Compliance


The CenturyLink Compliance Center provides information about the security controls in place to mitigate risk and ensure stability. Working with a global enterprise IT service provider like CenturyLink, you can rest assured we have experience with a wide range of security controls, regulatory requirements and industry-standard compliance models.

Benefit from our investment in these IT security frameworks to assess your internal readiness and accelerate compliance obligations. Information provided by CenturyLink about these compliance programs demonstrates how our automation platform provides a solid foundation for your risk mitigation strategy.

Certifications

CenturyLink Cloud's data centers comply with SSAE 16 and SOC 1

SOC 1/SSAE 16, SOC 2, SOC 3

CenturyLink's data centers around the globe are independently audited in accordance with the Statement on Standards for Attestation Engagements #16 (SSAE 16) and have published a Service Organization Controls 1 (SOC 1), Type 2 report, as well as SOC 2, Type II and SOC 3 reports demonstrating its commitment to protecting the security and availability of customer data.

Uptime Institute certifies CenturyLink Data Centers

M&O Stamp of Approval

Uptime Institute has successfully certified more than half of CenturyLink's 50 global data centers with its Management & Operations (M&O) Stamp of Approval. Additional certifications are ongoing.

CenturyLink is ISO 27001-certified in multiple data centers

ISO 27001:2013

CenturyLink has also received certification of the ISO/IEC 27001:2013 Information Security Management System (ISMS) Standard for five of its data centers.

PCI Compliance

PCI DSS 3.0

PCI is the security certification that applies to any organization or merchant that accepts, transmits or stores credit cardholder data. CenturyLink offers a variety of PCI DSS-compliant solutions and is a listed service provider on the VISA PCI Compliance Directory.

Regulations

Federal Trade Commission enforces COPPA. CenturyLink helps with compliance

COPPA

CenturyLink enables its customers to comply with the Children’s Online Privacy Protection Act (COPPA) Rule requirements. The Federal Trade Commission (FTC), the United States national consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records and affords parents the right to protect their children's privacy and the accuracy of education records. CenturyLink can assist with FERPA compliance by providing any combination of IT services: Cloud, Managed Services and Colocation.

CenturyLink IaaS meets HIPAA compliance requirements

HIPAA

Covered entities and their business associates who are required to comply with the U.S. Health Insurance Portability and Accountability Act (HIPAA) can leverage CenturyLink to process, maintain, and store individually identifiable health information or protected health information (PHI).

CenturyLink can assist with APP compliance.

Australian Privacy Principles

Australian Privacy Principles (APPs) regulate the handling of personal information by both Australian government agencies and businesses. CenturyLink encourages customers to understand the APPs, how their business activities comply with these principles, and how to effectively select and use CenturyLink services in those efforts. As a service provider, CenturyLink has focused on a few key APPs.

International Standards

CenturyLink Cloud has self-assessed via the STAR CAIQ

CSA STAR

The CSA Security, Trust and Assurance Registry (STAR) is a comprehensive set of offerings for cloud provider trust and assurance. CenturyLink Cloud has completed and submitted the STAR Consensus Assessments Initiative Questionnaire (CAIQ).

CenturyLink adheres to BDSG's security requirements for personal data

German Federal Data Protection

The Bundesdatenschutzgesetz, or BDSG, is Germany’s Federal Data Protection Act. CenturyLink ensures that the required technical and organizational measures for protecting personal data against misuse and loss are adhered to, in accordance with the requirements of the BDSG.

ENISA Compliant and Secure Hosting

ENISA

The European Union Agency for Network and Information Security (ENISA) is a center of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. CenturyLink can assist customers in complying with ENISA requirements.

Secure and compliant hosting services to meet requirements of the EU Data Protection Directive 95/46/EC.

EU Directive 95/46/EC

To assist customers in meeting EU Directive requirements, CenturyLink will agree to the Model Clauses, subject to a review process to vet the services in consideration for compliance, and prepare the Appendix that describes the security controls we agree to have in place.

TRUSTe Privacy Certification

TRUSTe Privacy Seal

CenturyLink Cloud has been awarded TRUSTe's Privacy Seal, signifying that our Privacy Policy and practices have been reviewed for compliance with TRUSTe’s Program Requirements, including transparency, accountability and choice regarding the collection and use of your Personal Information.

CenturyLink is Safe Harbor Certified for personal information

US – EU Safe Harbor

CenturyLink is Safe Harbor Certified and adheres to the principles administered by the US Department of Commerce in consultation with the European Commission and the Federal Data Protection and Information Commissioner of Switzerland with respect to personal information.

Shared Responsibility for Security & Compliance

Cloud security relies on a "Shared Responsibility" model, with clear demarcations for where the obligations lie with the infrastructure provider versus the customer. CenturyLink's obligation is limited to securing the underlying infrastructure of the cloud, whereas the customer is responsible for securing their own cloud servers, applications, and systems that are deployed on our infrastructure. Customers can accomplish this by implementing their own technologies, or they may deploy tools that we and our partners provide.

Whether you're simply using our CenturyLink public cloud Infrastructure as a Service (IaaS) or building out a full Hybrid IT solution with CenturyLink, we will assist in identifying the right combination of IT services to meet your security and compliance needs. The level of responsibility depends to some degree on the services employed and level of management subscribed to. CenturyLink can help you navigate the complexities of ensuring your organization understands its obligations under the Shared Responsibility model.

Partners

Alert Logic, a leader in cloud security and compliance solutions, provides Security-as-a-Service for cloud and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Alert Logic has integrated their Threat Manager and their Web Security Manager technologies with the CenturyLink Cloud platform, publishing these virtual appliances as CenturyLink Cloud Partner Templates.

Vormetric provides enterprise encryption and key management services that enable corporations to protect their data. Vormetric’s Data Security Manager (DSM) addresses industry compliance mandates and government regulations globally by securing data in physical, virtual and cloud infrastructures, through Data Encryption, Key Management, Access Policies, Privileged User Control, and Security Intelligence. Vormetric’s technology is integrated with the CenturyLink Cloud platform and available for deployment via Blueprint or Partner Template.

Cavirin offers a security and compliance solution expressly designed for both cloud environments and physical data centers. Cavirin delivers continuous audit and operational compliance to the cloud, with technology expressly designed to measure and monitor risk associated with a range of compliance guidelines (PCI, HIPAA, ISO, NIST, SOC 2, CIS, and/or DISA STIGs). Integrated with CenturyLink Cloud as a Partner Template, Cavirin helps customers address the business challenge of compliance and regulatory governance.

Related Products

Intrusion Prevention System

Monitors virtual machines; logs, blocks or stops any identified vulnerability and reports it based on the IPS policy.

Firewall

Connect networks within a particular data center through the use of configurable firewall policies, and create firewall policies that connect different data centers.

Private Cloud

Our cloud stack, isolated and dedicated to you. Deploy in over 55 CenturyLink locations around the world.

Security & Compliance

CenturyLink Cloud provides advanced cloud security and compliance that protects enterprise systems and data.

Disaster Recovery

Affordable protection for your on-premises data & production VMs. Avoid the enormous costs of IT downtime and data loss with SafeHaven for CenturyLink Cloud.