Compliance
OutSystems undergoes regular verification of its security and compliance controls, enabling you to fulfill your policies and keep your data private.
Meet your requirements using OutSystems.
Security and Compliance Overview
To learn more about the OutSystems security and compliance posture and to access it, refer to our Security and Compliance Overview page.

SOC 2 Compliance
OutSystems provides a SOC 2 compliant cloud offer. Service Organization Controls (SOC) reports demonstrate our commitment to securing your data. The AICPA defines their purpose as follows:
“A Software-as-a-Service (SaaS) or Cloud Service Organization that offers virtualized computing environments or services for user entities and wishes to assure its customers that the service organization maintains the confidentiality of its customers’ information in a secure manner and that the information will be available when it is needed.”
Our SOC 2 report is available to customers under NDA and can be accessed by contacting your account manager.
Quality, Information Security, and Business Continuity
The OutSystems mission is to help our customers innovate faster. OutSystems works toward this mission by ensuring that the OutSystems platform consistently delivers benefits to customers. Our purpose is to protect all forms of information with improved resilience, thereby creating lasting relationships that guarantee customer success. To that end, OutSystems has implemented an Integrated Management System for Quality, Information Security, and Business Continuity, in the scope of OutSystems Support services, in its offices located in Portugal, Japan, and Malaysia.

ISO Certifications
ISO 27001 is the international standard for information security management. ISO 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and help achieve preferred supplier status, which helps to win new business.
ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. It demonstrates OutSystems' ongoing commitment to globally recognized best practices to make cloud services as safe and secure as the rest of the data included in our certified information management system.
Health Insurance Portability and Accountability Act (HIPAA)
OutSystems Sentry has been attested to comply with the HIPAA security requirements. The United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides data privacy and security provisions for safeguarding medical information.
After executing a Business Associate Agreement, customers can securely process and store electronic protected health information (ePHI) in the OutSystems Sentry Cloud.


Cloud Security Alliance (CSA)
Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
As part of our commitment to security best practices in cloud computing, OutSystems is a member of the CSA. In addition, we have completed the CSA STAR Self-Assessment and published the results to their website.
Center for Internet Security (CIS) SecureSuite® Member
Membership in CIS’ SecureSuite gives OutSystems access to numerous assessment tools and compliance benchmarking and reporting capabilities to help ensure that we are building the most up-to-date security protections into our platform. CIS membership also lets us track our internal information and communications technologies, and our customers’ cloud-based systems’ compliance over time, which helps us respond to changes in benchmark recommendations or compliance updates quickly, for a more agile cybersecurity posture.


PCI Data Security Standard SAQ D Service Provider
PCI DSS SAQ D was developed to provide a streamlined set of requirements for merchants and service providers that process cardholder data and online payments, allowing them to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS) in a comprehensive yet efficient manner.
The OutSystems PCI DSS SAQ D Attestation of Compliance, issued by a PCI Qualified Security Assessor, demonstrates to our customers, the card brands, and other relevant parties that OutSystems as a service provider has taken the appropriate security measures to protect cardholder data and ensure a secure environment is consistently maintained throughout all payment processing operations, in use cases where the merchant's cardholder data functions are outsourced to validated third parties.
TISAX Assessments
On behalf of the VDA, the ENX Association supports the common acceptance of Information Security Assessments in the automotive industry through TISAX (Trusted Information Security Assessment Exchange). The TISAX Assessments are conducted by audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public.
For OutSystems, the confidentiality, availability, and integrity of information have great value. We have taken extensive measures to protect sensitive information. Therefore, we follow the information security question catalogue of the German Association of the Automotive Industry (VDA ISA). The Assessment (Assessment-ID AZ2NY1-1) was conducted by an independent TISAX audit provider, covering our OutSystems Cloud Sentry offer (Scope-ID SLF9L6). The result is available through the ENX Portal.

Privacy and Data Protection
OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud.
- We carefully control employee access to your data and applications based on the task being performed.
- Customers can choose the region for their data to comply with data residency regulations.
- You can access your own customer data at any time with your own tools during your OutSystems Cloud subscription. If you end your OutSystems Cloud subscription, established standards and processes govern how we remove your customer data.
"OutSystems has an extensive track record meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense. We are constantly looking for ways to strengthen the trust relationship with our customers through increased transparency and security controls."
José Casinha
OutSystems CISO