F5 Compliance

Australia Information Security Registered Assessors Program (IRAP)

The Information Security Registered Assessors Program (IRAP) enables Australian Government customers to validate that  vendors comply with the requirements of the Australian Government Information Security Manual (ISM) produced by the Australian Cyber Security Centre (ACSC).  

F5 Distributed Cloud Services have been assessed by an independent IRAP assessor against applicable ISM controls. The objective of this assessment was achieved as it was determined that the security controls implemented for the Distributed Cloud Platform are considered effective for storing, processing, and communicating information up to the PROTECTED classification level. 

Protecting Australian government data from unauthorized access and disclosure remains a prime consideration when procuring and leveraging cloud services. F5 recognizes that customers rely upon the secure delivery of F5 services and the importance of having features that enable them to create secure environments. F5 enables customers to meet these objectives by prioritizing security in the delivery of its services, through the establishment of a robust control environment, and by making available for use a wide range of security services and features. For more information, contact an F5 Account Manager who can share F5’s IRAP report.

Cloud Computing Compliance Criteria Catalogue (C5)

The Cloud Computing Compliance Criteria Catalogue (C5) is published by Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) and specifies minimum requirements for secure cloud computing. There is substantial overlap between C5 and ISO/IEC 27001 and SOC-2 Type II security controls.

F5 is currently undergoing an assessment of the design and operating effectiveness of   C5 controls. This certification will include an external auditor’s opinion that F5 Distributed Cloud, Bot Defense and Silverline services have properly implemented an internal control system which conforms to C5 criteria. This C5 report will be available to share with customers under NDA in late May 2024.

California Consumer Privacy Act (CCPA)

Similar to Europe's General Data Protection Regulation (GDPR), though with several key differences, California's data privacy act is a governmental framework designed to help safeguard consumers' sensitive personal information. As the digital landscape has evolved over the past decade, the tech sector's notion of consumer rights have expanded - particularly when it comes to sensitive data. With a number of highly-public sensitive data breaches in recent years, personal information - from Social Security Numbers to payment card data - needs to be safeguarded more vigorously than ever before. California's data privacy act, known as CCPA, is an effort to do just that. It's a governmental framework designed to help make sure organizations are properly protecting their customers' sensitive personal data.

F5 has been adhering to strict standards for our users’ data even before CCPA went into effect. We minimize our collection of personal data and only use personal data for the purpose for which it was collected. We have committed that we would keep personal information private, so we have never sold or rented our users’ personal information to anyone. We give people the ability to access, correct, or delete their personal information; and consistent with our role as a data processor, give our customers control over the information captured by our products.

Digital Operating Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that creates a binding, comprehensive Information and Communication Technology (ICT) risk management framework for the EU financial sector. DORA applies to all Financial Institutions and ICT service providers (collectively, FIs) in the EU. FIs have until January 17, 2025 to comply with DORA before enforcement starts. 

F5’s Distributed Cloud (XC) Platform helps FIs comply with DORA. Services such as XC DDoS Mitigation, XC WAF, XC API Security, and XC Bot Defense help FIs detect, log, and mitigate cyber threats and anomalous activities on their web and mobile applications as well as their data and network infrastructure. The Distributed Cloud Platform also enables FIs to monitor, audit, and report on their ICT risk management activities and comply with DORA’s governance and oversight requirements. By leveraging F5 Distributed Cloud Platform, FIs can achieve operational resilience, protect their customers and reputation, and avoid regulatory sanctions in the face of increasing cyber threats and ICT disruptions. 

Digital Services Act (DSA)

The EU Regulation 2022/2065, better known as the Digital Services Act, imposes a number of requirements on “intermediary services.” The Act defines three classes of intermediary services: “mere conduit,” “caching,” and “hosting.” All intermediary services are required to comply with orders from relevant authorities to remove or disable access to illegal content, designate a representative in the EU, and publish information on the terms and conditions for the service. Greater obligations are imposed on hosting services, particularly “online platforms” and “very large online platforms.”

With the exception of F5 Distributed Cloud CDN, which is a “caching” service, all of F5’s commercial services act as a “mere conduit.” F5 has designated NGINX, 3/F, 89/90 South Mall, Cork, Ireland T12 RPP0 as its representative in the European Union for the purposes of the DSA. The terms and conditions for use of our services are detailed in our Acceptable Use Policy

Digital Markets Act (DMA)

The EU Regulation 2022/1925, better known as the Digital Markets Act, is designed to ensure fair competition in the digital sector. To this end, companies designated by the European Commission as “gatekeepers” have special obligations over and above the general competition rules to interoperate with third-party services and prevent “lock-in.”

F5 has not been designated a gatekeeper by the European Commission and does not anticipate being so designated in the foreseeable future. While F5 does provide a “core platform service” with our cloud computing offerings, we do not meet the revenue and user thresholds to be considered a gatekeeper, nor do we enjoy an “entrenched and durable position” in the market for cloud computing services.  As such, the heightened obligations of a gatekeeper under the DMA do not apply to F5.

Distributed Cloud Bot Defense

Data generated or collected by Distributed Cloud Bot Defense is persistently stored in one of the following locations, selected by each customer: the United States, Canada, the EU. For 24/7 Security Operations Center (“SOC”) support, data is queried from F5’s Global SOC locations, which include at least Poland, United States, Canada, Mexico, India, and Singapore. For a complete list and more information, please refer to the Data Residency and Processing Reference.

Distributed Cloud WAF, API Security, and CDN

Data generated or collected by these services are stored in France for 30 days and an encrypted backup is stored in Germany for up to one year for BC/DR purposes. For 24/7 Security Operations Center (“SOC”) support, data is queried from F5’s Global SOC locations, which include at least Poland, United States, Canada, Mexico, India, and Singapore. For a complete list and more information, please refer to the Data Residency and Processing Reference.

General Data Protection Regulation (GDPR) and Data Protection Framework

The General Data Protection Regulation (GDPR) is a European Union law that applies to all organizations, regardless of location, that process the personal data of people in the European Economic Area (EEA; the 27 member states of the EU plus Iceland, Norway, and Liechtenstein) in the context of offering them goods or services or monitoring their behavior. Under the GDPR, organizations are required to identify a legal basis for processing personal data, give notice to individuals on what data is collected and how it will be used, honor requests from individuals to access, correct, or delete information about them, employ appropriate security controls to protect personal data from unauthorized access, notify individuals and authorities of data breaches, appoint a Data Protection Officer, and consider privacy at the beginning of an activity, rather than as an afterthought. The GDPR also restricts the transfer of personal data out of the EEA unless safeguards are in place to ensure essentially equivalent protection in the receiving jurisdiction.

F5 complies with the GDPR, as detailed in our Privacy Notice.  F5 operates  services as a processor to its Distributed Cloud Platform customers who are controllers (or as a subprocessor to a customer who is a processor). Accordingly, F5 complies with Article 28 for each of our Distributed Cloud offerings. F5 is a participant in the EU-US Data Privacy Framework, which the European Commission has determined provides adequate protection for transfers to participating companies in the United States, and utilizes the Standard Contractual Clauses to protect personal data transferred to global SOC locations for purposes of support. Furthermore, F5 has a robust privacy and security program to ensure customers can meet their obligations under the GDPR. Contact a sales representative to request a copy of F5’s annually issued SOC 2 Type II report, which is available under NDA and includes a table mapping its controls to requirements under the GDPR.

Health Insurance Portability and Accountability Act (HIPAA)

The Security and Data Breach Notification Rules adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect the confidentiality and integrity of protected health information (PHI) when held by healthcare providers, insurers, and healthcare clearinghouses (covered entities), as well as companies that provide services to covered entities, known as business associates.

While F5 does not store or process health-related data on behalf of our customers, it is possible that some data we hold could constitute PHI, such as the association between a user with a particular IP address and an F5 customer that is a covered entity. To ensure compliance, we implement security controls that exceed those required by the Security Rule (and our compliance has been assessed by external auditors in our SOC 2 Type 2 Report), we have designated our Chief Information Security Officer as the HIPAA Security Official, and we have executed business associate agreements (BAAs) with our vendors who may hold this data. We also have a standard BAA for contracting with customers that is available upon request.

ISO 27001, ISO 27017, ISO 27018

F5 Distributed Cloud Services are ISO 27001 Certified with an extension of ISO 27017 and ISO 27018 

Global Support is ISO 27001 certified only

ISO 27001 is an international standard to manage information security. It is the world's best-known standard for information security management systems (ISMS). The ISO 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the organization, and that this system respects all the best practices and principles enshrined in this International Standard.

ISO 27001 promotes a holistic approach to information security by vetting people, policies, and technology. An information security management system implemented according to this standard ensures risk management, cyber-resilience, and operational excellence.

ISO 27001 is the only auditable international standard that defines the requirements of an ISMS that must be met. 

ISO 27001 is made up of –

93 Controls broken into 4 domains:

  • Organizational
  • People
  • Physical
  • Technological        

ISO 27017 is a Code of Practice for Information Security Controls based on ISO 27001 for Cloud Services and is an information security framework for organizations using cloud services. Cloud service providers need to comply with this standard because it keeps their cloud service customers (and others) safer by providing a consistent and comprehensive approach to information security.

ISO 27017 includes 37 controls based off the ISO 27002 guidelines.

ISO 27018 is a Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting is PII Processors. This standard outlines best practices for public cloud service providers (CSPs) on how to better protect personally identifiable information (PII) that it processes.

ISO 27018 includes 16 Controls based off 27002 as well as 25 new privacy and security controls.

Payment Card Industry Data Security Standard (PCI DSS)

F5 Distributed Cloud Services are PCI-DSS Compliant as a Level 1 Service Provider 

The Payment Card Industry Data Security Standard (PCI DSS) encourages and enhances payment card account data security and facilitates a broader adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). This includes all entities involved in payment card account processing — including merchants, processors, acquirers, issuers, and other service providers.

Compliance with PCI DSS also ensures that businesses adhere to industry best practices when processing, storing, and transmitting credit card data. In turn, PCI DSS compliance fosters trust among customers and stakeholders.

PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks. The below table lists the PCI DSS requirements at a high level, F5 qualifies as Level 1 Service Provider and while it does not process, store, or transmit CHD/SAD; it could impact the security of the cardholder data environment (CDE) of our customers.


PCI DSS Security Standard - High Level Overview



Build and Maintain a Secure Network and Systems

1. Install and Maintain Network Security Controls

2. Apply Secure Configurations to all System Components.


Protect Account Data

3. Protect Stored Account Data.

4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program

5. Protect All Systems and Networks from Malicious Software.

6. Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures

7. Restrict Access to System Components and Cardholder Data by Business Need to Know.

8. Identify Users and Authenticate Access to System Components.

9. Restrict Physical Access to Cardholder Data.

Regularly Monitor and Test Networks

10. Log and Monitor All Access to System Components and Cardholder Data.

11. Test Security of Systems and Networks Regularly.

Maintain an Information Security Policy

12. Support Information Security with Organizational Policies and Programs.



Source: Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0



F5 complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada's federal privacy law for private sector organizations. F5 respects the rights of individuals to access, correct, and delete their personal information, as well as the principles of consent, accountability, and security. F5 only collects, uses, and discloses personal information for the purposes identified in our Privacy Notice and services agreements, and as permitted by PIPEDA. F5 has implemented reasonable safeguards to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. Contact a sales representative to request a copy of F5’s annually issued SOC 2 Type II report, which is available under NDA, for descriptions of those safeguards.

SOC 2 Type II

F5 Distributed Cloud Services are SOC2 Type II Compliant

A SOC 2 Type II report is a Service Organization Control (SOC) report that focuses on the American Institute of Certified Public Accountants (AICPA) trust principles. It generally examines a service provider’s internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. These reports can play an important role in providing oversight of an organization, vendor management programs, and regulatory oversight. A type 2 report covers both the suitability of an organization's controls and its operating effectiveness over a period of time.

At F5, the SOC 2 Type II report helps meet the needs of our customers who need detailed information and assurance about the controls at F5. It offers evidence to our customers that we are implementing the security controls that we say we do and that those controls are working as intended. Without eyes and ears across the cloud, it is difficult to assess how secure the information is in the hands of third-party vendors and a SOC 2 Type II report offers this peace of mind.

Of the five trust principles that an organization can choose to follow, SDC is certified for the security, availability, and confidentiality of the information processed by our systems.

Each trust principle lists control objectives which the organization decides how it wants to meet these control objectives. SOC 2 trust principles are modeled around:

  • Policies
  • Communications
  • Procedures
  • Monitoring

Additional Resources

F5 Privacy Notices

Learn how F5 handles the data we collect and work to keep it safe and private.

View privacy notices ›

Data Residency and Processing Reference

Find out where F5 data is processed and stored and view our list of subprocessors.

Learn more about data residency ›