into one industry-standard questionnaire (CSA STAR CAIQ). Fivetran self-assesses against the CSA STAR CAIQ annually, providing our customers with an in-depth view of our control environment.
SIG Questionnaire
The Standardized Information Gathering (SIG) questionnaire is an industry-standard compilation of questions used to assess information technology and data security across a broad spectrum of risk control areas. The SIG is issued by Shared Assessments, a global organization dedicated to third party risk assurance. Fivetran self-assesses against the SIG annually, providing our customers with an in-depth view of our control environment against a standardized set of inquiries.
EU-US Data Privacy Framework
We are certified under the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework.
In our potential role as a data subprocessor, we adhere to the principles of the EU94/95 privacy rules, as well as the upcoming GDPR rules when they are in effect.