The CenturyLink Compliance Center provides information about the security controls in place to mitigate risk and ensure stability. Working with a global enterprise IT service provider like CenturyLink, you can rest assured we have experience with a wide range of security controls, regulatory requirements, and industry standard compliance models.

Benefit from our investment in these IT security frameworks to assess your internal readiness and accelerate compliance obligations. Information provided by CenturyLink about these compliance programs demonstrates how our automation platform provides a solid foundation for your risk mitigation strategy. CenturyLink's hybrid-IT approach combines our public and private cloud offerings with our managed services and more "traditional" IT services to create a hybrid platform capable of meeting a multitude of business needs.


CenturyLink Cloud's data centers comply with SSAE 16 and SOC 1 & SOC 2

Our data centers around the globe are independently audited in accordance with the Statement on Standards for Attestation Engagements #16 (SSAE 16) and have published a Service Organization Controls 1 (SOC 1), Type 2 report, as well as SOC 2 and Type II reports, demonstrating our commitment to protecting the security and availability of customer data.

FedRAMP Compliance


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security for cloud products and services. CenturyLink can help achieve FedRAMP compliance.

Read more about FedRAMP

CenturyLink is ISO 27001-certified in multiple data centers

ISO 27001:2013

CenturyLink has also received certification of the ISO/IEC 27001:2013 Information Security Management System (ISMS) Standard for five of its data centers.

Read more about ISO 27001

CenturyLink is ISO 9001-certified in multiple data centers

ISO 9001:2015

ISO 9001:2015 is the international standard that specifies requirements for a Quality Management System (QMS). Organizations use the standard to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.

Read more about ISO 9001

PCI Compliance


PCI is the security certification that applies to any organization or merchant that accepts, transmits or stores any credit cardholder data. CenturyLink can work with you to provide a variety of PCI-DSS compliant solutions and is a listed service provider on the VISA PCI Compliance Directory.

Read more about PCI DSS Compliance

View a Dedicated Cloud Compute PCI compliance architecture for an example of our compliance solutions.


Federal Trade Commission enforces COPPA. CenturyLink helps with compliance


CenturyLink can help its customers comply with the Children’s Online Privacy Protection Act (COPPA) Rule requirements. The Federal Trade Commission (FTC), the United States national consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

Read more about COPPA


The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and affords parents the right to protect their children's privacy and accuracy of education records. CenturyLink can assist with FERPA compliance by providing a combination of hybrid IT services—Cloud, Managed Services and Colocation.

Read more about FERPA

CenturyLink IaaS meets HIPAA compliance requirements


Covered entities and their business associates who are required to comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) can leverage CenturyLink to process, maintain, and store individually identifiable health information or protected health information (PHI).

Read more about HIPAA

View a Dedicated Cloud Compute HIPAA compliance architecture.

CenturyLink can assist with APP compliance.

Australian Privacy Principles

Australian Privacy Principles (APPs) regulate the handling of personal information by both Australian government agencies and businesses. CenturyLink encourages customers to understand the APPs, how their business activities comply with these principles, and how to effectively select and use CenturyLink services in those efforts. As a service provider, CenturyLink has focused on a few key APPs.

Read more about the APPs

Standards & Frameworks

CenturyLink Cloud has self-assessed via the STAR CAIQ


The CSA Security, Trust and Assurance Registry (STAR) is a comprehensive set of offerings for cloud provider trust and assurance. CenturyLink Cloud has completed and submitted the STAR Consensus Assessments Initiative Questionnaire (CAIQ).

Read more about CSA and STAR

ENISA Compliant and Secure Hosting


The European Union Agency for Network and Information Security (ENISA) is a center of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. CenturyLink can assist customers in complying with ENISA requirements.

Read more about ENISA

Secure and compliant hosting services to meet requirements of the EU Data Protection Directive 95/46/EC.

EU Directive 95/46/EC

To assist customers in meeting EU Directive requirements, CenturyLink will agree to the Model Clauses, subject to a review process to vet the services in consideration for compliance, and prepare the Appendix that describes the security controls we agree to have in place.

Read more about EU Directive 95/46/EC

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency.


The Federal Information Security Management Act (FISMA) is a comprehensive framework for securing the federal government’s information technology (IT). FISMA provides a set of specific guidelines for federal agencies on how to plan for, budget, implement, and maintain secure systems.

Read more about FISMA

CenturyLink adheres to BDSG's security requirements for personal data

German Federal Data Protection

The Bundesdatenschutzgesetz, or BDSG, is Germany’s Federal Data Protection Act. CenturyLink ensures the required technical and organizational measures are adhered to for protection of personal data against misuse and loss in accordance with the requirements of the BDSG.

Read more about BDSG

TRUSTe Privacy Certification

TRUSTe Privacy Seal

CenturyLink Cloud has been awarded TRUSTe's Privacy Seal signifying that our Privacy Policy and practices have been reviewed for compliance with TRUSTe’s Program Requirements including transparency, accountability and choice regarding the collection and use of your Personal Information.

Read more about TRUSTe

Shared Responsibility for Security & Compliance

Cloud security relies on a "Shared Responsibility" model, with clear demarcations for where the obligations lie with the infrastructure provider versus the customer. CenturyLink's obligation is limited to securing the underlying infrastructure of the cloud, whereas the customer is responsible for securing their own cloud servers, applications, and systems that are deployed on our infrastructure. Customers can accomplish this by implementing their own technologies, or they may deploy tools that we and our partners provide.

Whether you're simply using our CenturyLink public cloud Infrastructure as a Service (IaaS) or building out a full Hybrid IT solution with CenturyLink, we will assist in identifying the right combination of IT services to meet your security and compliance needs. The level of responsibility depends to some degree on the services employed and level of management subscribed to. CenturyLink can help you navigate the complexities of ensuring your organization understands its obligations under the Shared Responsibility model.

Read more about Shared Responsibility

Compliance Resource Guide

Compliance implementation plans are not one-size-fits-all. At CenturyLink, we work with our customers to understand the unique compliance needs of the business, and develop a customized plan that matches both the unique business priorities and regulations necessary to achieve the compliance posture desired.

CenturyLink then works with the business to implement custom security and compliance-enabling solutions, tailored to meet any organization’s compliance requirements.

To learn more about compliance implementation, and how CenturyLink can help your business achieve compliance certifications, read our compliance resource guide.


Alert Logic, a leader in cloud security and compliance solutions, provides Security-as-a-Service for cloud and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Alert Logic has integrated their Log Manager and their Web Security Manager technologies with the CenturyLink Cloud platform, publishing these virtual appliances as CenturyLink Cloud Partner Templates.

Vormetric provides enterprise encryption and key management services that enable corporations to protect their data. Vormetric’s Data Security Manager (DSM) addresses industry compliance mandates and government regulations globally by securing data in physical, virtual and cloud infrastructures, through Data Encryption, Key Management, Access Policies, Privileged User Control, and Security Intelligence. Vormetric’s technology is integrated with the CenturyLink Cloud platform and available for deployment via Blueprint or Partner Template.

Cavirin offers a security and compliance solution expressly designed for both cloud environments and physical data centers. Cavirin delivers continuous audit and operational compliance to the cloud, with technology expressly designed to measure and monitor risk associated with a range of compliance guidelines (PCI, HIPAA, ISO, NIST, SOC 2, CIS, and/or DISA STIGs). Integrated with CenturyLink Cloud as a Partner Template, Cavirin helps customers address the business challenge of compliance and regulatory governance.

Related Products

Intrusion Prevention System

Monitors virtual machines; logs, blocks or stops any identified vulnerability and reports it based on the IPS policy.


Connect networks within a particular data center through the use of configurable firewall policies, and create firewall policies that connect different data centers.

Private Cloud

Our cloud stack, isolated and dedicated to you. Deploy in over 55 CenturyLink locations around the world.

Security & Compliance

CenturyLink Cloud provides advanced cloud security and compliance that protects enterprise systems and data.

Disaster Recovery

Affordable protection for your on-premise data & production VMs. Avoid the enormous costs of IT downtime and data loss with SafeHaven for CenturyLink Cloud.