System and Organization Controls (SOC) and Statement on Standards for Attestation Engagements (SSAE) are related to audits of service organizations. They are standards established by the American Institute of Certified Public Accountants (AICPA).
SOC is a suite of reports produced during an audit. These reports examine the controls at a service organization related to various types of subject matter; at Esri, we focus on security, availability, processing integrity, confidentiality, and privacy. There are different types of SOC reports: SOC 1, SOC 2, and SOC 3, each serving a different purpose and using different methodologies.
Esri in-scope Services
ArcGIS Online CSPs
ArcGIS Online does not perform a separate SOC audit since it is FedRAMP Authorized, which is considered to meet equivalent or better security controls than SOC 2. ArcGIS Online is hosted within the cloud service providers (CSPs) Microsoft Azure and Amazon Web Services, both of which have SOC certifications that can be obtained directly from the CSPs below:
Microsoft Azure SOC Reports:
- SOC 3 Report (Public)
- SOC 1 and SOC 2 Reports (Free/Protected)
Amazon Web Services SOC Reports:
- SOC 3 Report (Public)
- SOC 1 and SOC 2 Reports (Free/Protected)
EMCS Advanced
The Esri Managed Cloud Services (EMCS) Advanced service offering from Esri Professional Services completes SOC 2 and SOC 3 reports, which are issued under SSAE 18 guidance as developed by the AICPA. The EMCS Advanced offering is available to non-federal customers who require a hosted, single-tenant option for ArcGIS Enterprise that meets the industry-standard SOC 2 Type 2 security requirements for Security, Confidentiality, and Availability.
Note:
EMCS reports are NOT applicable to ArcGIS Online, as EMCS is a separate, single-tenant service offering:
- EMCS SOC 2 Type 2 Report (NDA required) - to obtain the SOC 2 Type 2 report please contact your account manager
- EMCS SOC 3 report (Public Trust Center document)
- Send EMCS SOC report requests to your account manager
My Esri
Customers use the My Esri portal to manage customer account information and download Esri software products upon purchase (My Esri does NOT store data owned by the customer). Once signed in to My Esri, customers can review orders, renew ArcGIS maintenance and subscriptions, generate product licenses, download installation media, request technical support, and review training history.
Note:
Esri's corporate SOC 2 for My Esri does NOT apply to where customer data is stored within Esri products and services (they are fully segmented from each other and have different levels of assurance; see product- and service-specific guidance for details).
- To obtain a My Esri SOC 2 Report please contact your account manager. (NDA required)
Customer Support Data
Esri Support ensures customer privacy and data security. Customer data is rarely necessary to diagnose and resolve issues with Esri products. Therefore, Esri only stores customer data if it is crucial in troubleshooting. If deemed necessary, we collaborate with customers to obtain and protect their data in a SOC 2 compliant system. For customers outside the United States, customer support data is managed by the corresponding distributor and stored within their region of the world. For example, if the customer is located within the European Union (EU) region of the world, they get direct support in the EU.
Note:
Esri's corporate SOC 2 for Customer Support Data does NOT apply to where customer data is stored within Esri products and services (they are fully segmented from each other and have different levels of assurance; see product- and service-specific guidance for details).
- To obtain a Customer Support Data SOC 2 Report please contact your account manager. (NDA required)