BeyondTrust - Secure Remote Access and Privileged Access Management

BeyondTrust is Committed to Security & Compliance

Security and compliance are essential for businesses of all sizes. With the ever-evolving threat landscape and increasingly stringent data privacy regulations, organizations need to partner with vendors that are dedicated to protecting their data and systems. BeyondTrust is one such vendor, with a comprehensive list of industry certifications that demonstrates a commitment to security and compliance.

Industry Certifications

BeyondTrust's extensive list of industry certifications is a testament to its commitment to security and compliance. By choosing BeyondTrust, organizations can be confident that their security needs are in the hands of a vendor that is dedicated to protecting their data and systems.

ISO 27001

ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2022 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

  • Certificate Expiration Date: August 21, 2026


ISO 27701

ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

  • Certificate Expiration Date: August 21, 2026


American Institute of Certified Public Accountants (AICPA)

The American Institute of Certified Public Accountants (AICPA) System and Organizational Controls (SOC) for Service Organizations reports are designed to help service organizations that provide services to other entities build trust and confidence in the services performed and the controls related to those services through a report by an independent CPA. Each type of SOC for Service Organizations report is designed to help service organizations meet specific user needs.

BeyondTrust SOC Reports are based on independent third-party assessor examinations. The resulting reports demonstrate how BeyondTrust achieves key compliance controls and objectives. The purpose of these reports is to help customers and auditors understand the BeyondTrust controls established to support operations and compliance.

  • AWS SOC 2 Type 2: Certified for Entitle, Identity Security Insights®, Endpoint Privilege Management for Linux, and Secure Remote Access (Remote Support & Privileged Remote Access)

  • Azure SOC 2 Type 2: Certified for Endpoint Privilege Management Cloud and Password Safe Cloud


Data Privacy Framework

The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

  • EU-US Data Privacy Framework, Expiration Date: March 24, 2026

  • Swiss-US Data Privacy Framework, Expiration Date: March 24, 2026

  • UK Extension to the EU-US Data Privacy Framework, Expiration Date: March 24, 2026


FIPS 140-2

The FIPS 140-2 standard specifies security requirements for a cryptographic module used within a security system and is published by the U.S. National Institute of Standards and Technology (NIST). FIPS 140-2 was the main input document for developing ISO/IEC 19790, and is recognized worldwide as an important benchmark for third-party validations of encryption products of all kinds.

  • BeyondTrust Remote Support Certification Date: April 2021


PCI DSS

The PCI Security Standards Council (PCI SSC), representing financial institutions, merchants, processor companies, software developers, and point-of-sale vendors, developed PCI DSS in 2004 to safeguard credit card and cardholder data against breach and other forms of unauthorized access.

To process, store, or transmit credit card data, merchants and payment or internet service providers must be PCI compliant. Otherwise, they face strict penalties including fines and possible loss of credit card privileges.

Level 4 applies to merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year or up to 1 million total Visa or Mastercard credit card transactions and that have not suffered a data breach or attack that compromised card or cardholder data.

  • PCI DSS Level 4 Expiration Date: January 27, 2027


Common Criteria

The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.

  • Common Criteria Protection Profile for Enterprise Security Management Certificate Date: June 2018


Federal Risk and Authorization Management Program (FedRAMP®)

The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.

BeyondTrust has achieved FedRAMP Moderate authorization for its Secure Remote Access solutions (Remote Support and Privileged Remote Access).


Texas Risk and Authorization Management Program (TX-RAMP)

Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for security assessment, certification, and continuous monitoring of cloud computing services that process the data of Texas state agencies.

BeyondTrust Privileged Remote Access and Remote Support solutions have been certified by TX-RAMP under the Secure Remote Access service offering.

  • Certificate ID: TX1230552

  • Certification Status: Level 2 Certification


BeyondTrust Password Safe has been TX-RAMP certified.

  • Certificate ID: TX1152790

  • Certification Status: Level 2 Certification


BeyondTrust Endpoint Privilege Management has been TX-RAMP certified.

  • Certificate ID: TX1152816

  • Certification Status: Level 2 Certification


Cybersecurity & Infrastructure Security Agency (CISA): Secure by Design Pledge

The CISA Secure by Design Pledge lays out requirements that vendors will take into account to improve the overall security of products and/or services. This is a voluntary pledge focused on enterprise software products and services (e.g., on-prem, cloud services, SaaS).

BeyondTrust is one of the signatories of the pledge, which underscores and demonstrates BeyondTrust's commitment to building safer, more secure, and more transparent technology products.
