Faced with increasing pressures from global regulations, organizations are challenged to balance compliance and competitive innovation. Appian Cloud makes it easy with a comprehensive security and compliance program.
The Air Force is committed to modernizing our legacy business systems in a cost-effective manner… implementing extensible, scalable cloud technologies like the business process management capabilities provided by industry partners like Appian.
Richard T. Aldridge
Program Executive Officer for Business and Enterprise Systems and a member of the Senior Executive Service, U.S. Air Force.
SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to applicable Trust Services Principles and Criteria which include security, availability, processing integrity, confidentiality and privacy trust principles.
A Type II reports on the fairness of presentation of management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over a period of time, not just a point in time.
The SOC 2 Type II report provides a detailed review, by an independent audit firm, of Appian Cloud’s security, availability, and confidentiality controls.
Appian Cloud’s SOC 3 report is publicly available and provides a summary of the Appian Cloud SOC 2 report. The SOC 3 provides assurance about Appian Cloud’s security, availability, and confidentiality controls in alignment with the AICPA’s Trust Services Principles. This includes an external auditor opinion on the effectiveness of operation of controls.
The Payment Card Industry (PCI) Security Standards Council offers standards to enhance payment card data security. The PCI Data Security Standard (PCI DSS) provides a framework for developing a robust payment card data security process; including prevention, detection, and appropriate handling of security incidents. Customers can leverage Appian Cloud’s PCI-DSS certification to reduce their own PCI compliance complexity after agreeing to the Appian Cloud PCI-DSS terms.
Appian Cloud has been assessed by an external independent auditor and is compliant with PCI DSS.
The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the security and privacy of Protected Health Information (PHI).
Appian Cloud is compliant with the HIPAA security requirements. With HIPAA compliance, customers can securely process and store protected health information (PHI) in Appian Cloud after executing a Business Associate Agreement.
The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Being FedRAMP Compliant means a cloud system has an established and highly secure environment that has withstood comprehensive audit review before federal agencies are authorized to engage the system.
Appian Cloud is FedRAMP compliant and has received an Agency Authorization to Operate (ATO) at the Moderate level.
By achieving FedRAMP compliance, Appian Cloud has been deemed a viable solution to provide significant time and cost savings, improved security risk management, and enhanced program transparency for mission-critical federal operations. This authorization can be re-used by other Federal agencies to save both time and staff over working with non-FedRAMP systems.
FedRAMP+ is the United States Department of Defense’s (DoD) adaptation of the FedRAMP process, where they independently approve cloud-based systems for DoD use.
Appian Cloud currently has a DoD Provisional Authorization (PA) rated at Level 2 Impact Level. For additional information on DoD Cloud Security Impact Levels please visit the DoD Cloud Security portal.
DoD customers can leverage Appian Cloud’s PA when assessing and authorizing their system to operate on Appian Cloud.
Using FedRAMP as a foundation, the U.S. Department of Defense (DoD) defined additional requirements in their DoD Cloud Computing Security Requirements Guide (SRG). The authorization program is managed by the Defense Information Systems Agency (DISA).
Federal agencies requiring low-code applications that meet the stricter security standards of IL4, which includes Controlled Unclassified Information (CUI), can deploy the Appian platform as a Smartronix managed service. At IL4, an Appian application can be used to manage and store information, including export controls, privacy information (including PII), and protected health information (PHI).
For additional information on DoD Cloud Security Impact Levels please visit the
The Federal Information Security Management Act (FISMA), enacted in 2002 and amended in 2014, provides a comprehensive framework for ensuring the effectiveness of information security controls for United States federal government IT systems. Together the Office of Management and Budget (OMB), Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST) have put a program in place to set the standards and oversee compliance.
Appian Cloud has a security framework with a robust security control structure in place that enables federal organizations to achieve Authorization to Operate (ATO).
Pharmaceutical and Life Sciences companies are required by law to meet Validation and Good Practice Standards (GxP) when building systems that touch or implicate predicate records. These include records and processes associated with Clinical Trials, Laboratory work, Quality Assurance, Regulatory Information Management, Manufacturing, and Electronic Health Records.
Appian Cloud has undergone an independent assessment performed by life science industry experts to evaluate Appian Cloud’s controls and their alignment to GxP computer system validation requirements and standards.
Customers can leverage this independent assessment report to supplement and support their GxP compliance and diligence efforts.
The Food and Drug Administration (FDA) introduced 21 CFR Part 11 as a requirement for commercial life science companies that maintain FDA-required records and signatures in electronic format to meet specific standards and comply with good clinical, laboratory, and manufacturing practices. The primary goals of this regulation are to ensure data integrity; that changes made to the system are documented, reasoned, and non-repudiated; computer systems used are trustworthy; and applications are validated to intended use.
Appian Cloud supports the necessary capabilities and technology to allow customers to build applications that are compliant with 21 CFR Part 11.
G-Cloud 10 is a digital marketplace that enables the UK public sector to find people and technology for projects across the government. The G-Cloud Framework is made possible by the Crown Commercial Service (CCS) which is focused on providing commercial services to the public sector and saving money for the taxpayer. They are able to do this by combining policy, offering advice, pre-vetting quality offerings and allowing organizations to conduct direct buying.
The Crown Commercial Service (CCS) works with both departments and organisations across the whole of the public sector to ensure maximum value is extracted from every commercial relationship and improve the quality of service delivery.
Appian Cloud is compliant with the G-Cloud Framework. Appian Cloud’s G-Cloud certification can be found in the gov.uk Digital Marketplace.
The Rehabilitation Act of 1973, Section 508, requires that Federal agencies’ electronic and information technology is accessible to people with disabilities.
The Voluntary Product Accessibility Template (VPAT) is a tool used to document a product’s conformance with the accessibility standards under Section 508 of the Rehabilitation Act.
Appian has completed the VPAT and the Appian product is compliant with Section 508.
Service Organization Controls (SOC) reports (formerly SAS 70 reports) are designed to help information systems operators and providers build trust and confidence in their service processes and controls.
Appian publishes a SOC 1 Type II report and an International Standards for Assurance Engagements (ISAE) 3402 report. Performed by an independent Certified Public Accountant, this audit engagement examines a service organization’s internal controls over a period of time that could impact the financial reporting of a customer that utilizes the services under audit. These reports are often important components of customer evaluations of their internal controls over financial reporting for purposes of supporting customers’ financial statement audit and compliance needs.
A Type II engagement provides an opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period, rather than just for a point in time.
The Cloud Security Alliance’s (CSA) Security, Trust and Assurance Registry (STAR) Program provides a comprehensive framework for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world. The STAR program allows cloud providers to assess their controls against the CSA Cloud Controls Matrix.
Appian Cloud is registered in the CSA Security, Trust and Assurance Registry, having completed the Consensus Assessments Initiative Questionnaire (CAIQ) covering 133 controls across 16 domains.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
The privacy shield frameworks replaced the U.S – EU Safe Harbor framework in 2016 ( EU) and 2017 (Swiss). Additional detail on these frameworks can be found at privacyshield.gov.
Appian is compliant with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Appian’s Privacy Shield certification can be viewed on the Privacy Shield List.
Qualys SSL Labs provides deep analysis of the security configuration of web servers on the Internet, specifically the SSL/TLS configuration. Appian Cloud’s web-tier is rated as an A+ by SSL Labs.
Organizations rely on prescriptive guidance from the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)for managing security requirements inherent in HIPAA.
To protect highly sensitive information, healthcare organizations—including health insurance companies, hospitals, medical practices and SaaS providers—require a HITRUST CSF (Common Security Framework) certified infrastructure.
HITRUST CSF uses nationally and internationally accepted standards including ISO, NIST, PCI, and HIPAA to ensure a comprehensive set of baseline security controls.
An international standard for information security and risk management, ISO/IEC 27001:2013 protects organizations in all industries and sectors across the globe.
The ISO 27001:2013 standard call for organizations to implement an appropriate Information Security Management System (ISMS), which ensures management, operational, and technical security controls are operating effectively.
By becoming certified in ISO 27001:2013, Appian Cloud demonstrates it has reached a high level of security maturity. With a goal of providing the most robust security possible, Appian has put controls in place to manage or eliminate security risks, enabling customers to trust that their confidential data is protected.