Information Security Compliance and Audit is responsible for engaging and supporting external auditors and CenturyLink business units in successfully completing an annual renewal of audit reports and certifications for CenturyLink products.

Information Security Compliance works closely with internal global groups and departments to ensure that processes and procedures are accurately represented and tested during annual audits. The Information Security Compliance and Audit group creates and performs internal and external third-party assessments, monitors processes, gathers evidence, and helps with remediation plans. Information Security Compliance works across all departments within CenturyLink to ensure there is continuous improvement and compliance readiness.


CenturyLink Cloud's data centers comply with SSAE 16 and SOC 1

SOC Program

Our data centers around the globe are independently audited in accordance with the Statement on Standards for Attestation Engagements #18 (SSAE 18). They have published a Service Organization Controls SOC 1 Type 2 report and SOC 2 Type 2 report(s), demonstrating their commitment to protecting security, availability, and confidentiality (where applicable) of customer data.

CenturyLink's ISO 22301:2012 certification is limited to the business continuity management system (BCMS) supporting the SAP-HANA Enterprise Cloud (HEC) for Managed Hosting Services

ISO 22301:12

The scope of the ISO 22301:2012 certification is limited to the business continuity management system (BCMS) supporting the SAP-HANA Enterprise Cloud (HEC) for Managed Hosting Services. HANA Enterprise Cloud (HEC) is a solution to provide SAP HANA to SAP customers using CenturyLink’s Dedicated Cloud Compute (DCC) platform.


CenturyLink Technologies India holds and operates an IT Service Management System that complies with the requirements of ISO/IEC 20000-1:2011

ISO/IEC 20000-1:2011

CenturyLink Technologies India (CTLI), Pvt. Ltd. Salarpuria Hallmark Block B, Ground Floor, Karnataka, India specifically holds and operates an IT Service Management System that complies with the requirements of ISO/IEC 20000-1:2011 for the following scope:

CTLI Operations division service management system supporting the provision of Managed Hosting & Managed Services to global customers from Bangalore, India, including support functions. This is in accordance with the latest version of the Service Catalogue ver. 14 dated January 18, 2016.

CenturyLink is ISO 27001-certified in multiple data centers

ISO 27001:2013

CenturyLink has received a certificate of registration for ISO/IEC 27001:2013 Information Security Management System (ISMS) Standard. CenturyLink can therefore be formally audited and certified compliant with the standard. The primary benefit of ISO 27001 certification means that the company can demonstrate to existing and potential customers that effective information security processes have been defined and implemented, thus creating a trust relationship. The scope of the ISO/IEC 27001:2013 certification is limited to the information security management system (ISMS) supporting global managed hosting in accordance with the Statement of Applicability (SOA).

Read more about ISO 27001

CenturyLink is ISO 9001-certified in multiple data centers

ISO 9001:2015

CenturyLink maintains an ISO 9001:2015 certification limited to the Quality Management System (QMS) covering a variety of requirements regarding the SAP HANA Enterprise Cloud (HEC) product.

Read more about ISO 9001

PCI Compliance

Payment Card Industry Data Security Standard (PCI)

PCI is the security certification that applies to any organization or merchants that accepts, transmits or stores any credit cardholder data. CenturyLink can work with you to provide a variety of PCI compliant solutions and is a listed service provider on the VISA PCI Compliance Directory.

Read more about PCI DSS Compliance

View a Dedicated Cloud Compute PCI compliance architecture for an example of our compliance solutions.


CenturyLink IaaS meets HIPAA compliance requirements


Covered entities and their business associates who are required to comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) can leverage CenturyLink to process, maintain, and store individually identifiable health information or protected health information (PHI).

Read more about HIPAA

CenturyLink can assist with APP compliance.

Australian Privacy Principles

Australian Privacy Principles (APPs) regulate the handling of personal information by both Australian government agencies and businesses. CenturyLink encourages customers to understand the APPs, how their business activities comply with these principles, and how to effectively select and use CenturyLink services in those efforts. As a service provider, CenturyLink has focused on a few key APPs.

Read more about the APPs

CenturyLink and OSPAR Compliance.


Outsourced Service Provider Audit Report (OSPAR) is a report that complies with The Association of Banks in Singapore’s guidelines. In this manner, it requires financial institutions (FIs) in Singapore to ensure that their outsourced service providers (OSP) are audited in accordance with Singapore Standard on Assurance Engagements 3000 (Revised) for assurance engagements other than audits or reviews of historical financial information. To remain OSPAR-certified, the OSP must have the relevant measures and controls, and implement them consistently to pass annual independent audits.

OSPAR certification provides credibility to the OSP and the assurance that it maintains the same level of governance, rigor and consistency as FIs in Singapore.


Standards & Frameworks

CenturyLink Cloud has self-assessed via the STAR CAIQ


The CSA Security, Trust and Assurance Registry (STAR) is a comprehensive set of offerings for cloud provider trust and assurance. CenturyLink Cloud has completed and submitted the STAR Consensus Assessments Initiative Questionnaire (CAIQ).

Read more about CSA and STAR

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency.


The Federal Information Security Management Act (FISMA) is a comprehensive framework for securing the federal government’s information technology (IT). FISMA provides a set of specific guidelines for federal agencies on how to plan for, budget, implement, and maintain secure systems.

Read more about FISMA

CenturyLink adheres to BDSG's security requirements for personal data

German Federal Data Protection

The Bundesdatenschutzgesetz or BDSG, is Germany’s Federal Data Protection Act. CenturyLink ensures that the required technical and organizational measures are adhered to for protection of personal data against misuse and loss in accordance with the requirements of the BDSG.

Read more about BDSG

TRUSTe Privacy Certification

TRUSTe Privacy Seal

CenturyLink Cloud has been awarded TRUSTe's Privacy Seal. This signifies that our Privacy Policy and practices have been reviewed for compliance with TRUSTe’s Program Requirements, including transparency, accountability and choice regarding the collection and use of your Personal Information.

Read more about TRUSTe

Shared Responsibility for Security & Compliance

Cloud security relies on a "Shared Responsibility" model with clear demarcations for where the infrastructure provider’s obligations lie versus the customer. CenturyLink's obligation is limited to securing the underlying infrastructure of the cloud; the customer is responsible for securing the cloud servers, applications, and systems they deploy on our infrastructure. Customers can accomplish this by implementing their own technologies, or they may deploy tools that we and our partners provide.

Whether you're simply using our CenturyLink public cloud Infrastructure as a Service (IaaS) or building out a full Hybrid IT solution with CenturyLink, we will assist in identifying the right combination of IT services to meet your security and compliance needs. The level of responsibility depends to some degree on the services employed and level of management subscribed to. CenturyLink can help you navigate the complexities of ensuring your organization understands its obligations under the Shared Responsibility model.

Read more about Shared Responsibility

Compliance Resource Guide

Compliance implementation plans are not one-size-fits-all. At CenturyLink, we work with our customers to understand their unique compliance needs and develop a customized plan that matches both their unique business priorities and regulations necessary to achieve the desired compliance posture.

CenturyLink then works with the business to implement custom security and compliance enabling solutions to facilitate customization to meet any organization’s compliance requirements.

To learn more about compliance implementation, and how CenturyLink can help your business achieve compliance certifications, read our compliance resource guide.


Alert Logic, a leader in cloud security and compliance solutions, provides Security-as-a-Service for cloud and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Alert Logic has integrated their Log Manager and their Web Security Manager technologies with the CenturyLink Cloud platform, publishing these virtual appliances as CenturyLink Cloud Partner Templates.

Vormetric provides enterprise encryption and key management services that enable corporations to protect their data. Vormetric’s Data Security Manager (DSM) addresses industry compliance mandates and government regulations globally by securing data in physical, virtual and cloud infrastructures through Data Encryption, Key Management, Access Policies, Privileged User Control, and Security Intelligence. Vormetric’s technology is integrated with the CenturyLink Cloud platform and available for deployment via Blueprint or Partner Template

Cavirin offers a security and compliance solution for cloud environments and physical data centers. Cavirin delivers continuous audit and operational compliance to the cloud with technology expressly designed to measure and monitor risk associated with a range of compliance guidelines (PCI, HIPAA, ISO, NIST, SOC 2, CIS, and/or DISA STIGs.) Integrated with CenturyLink Cloud as a Partner Template, Cavirin helps customers address the business challenge of compliance and regulatory governance.

Related Products

Intrusion Prevention System

Monitors virtual machines, will log, block or stop any identified vulnerability, and will report it based on the IPS policy.


Connect networks within a particular data center through the use of configurable firewall policies, and create firewall policies that connect different data centers.

Cloud Platform

The CenturyLink Cloud is reliable, secure, robust and global. It is designed for your business needs today and tomorrow.

Security & Compliance

CenturyLink Cloud provides advanced cloud security and compliance that protects enterprise systems and data.

Disaster Recovery

Affordable protection for your on-premise data & production VMs. Avoid the enormous costs of IT downtime and data loss with SafeHaven for CenturyLink Cloud.