Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
2409 A.3.6 Are critical processes and entities reassessed annually? Yes Enterprise Risk Management Risk Assessments A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4163 A.4.2 Do the risk metrics include Performance benchmarks? No Enterprise Risk Management Risk Reporting A. Risk Management
4646 A.4.3 Do the risk metrics include Key Risk Indicators? Yes Enterprise Risk Management Risk Reporting A. Risk Management
4165 A.4.5 Do the risk metrics include Policy Compliance? Yes Enterprise Risk Management Risk Reporting A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4166 A.4.6 Do the risk metrics include Control Effectiveness? Yes Enterprise Risk Management Risk Reporting A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the program include the definition of a third party risk Subcontractor Selection and
4651 A.5.1.5 assessment process? Yes Third Party Risk Management Management Process A. Risk Management
Does the program include consistently applied tools, Subcontractor Selection and
4652 A.5.1.6 measurements and criteria to evaluate third party risk? Yes Third Party Risk Management Management Process A. Risk Management
Does the program include definition and a process for ongoing Subcontractor Selection and
4653 A.5.1.7 monitoring and review of third party risk? Yes Third Party Risk Management Management Process A. Risk Management
Are subcontractors evaluated for reassessment when there are Cloudflare audits its critical and high risk Subcontractor Selection and
4168 A.5.1.8.1 material changes to risk posture, service offerings or contracts? Yes vendors once per year. Third Party Risk Management Management Process A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the subcontractor third party risk management program Subcontractor Selection and
3904 A.5.1.10 include vendor reputational review? Yes Third Party Risk Management Management Process A. Risk Management
Does the subcontractor third party risk management program Subcontractor Selection and
3911 A.5.1.14 include oversight and governance of program adherence? Yes Third Party Risk Management Management Process A. Risk Management
Does the subcontractor third party risk management program Subcontractor Selection and
3910 A.5.1.15 include defined procedures for subcontractor management? Yes Third Party Risk Management Management Process A. Risk Management
Does the subcontractor third party risk management program Subcontractors' Third Party Risk
3900 A.5.1.15.1 include review of subcontractors' third party risk program? Yes Third Party Risk Management Management A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the third party risk management program require the Subcontractors' Third Party Risk
5646 A.5.1.15.4 ability and right to audit subcontractor controls? Yes Third Party Risk Management Management A. Risk Management
Does the third party risk program require subcontractors to Subcontractors' Third Party Risk
5648 A.5.1.15.6 notify if there are changes affecting services rendered? Yes Third Party Risk Management Management A. Risk Management
Are background checks performed periodically, at least as Background checks are only conducted Service Provider Background
3525 A.5.1.15.7.2 frequently as required by regulations? No upon hire. Third Party Risk Management Checks A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Do contracts with all subcontractors include ownership of This is included in the DPA, which is in-
2506 A.5.2.2 information, trade secrets and intellectual property? Yes place with all sub-processors. Third Party Risk Management Service Provider Agreements A. Risk Management
78 A.5.2.7 Do contracts with all subcontractors include Right to audit? Yes Third Party Risk Management Service Provider Agreements A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
76 A.5.2.12 Do contracts with all subcontractors include audit reporting? Yes Third Party Risk Management Service Provider Agreements A. Risk Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
3896 A.5.3.4.2 Does remediation reporting include reporting frequency? Yes Third Party Risk Management Issue Management A. Risk Management
Does remediation reporting include a process to identify and
log subcontractor information security, privacy and/or data
3901 A.5.3.4.3 breach issues? Yes Third Party Risk Management Issue Management A. Risk Management
Are policies and standards based on industry accepted Information Security Policy Information Security Policy
2482 B.1.1 standards and practices? Yes Management Management B. Security Policy
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Is there a management-approved process for handling Information Security Policy Information Security Policy
4414 B.1.2 deviations and exceptions? Yes Management Management B. Security Policy
Have all policies been assigned to an owner responsible for Information Security Policy Information Security Policy
4173 B.1.5 review and approve periodically? Yes Management Management B. Security Policy
Do owners review and update policies if significant changes Information Security Policy Information Security Policy
4174 B.1.5.1 occur in legal, business, organizational, or technical conditions? Yes Management Management B. Security Policy
Have all information security policies and standards been Information Security Policy Information Security Policy
2471 B.1.6 reviewed in the last 12 months? Yes Management Management B. Security Policy
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Organizational Information
4419 C.1.8 Do the processes include local and site-specific responsibilities? Yes Security Organization Security Responsibilities C. Organizational Security
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are information security personnel responsible for the Information Security Personnel
61 C.4.2 creation, and review of information security policies? Yes Security Organization Responsibilities C. Organizational Security
Are information security personnel responsible for the review Information Security Personnel
63 C.4.6 and/or monitoring information security incidents or events? Yes Security Organization Responsibilities C. Organizational Security
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Information security personnel are
supported by Cloudflare if they wish to
receive or maintain a professional security
certification but this is not viewed as
Do information security personnel maintain professional required for all information security Information Security Personnel
220 C.5.2 security certifications? Yes personnel. Security Organization Qualifications C. Organizational Security
Do all projects involving scoped systems and data go through Project Information Security
4420 C.6 some form of information security assessment? Yes Security Oversight Assessment C. Organizational Security
4180 D.8 Is regulated or confidential scoped data stored electronically? Yes Encryption Scoping D. Asset and Info Management
4184 D.8.2 Is regulated or confidential scoped data stored in a database? Yes Encryption Database Encryption D. Asset and Info Management
Does regulated or confidential Scoped data stored in a Cloudflare utilizes full disk encryption and
4187 D.8.2.1.1 database include column/Field Encryption? No not field/column level encryption. Encryption Database Encryption D. Asset and Info Management
Does regulated or confidential scoped data stored in a Cloudflare utilizes full disk encryption and
4188 D.8.2.1.2 database include tablespace Encryption? No not field/column level encryption. Encryption Database Encryption D. Asset and Info Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4181 D.8.3 Is regulated or confidential scoped data stored in files? No Encryption File/Folder Encryption D. Asset and Info Management
Does regulated or confidential scoped data stored in files Cloudflare utilizes full disk encryption and
4182 D.8.3.1 include file/folder-level encryption enabled? No not field/column level encryption. Encryption File/Folder Encryption D. Asset and Info Management
1806 D.8.4 Are encryption keys managed and maintained for scoped data? Yes Encryption Key Management D. Asset and Info Management
1815 D.8.4.2 Are encryption keys encrypted at rest and when transmitted? Yes Encryption Key Management D. Asset and Info Management
Is there segregation of duties between personnel responsible Employees responsible for key
for key management duties and those responsible for normal management duties also have normal
1902 D.8.4.3 operational duties? Yes operational duties. Encryption Key Management D. Asset and Info Management
4437 D.8.4.4 Is the use of keys by personnel logged? Yes Encryption Key Management D. Asset and Info Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
1814 D.8.4.6 Is there a centralized key management system (KMS)? Yes Encryption Key Management D. Asset and Info Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
3548 D.8.6 Are constituents able to view client's unencrypted Data? No Encryption Constituent Access D. Asset and Info Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does Constituent background screening criteria include Credit Only in the US where there is Employee Background Investigation Policy
155 E.1.1.2 checks? No Credit check (if in Finance). Human Resource Policy Content E. Human Resource Security
Does Constituent background screening criteria include Drug Background Investigation Policy
176 E.1.1.6 Screening? No Human Resource Policy Content E. Human Resource Security
183 E.1.2 Are constituents required to sign employment agreements? Yes Human Resource Policy Agreements for Constituents E. Human Resource Security
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the security awareness training program include security Security Awareness Training
214 E.1.3.1 policies, procedures and processes? Yes Human Resource Policy Program E. Human Resource Security
Does the security awareness training program include Security Awareness Training
4550 E.1.3.2 techniques to recognize phishing attempts? Yes Human Resource Policy Program E. Human Resource Security
Does the security awareness training program include an Security Awareness Training
2536 E.1.3.3 explanation of constituents' security roles and responsibilities? Yes Human Resource Policy Program E. Human Resource Security
Does the security awareness training program include a Security Awareness Training
215 E.1.3.4 competency test? Yes Human Resource Policy Program E. Human Resource Security
Does the security awareness training program include new hire Security Awareness Training
3302 E.1.3.5 and annual participation? Yes Human Resource Policy Program E. Human Resource Security
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
26 F.1.1 Does the physical security program include a clean desk policy? Yes Physical Security Program Secured Facility Controls F. Physical and Environmental
Are there physical security controls for all secured facilities e.g.,
4714 F.1.2 data centers, office buildings? Yes Physical Security Program Secured Facility Controls F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
360 F.1.2.7 Do the physical security controls include external lighting? Yes Physical Security Program Secured Facility Controls F. Physical and Environmental
364 F.1.2.8 Do the physical security controls include lighting on all doors? Yes Physical Security Program Secured Facility Controls F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are there physical access controls that include restricted access Secured Facility Controls -
381 F.1.2.14 and logs kept of all access? Yes Physical Security Program Access F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Do physical access controls include access reviews at least Secured Facility Controls -
384 F.1.2.14.4 every six months? Yes Physical Security Program Access F. Physical and Environmental
Do physical access controls require reporting of lost or stolen Secured Facility Controls -
390 F.1.2.14.5 access cards/keys? Yes Physical Security Program Access F. Physical and Environmental
Environmental Controls -
566 F.1.3.4 Do environmental controls include fluid sensors? Yes Physical Security Program Computer Hardware F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Environmental Controls -
3298 F.1.3.6 Do environmental controls include heat detectors? Yes Physical Security Program Computer Hardware F. Physical and Environmental
Environmental Controls -
569 F.1.3.7 Do environmental controls include smoke detectors? Yes Physical Security Program Computer Hardware F. Physical and Environmental
Environmental Controls -
3303 F.1.3.8 Do environmental controls include fire suppression? Yes Physical Security Program Computer Hardware F. Physical and Environmental
All data centers have this in place; not all Environmental Controls -
3289 F.1.3.9 Do environmental controls include multiple power feeds? Yes physical offices. Physical Security Program Computer Hardware F. Physical and Environmental
396 F.2 Are visitors permitted in the facility? Yes Physical Security Program Visitor Management F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
397 F.2.1 Are visitors required to sign in and out? Yes Physical Security Program Visitor Management F. Physical and Environmental
399 F.2.3 Are visitors required to be escorted through secure areas? Yes Physical Security Program Visitor Management F. Physical and Environmental
495 F.3.2 Is there a security guard or digital CCTV at each point of entry? Yes Loading Dock Controls Secure Workspace Perimeter F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Environmental Controls -
513 F.3.3 Are there smoke detectors in all loading docks? Yes Loading Dock Controls Computer Hardware F. Physical and Environmental
Environmental Controls -
514 F.3.4 Are there fire alarms in all loading docks? Yes Loading Dock Controls Computer Hardware F. Physical and Environmental
Environmental Controls -
516 F.3.5 Are fire suppression systems located in all loading docks? Yes Loading Dock Controls Computer Hardware F. Physical and Environmental
Is there Digital CCTV in all loading docks and is the video stored
508 F.3.6 for at least 90 days? Yes Loading Dock Controls Video Monitoring F. Physical and Environmental
Is access restricted to loading docks and are logs kept of all Secure Workspace Access
3203 F.3.7 access? Yes Loading Dock Controls Reporting F. Physical and Environmental
Environmental Controls -
543 F.4.1 Does the battery/UPS room include Hydrogen sensors? Yes Battery/UPS Room Controls Computer Hardware F. Physical and Environmental
Environmental Controls -
570 F.4.2 Does the battery/UPS room include a fire alarm? Yes Battery/UPS Room Controls Computer Hardware F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Environmental Controls -
3204 F.4.3 Does the battery/UPS room include fire suppression? Yes Battery/UPS Room Controls Computer Hardware F. Physical and Environmental
Does the battery/UPS room include Digital CCTV and is the Between 30-90 days of stroage for
560 F.4.4 video stored for at least 90 days? Yes CCTV/Video. Battery/UPS Room Controls Video Monitoring F. Physical and Environmental
Does the battery/UPS room include restricted access and are Physical Security Controls -
546 F.4.5 logs kept of all access? Yes Battery/UPS Room Controls Scoped Data F. Physical and Environmental
Does the generator or generator area include a fuel supply Environmental Controls -
627 F.5.1 readily available? Yes Power Generator Controls Computer Hardware F. Physical and Environmental
Does the generator or generator area include a power supply Environmental Controls -
628 F.5.2 for at least 48 hours? Yes Power Generator Controls Computer Hardware F. Physical and Environmental
Does the generator or generator area include Restricted access Secure Workspace Access
629 F.5.3 and are logs kept of all access? Yes Power Generator Controls Reporting F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Is access restricted to the mailroom and are logs kept of all Secure Workspace Access
660 F.6.1 access? N/A Mailroom Controls Reporting F. Physical and Environmental
Is access to the media library restricted and are logs kept of all Secure Workspace Access
694 F.7.1 access? N/A Media Library Controls Reporting F. Physical and Environmental
Does the media library include Digital CCTV with video stored
3292 F.7.2 at least 90 days? N/A Media Library Controls Video Monitoring F. Physical and Environmental
Does the telecom equipment room include Digital CCTV with Telecom Equipment Room
781 F.8.1 video stored at least 90 days? N/A Controls Video Monitoring F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Is access to the telecom equipment room restricted and are Telecom Equipment Room Secure Workspace Access
786 F.8.2 logs kept of all access? N/A Controls Reporting F. Physical and Environmental
Are your devices located in a locked server cabinet within the Information Technology Device Physical Security Controls -
457 F.9 data center? Yes Physical Security Scoped Data F. Physical and Environmental
Do server cabinets include restricted access and are logs kept Information Technology Device Physical Security Controls -
479 F.9.1 of all access? Yes Physical Security Scoped Data F. Physical and Environmental
Do server cabinets include Digital CCTV and video stored at Information Technology Device
474 F.9.2 least 90 days? Yes Physical Security Video Monitoring F. Physical and Environmental
351 F.10.1 Do other tenants use the data center? Yes Data Center Controls Secure Workspace Perimeter F. Physical and Environmental
Is there a procedure for equipment removal from the data Physical Security Controls -
491 F.10.3 center? Yes Data Center Controls Scoped Data F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are there active maintenance contracts for all physical Security Maintenance Contracts for
528 F.10.4.2 systems? Yes Data Center Controls Critical Equipment F. Physical and Environmental
Are there active maintenance contracts for all monitored fire Maintenance Contracts for
531 F.10.4.5 alarms? Yes Data Center Controls Critical Equipment F. Physical and Environmental
Are there active maintenance contracts for all fire suppression Maintenance Contracts for
532 F.10.4.6 systems? Yes Data Center Controls Critical Equipment F. Physical and Environmental
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are operating procedures documented, maintained, and made Operational Procedures and
2583 G.1.1 available to all users? Yes Responsibilities IT Operational Procedures G. IT Operations Management
Cloudflare does not currently benchmark
its IT management processes against an
industry standard/benchmark. However,
Is the maturity of IT management processes formally evaluated Cloudflare undergoes external audits for
at least annually using an established benchmark e.g., COBIT the following: SOC 2 Type 2, ISO 27001
3633 G.2 maturity models? No and ISO 27701. IT Governance Maturity Benchmarking G. IT Operations Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the Change Control process include a formal process to Customers are notified if change is known
ensure clients are notified prior to changes being made which to impact customers; however, process Operational Procedures and
3401 G.3.10.2 may impact their service? Yes requires refinement. Responsibilities Change Control G. IT Operations Management
Does the Change Control process include a scheduled Operational Procedures and
3406 G.3.10.3 maintenance window? Yes Responsibilities Change Control G. IT Operations Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the Change Control process include a scheduled No planned client downtime during Operational Procedures and
3412 G.3.10.3.1 maintenance window which results in client downtime? No service windows Responsibilities Change Control G. IT Operations Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Is testing for validation of all implemented controls required for Operational Procedures and
4209 G.4.5 new, upgraded or enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Are business continuity requirements considered for new, Operational Procedures and
2879 G.4.6 upgraded or enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Are system resources monitored to ensure adequate capacity is Operational Procedures and
2595 G.4.8 maintained for new, upgraded or enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are error recovery and restart procedures required for new, Operational Procedures and
2875 G.4.11 upgraded or enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Are preparation and testing of operating procedures required Operational Procedures and
2876 G.4.12 for new, upgraded or enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Are effective manual procedures required for new, upgraded or Operational Procedures and
2878 G.4.13 enhanced systems? Yes Responsibilities System Acceptance Criteria G. IT Operations Management
Do systems and network devices utilize a common time Operational Procedures and
1272 G.5 synchronization service? Yes Responsibilities Time Synchronization G. IT Operations Management
Do you have a problem management life cycle process for Organizational Procedures and
5827 G.6 tracking, reviewing, and solving issues in a timely manner? Yes Responsibilities Problem Management G. IT Operations Management
Does your organization have a customer contact and Organizational Procedures and
5828 G.7 communication process? Yes Responsibilities Customer Communications G. IT Operations Management
Do service level agreements include specific requirements for Organizational Procedures and
5829 G.8 customer contact and communication procedures? Yes Responsibilities Customer Communications G. IT Operations Management
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Cloudflare provisions access based on the
principles of least privilege and need to
know. Additional access must be
requested via our internal ticketing
system and it requires both a legitimate
Are Corrective controls in place to prevent access to client
business reason and manager approval.
3546 H.2.6 scoped data? Please explain. No Access Control Constituent Access H. Access Control
Logging and Monitoring Policy requires
Customers utilize the administrative
logging of activities in critical systems. We
dashboard (dash.cloudflare.com) to
perform quarterly access reviews for
manage their account. This includes
privileged access.
granting/rovoking access, changing
settings, viewing logs and other
Are clients allowed to manage access to their own systems and
administrative functions. Cloudflare is
4722 H.3 data? Yes Access Control Client Access Control H. Access Control
responsible for the management of the
systems/hardware that delivers services.
Is there a set of rules governing the way IDs are created and
4723 H.5 assigned? Yes Access Provisioning Identity Management H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
1939 H.6 Is access to systems that store or process scoped data limited? Yes Authentication Access Restrictions H. Access Control
Is access to systems that store or process scoped data limited Cloudflare does not currently employ time
1940 H.6.1 by time of day? No of day restrictions for its systems. Authentication Access Restrictions H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4408 H.7 Are passwords used? Yes Authentication Password Policy H. Access Control
Does the password policy apply to all Web and File Transfer
Services? If no, please explain in the Additional Information
4224 H.7.1.4 field. Yes Authentication Password Policy H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4726 H.7.2.2 Are client passwords of up to at least 64 characters permitted? Yes Authentication Password Policy - Complexity H. Access Control
Does the password policy define requirements for provisioning Password Policy - Provisioning
4727 H.7.3 and resetting passwords? Yes Authentication and Reset H. Access Control
Does the password policy require initial and temporary Password Policy - Provisioning
4230 H.7.3.1 passwords to be changed upon next login? Yes Authentication and Reset H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the password policy require initial and temporary Password Policy - Provisioning
4231 H.7.3.2 passwords to be random and complex? Yes Authentication and Reset H. Access Control
Does password policy require a password history of at least 12 Password Policy - Provisioning
4229 H.7.3.3 iterations before reuse? Yes Authentication and Reset H. Access Control
Does password policy require a minimum age before a Password Policy - Provisioning
1570 H.7.3.5 password can be reset? Yes Authentication and Reset H. Access Control
Cloudflare does not use recovery hints or
questions but does send reset links to the
email that is registerd to the account.
Are password hints or password recovery questions used for Additional verification of identity is
client or Constituent passwords? If yes, please describe in the required if the user does not have access Password Policy - Provisioning
4728 H.7.3.6 Additional Information field. No to their email address. Authentication and Reset H. Access Control
Clooudflare requires complex passwords
and the use of two factor authentication
for its personnel. Passwords are not
compared against a list of compromised
Are all new passwords tested against a list that contains values passwords. However, certain passwords Password Policy - Provisioning
4729 H.7.3.7 known to be commonly used, expected or compromised? Yes not permitted. Authentication and Reset H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Does the password policy require keeping passwords Password Policy - Password
2661 H.7.5 confidential? Yes Authentication Security H. Access Control
Does the password policy prohibit users from sharing Password Policy - Password
1974 H.7.5.1 passwords? Yes Authentication Security H. Access Control
Does the password policy prohibit keeping an unencrypted Password Policy - Password
2662 H.7.5.2 record of passwords (paper, software file or handheld device)? Yes Authentication Security H. Access Control
Does the password policy require passwords to be encrypted in Password Policy - Password
4233 H.7.5.4 transit? Yes Authentication Security H. Access Control
Does the password policy require passwords to be encrypted or Password Policy - Password
4234 H.7.5.5 hashed in storage? Yes Authentication Security H. Access Control
Does the password policy require passwords be masked when Password Policy - Password
4235 H.7.5.6 entered and displayed by default? Yes Authentication Security H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Are password files and application data stored in different file Password Policy - Password
2008 H.7.5.7 systems? Yes Authentication Security H. Access Control
Are user IDs and passwords communicated/distributed via User IDs are set/communicated by email. Password Policy - Password
3212 H.7.5.8 separate media e.g., e-mail and phone? N/A Passwords are set by individual users. Authentication Security H. Access Control
Does the password policy require system configuration to lock Password Policy - Password
4236 H.7.5.10 an account when five or more invalid login attempts are made? Yes Authentication Security H. Access Control
1910 H.8 Is Multi-factor Authentication deployed? Yes Authentication Multi-Factor Authentication H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4730 H.8.3 Is Multi-Factor Authentication available for client accounts? Yes Authentication Multi-Factor Authentication H. Access Control
4732 H.10 Are documented log-on banner requirements maintained? Yes Authentication Log-On Banners H. Access Control
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
4741 | H.10.3.8 | Do log-on banners state that users are accessing a U.S. Government information system? | N/A | Cloudflare does not have access to government systems. | Authentication | Log-On Banners | H. Access Control
4742 | H.11 | Is there a process for reviewing access? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
3207 | H.11.1 | Are user access rights reviewed periodically? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
4444 | H.11.1.1 | Are user access rights reviewed at least quarterly? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
3208 | H.11.1.2 | Are privileged user access rights reviewed periodically? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
4445 | H.11.1.2.1 | Are privileged user access rights reviewed at least quarterly? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
2654 | H.11.2 | Are access rights reviewed when a constituent's role changes? | Yes | | Access Reviews | Entitlement Reviews | H. Access Control
3205 | H.12.1 | Are inactive constituent user IDs disabled within 90 days? | Yes | | Access Reviews | Inactivity Controls | H. Access Control
4442 | H.12.1.1 | Are inactive constituent user IDs deleted within 120 days? | Yes | | Access Reviews | Inactivity Controls | H. Access Control
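Two of the rows above state numeric thresholds rather than policy alone: H.7.5.10 (lock an account at five or more invalid login attempts) and H.12.1 / H.12.1.1 (disable inactive user IDs within 90 days, delete them within 120). The following is an added example, not Cloudflare's code and not part of the questionnaire, showing how a reviewer would apply both thresholds to an authentication log to verify the controls fired. The log format, the 15-minute failure window (the row names no window), the user names and the evaluation time are assumptions made for this example.

```python
"""Access-control threshold checks over a constructed authentication log.

Added example, not Cloudflare's code and not part of the questionnaire. It applies
the thresholds stated in rows H.7.5.10 (lock an account at five or more invalid
login attempts) and H.12.1 / H.12.1.1 (disable inactive user IDs within 90 days,
delete them within 120). The log format, the 15-minute failure window, the user
names and the evaluation time are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOCKOUT_THRESHOLD = 5                    # H.7.5.10: "five or more invalid login attempts"
LOCKOUT_WINDOW = timedelta(minutes=15)   # assumption: the row states no window
DISABLE_AFTER = timedelta(days=90)       # H.12.1
DELETE_AFTER = timedelta(days=120)       # H.12.1.1


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ok: bool


def parse_events(lines):
    """Parse constructed '<ISO-8601 timestamp> <user> SUCCESS|FAILURE' lines, oldest first."""
    events = []
    for line in lines:
        if line.strip():
            ts, user, result = line.split()
            events.append(AuthEvent(datetime.fromisoformat(ts), user, result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return {user: time the lock should have engaged} for each user whose run of
    consecutive failures reached `threshold` inside `window`. A success resets
    the run, and so does a run whose first failure is older than `window`."""
    runs = defaultdict(list)   # user -> timestamps of the current failure run
    locked = {}
    for ev in events:
        run = runs[ev.user]
        if ev.ok:
            run.clear()
            continue
        if run and ev.ts - run[0] > window:
            run.clear()
        run.append(ev.ts)
        if len(run) >= threshold and ev.user not in locked:
            locked[ev.user] = ev.ts
    return locked


def last_successful_login(events):
    """Most recent successful login per user; users with no success are absent."""
    seen = {}
    for ev in events:          # sorted oldest first, so the last write wins
        if ev.ok:
            seen[ev.user] = ev.ts
    return seen


def inactivity_actions(last_seen, now, disable_after=DISABLE_AFTER, delete_after=DELETE_AFTER):
    """Map each user to the action the inactivity control requires at `now`."""
    actions = {}
    for user, ts in last_seen.items():
        idle = now - ts
        if idle >= delete_after:
            actions[user] = "delete"
        elif idle >= disable_after:
            actions[user] = "disable"
        else:
            actions[user] = "ok"
    return actions


# Constructed sample log, not real data. alice trips the threshold; bob's success
# resets his run; eve's five failures straddle the window; carol and dave are idle.
SAMPLE_LOG = """\
2024-03-01T09:00:00+00:00 alice FAILURE
2024-03-01T09:00:05+00:00 alice FAILURE
2024-03-01T09:00:09+00:00 alice FAILURE
2024-03-01T09:00:12+00:00 alice FAILURE
2024-03-01T09:00:20+00:00 alice FAILURE
2024-03-01T09:30:00+00:00 bob FAILURE
2024-03-01T09:31:00+00:00 bob FAILURE
2024-03-01T09:32:00+00:00 bob SUCCESS
2024-03-01T09:33:00+00:00 bob FAILURE
2024-03-01T09:34:00+00:00 bob FAILURE
2024-03-01T09:35:00+00:00 bob FAILURE
2024-03-01T10:00:00+00:00 eve FAILURE
2024-03-01T10:01:00+00:00 eve FAILURE
2024-03-01T10:02:00+00:00 eve FAILURE
2024-03-01T10:20:00+00:00 eve FAILURE
2024-03-01T10:21:00+00:00 eve FAILURE
2023-10-01T08:00:00+00:00 carol SUCCESS
2023-11-20T08:00:00+00:00 dave SUCCESS
""".splitlines()

NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)   # assumed evaluation time


def run_policy_checks(lines=SAMPLE_LOG, now=NOW):
    """Apply both controls; lock times are returned as ISO strings for easy inspection."""
    events = parse_events(lines)
    locks = {u: t.isoformat() for u, t in lockouts(events).items()}
    return {"locked": locks, "inactivity": inactivity_actions(last_successful_login(events), now)}
```

Run `run_policy_checks()` against the constructed log: only alice reaches five consecutive failures inside the window, bob's successful login resets his counter, and eve's five failures do not count because a gap of more than 15 minutes splits the run. For inactivity, dave (103 days idle) falls in the disable band and carol (153 days) in the delete band. Accounts that never logged in successfully are absent from the inactivity result, which is itself a finding worth reporting when reviewing a real export.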
5833 | H.15 | Does your organization have a process for end users to acknowledge and accept remote desktop support prior to another user taking control of their system? | N/A | Cloudflare IT does not utilize remote desktop tools to take over its personnel machines. | Access Provisioning | Access Acceptance | H. Access Control
3945 | I.1.1 | Is there an individual or group responsible for Application Security? | Yes | | Application Security Roles and Responsibilities | Application Security Responsibility | I. Application Security
3958 | I.1.2.1 | Do application security experts work with developers for every application? | Yes | | Application Security Roles and Responsibilities | Secure DevOps | I. Application Security
3960 | I.1.2.2.1 | Do all outside development resources comply with the SDLC (Software Development Life Cycle)? | N/A | Cloudflare does not currently outsource development. | Application Security Roles and Responsibilities | External Developers | I. Application Security
4744 | I.1.2.2.2 | Is there a process to require supervision and monitoring of the activity of outsourced system development? | N/A | Cloudflare does not currently outsource development. | Application Security Roles and Responsibilities | External Developers | I. Application Security
2164 | I.1.3 | Do changes to applications or application code go through a risk assessment? | Yes | | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security
3946 | I.1.3.1 | Is a security architecture risk analysis performed when new applications are designed? | Yes | | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security
3948 | I.1.3.3 | Do security architecture risk analyses of applications include a security architecture design review for high risk applications? | Yes | | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security
3950 | I.1.3.5 | Are security architecture risk analyses of applications reviewed when major changes are introduced into applications? | Yes | | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security
3944 | I.1.4 | Are the risks from internal and external sources clearly understood based on risk exposure? | Yes | | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security
2970 | I.1.13 | Are system, vendor, or service accounts disallowed for normal operations and monitored for usage? | Yes | | Secure Architectural Design Standards | Service Account Management | I. Application Security
2081 | I.1.14 | Are web applications configured to follow best practices or security guidelines (e.g., OWASP)? | Yes | | Secure Architectural Design Standards | Web Security Standards | I. Application Security
2182 | I.1.16 | Are development, test, and staging environments separate from the production environment? | Yes | | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security
849 | I.1.16.1 | Are development, test, and staging environments separated from the production environment logically? | Yes | | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security
850 | I.1.16.2 | Are development, test, and staging environments separated from the production environment physically? | Yes | | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security
847 | I.1.17 | Do applications have separate source code repositories for production and non-production environments? | Yes | | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security
2683 | I.1.19.1 | Are audit logs maintained and reviewed for all application source library updates? | Yes | | Secure Architectural Design Standards | Application Source Library Access Control | I. Application Security
1909 | I.1.20.1 | Are developers permitted to access systems and applications based on established profiles that define responsibilities or job functions? | Yes | Access is only granted to personnel who have a legitimate business justification as well as manager approval. | Secure Architectural Design Standards | Developer Access Control | I. Application Security
2169 | I.1.21 | Are Scoped systems and data used in the test, development, or QA environments? | No | Customer Account Information is not used outside of production. | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
2672 | I.1.21.1 | Is authorization required when production data is copied to the test environment? | N/A | Customer Account Information is not used outside of production. | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
2674 | I.1.21.5 | Are access control procedures the same for both the test and production environment? | N/A | Customer Account Information is not used outside of production. | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
2058 | I.2 | Is application development performed? | Yes | | SDLC | Scoping | I. Application Security
4451 | I.2.1.2 | Does the SDLC process include peer code review? | Yes | | SDLC | SDLC | I. Application Security
3962 | I.2.4 | Are applications evaluated from a security perspective prior to promotion to production? | Yes | | SDLC | Application Security QA_UAT Process | I. Application Security
3987 | I.2.5 | Is code obtained from external sources reviewed for security flaws and backdoors prior to use in production? | Yes | | SDLC | Reviews of Code Obtained from External Sources | I. Application Security
4119 | I.2.5.1 | Is code obtained from external sources identified in application documentation as external code? | Yes | | SDLC | Reviews of Code Obtained from External Sources | I. Application Security
4120 | I.2.5.2 | Is code obtained from external sources reviewed for new versions at least every 6 months? | Yes | | SDLC | Reviews of Code Obtained from External Sources | I. Application Security
4121 | I.2.5.3 | Is any code obtained from external sources open source? | Yes | | SDLC | Open Source Software Security | I. Application Security
3936 | I.2.6 | Is a Secure Code Review performed regularly? | Yes | | SDLC | Secure Code Review | I. Application Security
3966 | I.2.6.6 | Do Secure Code Reviews include dynamic scanning against web-based applications while in the Q/A phase? | No | Cloudflare does not yet perform dynamic scans. | SDLC | Secure Code Review | I. Application Security
3955 | I.2.6.10 | Is an automated secure source code review conducted? | Yes | | SDLC | Secure Code Review | I. Application Security
4245 | I.3.2.4 | Is HTTPS enabled for all web pages? | Yes | | Web Server Security | Web Encryption Security | I. Application Security
4246 | I.3.2.4.1 | Is either TLS 1.2 or 1.3 used for encrypting all web pages? | Yes | Cloudflare internally uses TLS 1.2 or 1.3. Customers are responsible for configuring the TLS level used across their web properties using the Cloudflare Dashboard (Crypto Tab), which includes the option to use less secure TLS versions. This is offered to provide flexibility to our broad customer base; however, we recommend that customers use the highest level of TLS they can support. | Web Server Security | Web Encryption Security | I. Application Security
4248 | I.3.2.5 | Are all unnecessary/unused services in web server software uninstalled or disabled? | Yes | | Web Server Security | Administrative and File Sharing Service Security | I. Application Security
4251 | I.3.2.8 | Is a dedicated virtual directory structure used for each website? | N/A | Cloudflare is not hosting websites on behalf of customers. | Web Server Security | Web Server Hardening | I. Application Security
4253 | I.3.2.10 | Are all web server software files maintained separate from the Operating System? | Yes | | Web Server Security | Web Server Hardening | I. Application Security
4254 | I.3.2.11 | Are available high-risk web server software security patches applied and verified at least monthly? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4255 | I.3.2.12 | Are all web server software patching exceptions documented and approved by information security or senior management? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4256 | I.3.2.12.1 | Are web server software patches, service packs, and hot fixes tested prior to installation? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4257 | I.3.2.12.2 | Are web server software vulnerabilities evaluated and prioritized? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4260 | I.3.2.12.4 | Are third party alert services used to keep up to date with the latest web server software vulnerabilities? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4261 | I.3.2.12.5 | Are web server software versions that no longer have security patches released prohibited? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4262 | I.3.2.13 | Are web server software configuration options restricted to authorized users? | Yes | | Web Server Security | Web Server Configuration Management | I. Application Security
4265 | I.3.2.14.1 | Are web server software events relevant to supporting incident investigation retained for a minimum of one year? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4266 | I.3.2.14.2 | Are system notifications generated in the event the system fails to write a web server software event to an audit log? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4267 | I.3.2.14.3 | Are events relevant to supporting incident investigation stored on alternate systems? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4278 | I.3.5 | Is a Web Application Firewall (WAF) enabled on web servers? | Yes | | Web Server Security | Web Application Firewall | I. Application Security
3495 | I.3.6.2 | Are APIs tested for security weaknesses? | Yes | | API Security | API Security | I. Application Security
3496 | I.3.6.2.1 | Does API security testing include Data scoping? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3497 | I.3.6.2.2 | Does API security testing include XSS? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3498 | I.3.6.2.3 | Does API security testing include SQL injection? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3499 | I.3.6.2.4 | Does API security testing include Session abuse? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3500 | I.3.6.2.5 | Does API security testing include Replay attack? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3501 | I.3.6.2.6 | Does API security testing include DoS? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3502 | I.3.6.2.7 | Does API security testing include Data Leakage? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3510 | I.3.6.4 | Is there a self-service kill switch available to clients to disable an API in the event of a security incident (e.g., DoS)? | Yes | Customers can revoke API tokens if they suspect these are being misused. | API Security | API Kill Switch | I. Application Security
3826 | I.4 | Are mobile applications that access scoped systems and data developed? | No | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Scoping | I. Application Security
3829 | I.4.1 | Are any actions performed by the mobile application to access, process, transmit or locally store scoped systems and data? | N/A | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Scoping | I. Application Security
4102 | I.4.2 | Is dynamic code analysis performed on mobile applications (including fuzzing)? | N/A | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Secure Code Analysis | I. Application Security
2241 | J.1 | Is there an established Incident Management Program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? | Yes | The Security Incident Response Plan is approved by management, posted on the company Intranet, and is owned and maintained by Information Security. | Cybersecurity Incident Management | Governance | J. Incident Event & Comm Mgmt
2276 | J.1.1 | Is an Incident/Event Response team available 24x7x365? | Yes | Cloudflare's Customer Support Team and SRE Teams operate on a follow-the-sun model, ensuring that there is always someone on call in the event of an incident or customer issue. The Security Incident Response Team (SIRT) is also available 24/7/365 to respond to incidents, and is comprised of top level management and experienced engineers. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4455 | J.1.2 | Does the Incident Management Program include an individual program owner? | Yes | Incident Management is owned by the Head of Engineering. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4745 | J.1.4 | Does documentation exist defining which personnel are authorized to speak with the public during adverse events? | Yes | External communications are limited to approved representatives of the company. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4746 | J.1.5 | Does documentation exist defining which personnel are assigned to repair reputational damage and communicate with external stakeholders after adverse events? | Yes | External communications are limited to approved representatives of the company by company policy. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4747 | J.1.6 | Are the Incident Response Plan and changes to the plan distributed to defined stakeholders and organizations? | Yes | The Security Incident Response Plan is posted on the company Intranet. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4458 | J.1.8 | Does the Incident Management Program include results of program audits and reviews, including those of key customers? | Yes | Feedback and observations from audits are included in continuous improvement. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
2251 | J.2.1 | Does the Incident Response Plan include guidance for containment? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2256 | J.2.2 | Does the Incident Response Plan include guidance for remediation? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2250 | J.2.3 | Does the Incident Response Plan include guidance for notification of stakeholders? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2253 | J.2.4 | Does the Incident Response Plan include guidance for status tracking? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2254 | J.2.5 | Does the Incident Response Plan include guidance for repair procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2255 | J.2.6 | Does the Incident Response Plan include guidance for recovery procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
3234 | J.2.9 | Does the Incident Response Plan include guidance for privacy incidents? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2699 | J.2.10 | Does the Incident Response Plan include guidance for escalation procedure? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2704 | J.2.14 | Does the Incident Response Plan include actions to be taken in the event of an information security event? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2705 | J.2.15 | Does the Incident Response Plan include a formal disciplinary process for dealing with those who commit a security breach? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4239 | J.2.17 | Does the Incident Response Plan require notifying the client when unauthorized access to scoped systems and data is confirmed? | Yes | Notification is subject to Cloudflare's incident management policy and any contractual obligations. | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4748 | J.2.17.1 | Do the Incident Response Plan notification procedures include any customer/client-specific notification requirements? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4749 | J.2.17.2 | Do Incident Response Plan notification procedures require notifying any required government, self-regulatory, or other supervisory bodies within 72 hours from the determination that a Cybersecurity Event with a reasonable likelihood of materially harming any material part of normal business operations has occurred? | No | Cloudflare will notify relevant parties (government entities and customers) according to appropriate laws and regulations. Customers will | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2708 | J.2.19 | Does the Incident Response Plan include annual testing of the procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4754 | J.2.24 | Is the Incident Response Plan protected from unauthorized disclosure and modification? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2709 | J.3 | Is the scope of the Incident Management Program defined? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2710 | J.3.1 | Does the Incident Response Plan include loss of service incident procedures (equipment or facility)? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2711 | J.3.2 | Does the Incident Response Plan include system malfunction or overload incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2712 | J.3.3 | Does the Incident Response Plan include human error incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2713 | J.3.4 | Does the Incident Response Plan include non-compliance with policy or guidelines incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2714 | J.3.5 | Does the Incident Response Plan include breach of physical security arrangement incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2715 | J.3.6 | Does the Incident Response Plan include uncontrolled system change incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2272 | J.3.8 | Does the Incident Response Plan include access violation incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2265 | J.3.9 | Does the Incident Response Plan include physical asset loss or theft incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2266 | J.3.10 | Does the Incident Response Plan include unauthorized physical access incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2259 | J.3.11 | Does the Incident Response Plan include information system failure or loss of service incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2260 | J.3.12 | Does the Incident Response Plan include denial of service incident procedures? | Yes | Cloudflare's DDoS mitigation product is applied to internal services as well. | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2707 | J.3.13 | Does the Incident Response Plan include errors resulting from incomplete or inaccurate business data incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2262 | J.3.14 | Does the Incident Response Plan include breach or loss of confidentiality incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2261 | J.3.15 | Does the Incident Response Plan include system exploit incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2267 | J.3.16 | Does the Incident Response Plan include unauthorized logical access or use of system resources incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
4281 | J.4.1 | Is there an email address or web form available for clients to report security incidents? | Yes | support@cloudflare.com | Cybersecurity Incident Management | Incident Response Communications | J. Incident Event & Comm Mgmt
4466 | J.5.6 | Does regular security monitoring include Network IDS events? | Yes | | Security Event Monitoring | Incident Detection - NIDS | J. Incident Event & Comm Mgmt
4467 | J.5.7 | Does regular security monitoring include behavioral activity indicating botnet traffic? | Yes | | Security Event Monitoring | Incident Detection - Botnet Traffic | J. Incident Event & Comm Mgmt
4337 | J.5.8 | Does regular security monitoring include network device security events? | Yes | | Security Event Monitoring | Incident Detection - Network Devices | J. Incident Event & Comm Mgmt
3596 | J.6 | Is 24x7x365 security monitoring of the hosting environment performed? | Yes | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
3597 | J.6.1 | Does security event monitoring include inbound traffic from the Internet to the Client environment? | Yes | Cloudflare monitors traffic to customer web properties which are using our service. Only those requests which go through Cloudflare will be monitored (i.e. not requests related to customer properties not on Cloudflare). | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
3598 | J.6.2 | Does security event monitoring include outbound traffic from the Internet to the Client environment? | No | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
4553 | J.6.3 | Does security event monitoring include outbound traffic from the Client environment to the Internet? | Yes | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
3599 | J.6.4 | Does security event monitoring include traffic from the Service Provider administrative environment to the Client environment? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
3600 | J.6.5 | Does security event monitoring include traffic from the Client environment to the Service Provider administrative environment? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
3601 | J.6.6 | Does security event monitoring include monitoring between each Tenant's Client environments? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/Cloud Environments | J. Incident Event & Comm Mgmt
4014 | K.1.1 | Does the Business Resiliency Program include an individual program owner with full responsibility and accountability? | Yes | | Business Resilience Governance Program | Resilience Program Governance | K. Business Resiliency
4021 | K.1.3.4 | Does the Business Resiliency Program's annual review include results of exercising and testing? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4023 | K.1.3.5 | Does the Business Resiliency Program's annual review include lessons learned and actions arising from disruptive incidents? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
5855 | K.1.3.6 | Does the Business Resiliency Program's annual review include results of training and awareness efforts? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4028 | K.1.4.1 | Does business resiliency documentation include controls to ensure its availability when and where it is needed? | Yes | | Business Resilience Governance Program | Business Resilience Documentation | K. Business Resiliency
2329 | K.2 | Has a business impact analysis been conducted? | Yes | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
4042 | K.4 | Are specific response and recovery strategies defined for the prioritized business activities? | Yes | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4044 | K.4.1 | Are specific response and recovery strategies defined for loss and unavailability of critical personnel (40% or more)? | Yes | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4045 | K.4.2 | Are specific response and recovery strategies defined for loss or unavailability of critical data? | Yes | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4054 | K.6 | Has senior management assigned the responsibility for the overall management of critical response and recovery efforts? | Yes | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2289 | K.6.2 | Does the overall management of critical response and recovery include conditions for activating the plan(s), and the associated roles and responsibilities? | Yes | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2294 | K.6.3 | Does the overall management of critical response and recovery include roles and responsibilities for those who invoke and execute response and recovery plans? | Yes | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2303 | K.6.4 | Does the overall management of critical response include multiple mechanisms to communicate with personnel? | Yes | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
5786 | K.6.5 | Does the overall management of critical response include multiple mechanisms to communicate with customers/clients? | Yes | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2286 | K.7 | Is there a periodic (at least annual) review of your business resiliency procedures? | Yes | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4055 | K.7.1 | Does periodic review of business resiliency procedures include updates to the procedures as necessary after the review? | Yes | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4057 | K.7.3 | Does periodic review of business resiliency procedures include changes in organizational structure and personnel changes? | Yes | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4058 | K.7.4 | Does periodic review of business resiliency procedures include emerging threats and identified new risks? | Yes | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4059 | K.7.5 | Does periodic review of business resiliency procedures include warning and communication procedures and capabilities? | Yes | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
2729 | K.8 | Are there any dependencies on critical third party service providers? | Yes | Please see the full list of Cloudflare sub-processors on our website, which includes country/location and activity performed: https://www.cloudflare.com/gdpr/subprocessors/ Whether or not a sub-processor is used will depend on the product being utilized. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3632 | K.8.2 | Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests? | Yes | Cloudflare includes suppliers in our BCP and DRP, but does not conduct joint tests with these entities. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3635 | K.8.2.2 | Do business resiliency test scenarios contain fail-over across critical vendors? | No | Cloudflare does not currently conduct tests with its sub-processors. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5793 | K.8.7 | Are there at least two network paths to all critical vendors? | Yes | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5795 | K.8.11 | Are test results and remediation action plans provided by third parties after each test? | No | Cloudflare does not collect BCP test results from all of its sub-processors. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5796 | K.8.12 | Are clients/customers permitted to actively participate in third party planned tests? | No | Cloudflare does not allow customers to participate in its tests. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5799 | K.8.13.2 | Is third party performance against the service level requirements measured and monitored with remediation actions taken to address under performance? | Yes | Individual teams are responsible for monitoring their vendor's performance against Cloudflare internal requirements. | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5875 | K.9.1 | Is the disaster recovery location more than 100 miles from the production data center? | Yes | | Disaster Recovery Governance | Disaster Recovery Location | K. Business Resiliency
2346 | K.10.2 | Does disaster recovery testing include specific exercises and tests that address the unavailability of specific IT resources? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4061 | K.10.3 | Does information technology disaster recovery testing include production data center(s)? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4062 | K.10.4 | Does information technology disaster recovery testing include data stores? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4064 | K.10.5 | Does information technology disaster recovery testing include recovery of critical network infrastructure? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4071 | K.10.6 | Are measurable recovery objectives defined for each exercise and test? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Criteria | K. Business Resiliency
2779 | K.10.10 | Is there an annual schedule of planned disaster recovery exercises and tests? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2352 | K.10.12 | Do business continuity exercises include notification procedure and mechanism tests? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2357 | K.10.15 | Do disaster recovery tests include full scale exercises/end-to-end? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4076 | K.10.16 | Do disaster recovery tests include production transaction processing? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4077 | K.10.17 | Do disaster recovery tests include typical business volumes/full capacity? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2762 | K.10.18 | Do business continuity tests include business relocation testing? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2764 | K.10.20 | Are critical service providers included in disaster recovery testing? | Yes | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
5867 | K.11 | Is there a process for documenting disaster recovery test scripts and exercises? | Yes | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
5871 | K.11.4 | Does the disaster recovery exercise and test script documentation include a detailed schedule for completion? | Yes | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
4063 | K.12 | Does business continuity testing include recovery supporting critical loss or unavailability of personnel (40% or more)? | Yes | | Business Continuity Testing | Business Continuity Testing Scope | K. Business Resiliency
4066 | K.12.2 | Do business continuity testing exercise scenarios include loss of critical information and communication technology? | Yes | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4067 | K.12.3 | Do business continuity testing exercise scenarios include loss of service due to dedicated denial of service/cyber attacks? | Yes | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4068 | K.12.4 | Do business continuity testing exercise scenarios include loss of critical workplaces/buildings? | Yes | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4069 | K.12.5 | Do business continuity testing exercise scenarios include loss of critical personnel? | Yes | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4070 | K.12.6 | Do business continuity testing exercise scenarios include loss of critical third party services (e.g., partners and suppliers)? | Yes | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4082 | K.12.10 | Are the results of testing exercises conducted internally shared with customers? | No | Cloudflare does not notify customers when it performs tests of its BCP. | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency
4083 | K.12.11 | Are joint testing exercises conducted in partnership with customers? | No | | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency
4084 | K.13 | Are there established business resiliency testing exercise scenarios addressing cyber resilience? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency
4087 | K.13.3 | Does cyber resilience testing include data or system destruction and corruption scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency
4088 | K.13.4 | Does cyber resilience testing include communications infrastructure disruption scenarios including DDOS attacks? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency
4089 | K.13.5 | Does cyber resilience testing include simultaneous attack scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency
2305 | K.14 | Is there a pandemic/infectious disease outbreak plan? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency
2602 | K.19.1.1 | Are backup integrity and related restoration procedures tested at least annually? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency
4211 | K.19.1.2 | Is backup media tracked and reviewed for compliance to data retention/destruction requirements at least annually? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency
4469 | K.19.2 | Are backup and replication errors reviewed and resolved as required? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency
4212 | K.19.2.1 | Are backup and replication errors reviewed and resolved at least weekly? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency
5801 | K.19.5.1 | Does the data retention policy define retention history parameters based on information security provided guidance about dormant malware? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency
5803 | K.19.5.3 | Are offline data backups protected from destructive malware or other threats that may corrupt production and online backup versions of data? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency
4764 | L.5 | Does the delivery of the products or services require handling of digital media such as photos or videos that could include personal information? | No | With the exception of Cloudflare Stream, we do not require customers to send/receive digital media. | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance
4579 | L.5.1 | Are personnel trained in legal and appropriate handling of digital content? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance
4580 | L.5.2 | Are personnel trained on reporting the receipt of illegal digital content to management? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance
4581 | L.5.3 | Does a policy exist that sets requirements around the types of digital media that must have metadata scrubbed? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance
4767 | L.7.2 | Do employees receive training that covers Anti-Bribery and Anti-Corruption topics? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4769 | L.7.3 | Is obtaining or retaining business on behalf of client's part of the scope of services offered? | No | Cloudflare does not find leads on behalf of its customers. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4770 | L.7.4 | Are prospective employees screened for their connections to government officials? If no, please describe in additional information field. | No | Cloudflare will evaluate its candidates' work history for the last 7 years, which includes work for governmental entities. However, it does not evaluate employees for family/friend connections in government positions. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4773 | L.7.7 | Is Anti-Bribery & Anti-Corruption training mandatory for all staff? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4774 | L.7.7.1 | Does each employee complete Anti-Bribery & Anti-Corruption training when first starting their role? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4775 | L.7.7.2 | Is each employee required to retake Anti-Bribery & Anti-Corruption training annually? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4776 | L.7.7.3 | Is Anti-Bribery & Anti-Corruption training tailored for employees' specific roles? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4777 | L.7.7.4 | Is Anti-Bribery & Anti-Corruption training actively monitored for completion? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4778 | L.7.7.5 | Do consequences exist for non-completion of Anti-Bribery & Anti-Corruption training? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4779 | L.7.7.6 | Does Anti-Bribery & Anti-Corruption training have an evaluative or testing component? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4784 | L.7.11 | Is prohibition of facilitation payment reviews included in the Anti-Bribery and Anti-Corruption policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4786 | L.7.13 | Are there documented recordkeeping procedures for recording cash transactions? | N/A | Cloudflare does not receive payments in cash. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4789 | L.7.16 | Is a written contract required for all subcontractors that perform services under this contract? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4793 | L.7.16.4 | Is there a contractual requirement that payments be made in the country where services are to be performed? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4797 | L.7.16.8 | Are all subcontractors contractually prohibited from creating discounts? | N/A | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance
4800 | L.8.1 | Is training on Anti-Trust and Anti-Competitive Business Practices for all relevant constituents? | Yes | | Business Ethics and Corporate Compliance | Anti-Trust & Anti-Competitive Business Practices | L. Compliance
4801 | L.8.1.1 | Is training on Anti-Trust and Anti-Competitive Business Practices conducted on an annual basis? | Yes | | Business Ethics and Corporate Compliance | Anti-Trust & Anti-Competitive Business Practices | L. Compliance
5652 | L.9 | Does the organization provide and communicate guidance and requirements for operating in a socially responsible manner? | Yes | | Business Ethics and Corporate Compliance | Corporate Social Responsibility | L. Compliance
4803 | L.10.1 | Is there a defined supplier code of conduct required of all suppliers? | Yes | | Business Ethics and Corporate Compliance | Ethical Sourcing | L. Compliance
4804 | L.10.2 | Are there defined standards in the sourcing process to address sustainability? | Yes | | Business Ethics and Corporate Compliance | Ethical Sourcing | L. Compliance
3733 | L.11 | Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained? | Yes | Cloudflare has an HR compliance team which is part of the Legal Compliance organization. | Business Ethics and Corporate Compliance | Ethics | L. Compliance
4812 | L.14.1.1 | Will the security controls for the Call Center include a Security Guard force? | N/A | | Call Center Controls | Physical Security | L. Compliance
4813 | L.14.1.2 | Will the security controls for the Call Center include Electronic Access? | N/A | | Call Center Controls | Physical Security | L. Compliance
4814 | L.14.1.3 | Will the security controls for the Call Center include a defined visitor's control process? Please explain. | N/A | | Call Center Controls | Physical Security | L. Compliance
4815 | L.14.1.4 | Will the security controls for the Call Center include CCTV? | N/A | | Call Center Controls | Physical Security | L. Compliance
4818 | L.14.4 | Does the Call Center use Voice Over IP? | N/A | | Call Center Controls | Telephony | L. Compliance
4822 | L.14.8 | Can Customer Service Representatives (CSR) work remotely? | N/A | | Call Center Controls | Personnel | L. Compliance
4826 | L.14.10.1 | Are the call recordings stored in a secured data center? | N/A | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4827 | L.14.10.2 | Are recorded calls stored for over 30 days? | N/A | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4832 | L.14.10.7 | Can you provide reports on who has access to monitor calls and whose calls they monitor? | N/A | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4833 | L.14.10.8 | Is speech analytics conducted on call recordings? | N/A | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4835 | L.17 | Are collections activities conducted directly to Client's customers? | N/A | Cloudflare does not perform collections activities on behalf of customers. | Consumer Protection | Collections Practices | L. Compliance
4561 | L.18.2 | Are terms of sale, dispute and/or return of goods procedures available online? | N/A | Cloudflare does not interact with our customers' end users/consumers. | Consumer Protection | Offer & Terms Compliance | L. Compliance
4141 | L.19 | Are there direct interactions with your client's customers? | No | | Consumer Protection | Complaint Management | L. Compliance
4838 | L.20.1 | Are all systems regularly reviewed for compliance with all cybersecurity legal, contractual, and policy requirements? | Yes | | Cybersecurity Regulatory Compliance | Cybersecurity Compliance Controls | L. Compliance
4839 | L.20.2 | Is cryptography enabled in accordance with all legal and contractual requirements? | Yes | | Cybersecurity Regulatory Compliance | Cybersecurity Compliance Controls | L. Compliance
4840 | L.21 | Are any entities involved in the delivery of scoped services licensed or regulated by the New York Department of Financial Services (NYDFS)? | N/A | Cloudflare has not obtained a license from NYDFS since Cloudflare does not provide insurance to customers. | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
4841 | L.21.1 | Do Incident Response Plan Notification Procedures include notifying the New York Department of Financial Services (NYDFS) Superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event with a reasonable likelihood of materially harming any material part of normal business operations has occurred? | N/A | Cloudflare has not obtained a license from NYDFS since Cloudflare does not provide insurance to customers. | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
4583 | L.21.3 | Are audit trails designed to detect and respond to Cybersecurity events retained for 3 years? | No | Cloudflare retains data only for as long as required/limited by laws and regulations. | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
3379 | L.23 | Are client audits and/or risk assessments permitted? | No | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3380 | L.23.1 | Are onsite audits or risk assessments by clients permitted? | No | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3387 | L.23.4.2 | Are Data Flow/System Interface diagrams available during a client risk assessment or audit? | Yes | High-level data flows can be shared, or described. | External Assurance and Audit | Client Audit Requirements | L. Compliance
3388 | L.23.4.3 | Is a list of ports that are open externally available during a client risk assessment or audit? | Yes | Cloudflare publicly lists which ports are open externally. | External Assurance and Audit | Client Audit Requirements | L. Compliance
4287 | L.23.5.3 | Has a SOC 2 audit been performed within the last 12 months? | Yes | | External Assurance and Audit | Independent Audits | L. Compliance
4288 | L.23.5.4 | Has a SOC 3 audit been performed within the last 12 months? | Yes | | External Assurance and Audit | Independent Audits | L. Compliance
4852 | L.29 | Do you have a documented health and safety policy? | No | | Health & Safety | Governance | L. Compliance
4858 | L.29.6 | Have you had any serious and/or recordable accidents, injuries or illness in the last 5 years? If yes, please explain in the Additional Information field. | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | Health & Safety | Recordable Accidents | L. Compliance
4859 | L.29.7 | Has the organization been cited for regulatory non-compliance by a health or safety regulator/Agency? If yes, please explain in the Additional Information field. | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | Health & Safety | Citations | L. Compliance
4860 | L.29.8 | Are there documented policies and procedures in place to address recordkeeping, reporting, and posting for OSHA Compliance? | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | Health & Safety | OSHA Compliance | L. Compliance
4870 | L.32.2.2 | Are processes maintained for the balancing and reconciliation of transactions? | N/A | Cloudflare is not providing financial products. | Payments Compliance | Check Processing | L. Compliance
4875 | L.32.2.3.3.1 | For recurring ACH transactions, are processes maintained to respond to requests to discontinue the recurring transactions? | N/A | Cloudflare is not providing financial products. | Payments Compliance | Check Processing | L. Compliance
4877 | L.32.4.1 | Does your credit and debit card process comply with PCI Standards? | Yes | | Payments Compliance | Payment Card Processing | L. Compliance
4891 | L.34.4 | Is there a dedicated sanctions compliance officer? | Yes | | Sanction Compliance | Governance | L. Compliance
4899 | L.34.9 | Is there a sanction compliance training program that periodically (and at a minimum, annually) provides job-specific knowledge based on need, communicates the sanctions compliance responsibilities for each employee, and holds employees accountable for sanctions compliance training through assessments? | Yes | | Sanction Compliance | Training | L. Compliance
4300 | M.1.1.2 | Are end user device security reviews performed to validate compliance with documented standards? | Yes | | End User Device Security | Security Configuration Standards | M. End User Device Security
4301 | M.1.2 | Are all unnecessary/unused services uninstalled or disabled for devices used for accessing, transmitting, processing, or storing Scoped data on end user devices? | Yes | Access is reviewed quarterly and user access is revoked if systems are not regularly accessed. | End User Device Security | End User Device Hardening | M. End User Device Security
4305 | M.1.6 | Are all available high-risk security patches applied and verified at least monthly on all end-user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4306 | M.1.7 | Are all end user device patching exceptions documented and approved by information security or senior management? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4307 | M.1.7.1 | Are all patches, service packs, and hot fixes tested prior to deployment to end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4308 | M.1.7.2 | Are all vulnerabilities evaluated and prioritized for end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4309 | M.1.7.3 | Are all high-risk end user devices prioritized to receive patches first? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4311 | M.1.8 | Are third party alert services used to keep up to date with the latest vulnerabilities for all end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4312 | M.1.9 | Are all end user device operating system versions that no longer have patches released prohibited? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4313 | M.1.10 | Are all end user device operating system and application logs configured to provide sufficient detail to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4317 | M.1.14 | Are all end user device operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4322 | M.1.19 | Are application whitelisting, application blacklisting, or restriction of users' ability to install unapproved applications documented and used to prevent the installation of malicious software for all end user devices? | No | Cloudflare uses end point monitoring software which tracks what is downloaded by users, including potentially malicious software. | End User Device Security | Malware Protection | M. End User Device Security
4090 | M.1.22 | Are constituents allowed to utilize mobile devices within your environment? | Yes | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4096 | M.1.22.6 | Can constituents connect to scoped Systems using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
3762 | M.1.23.1 | Are all mobile devices evaluated as part of the IT Risk Management program? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3764 | M.1.24 | Are any mobile devices with access to scoped data Constituent owned (BYOD)? | N/A | Scoped data is not accessible from mobile device. | End User Device Security | BYOD | M. End User Device Security
4098 | M.1.25 | Is a technical solution in place to enforce mobile device security requirements (e.g., PIN, encryption, remote wipe, etc.)? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3774 | M.1.26.1 | Does the mobile device user agreement include the owner of data on the mobile device? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3775 | M.1.26.2 | Does the mobile device user agreement include the User's responsibility in ensuring the security of the mobile device? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3782 | M.1.26.4 | Does the mobile device user agreement include the support roles and responsibilities? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3778 | M.1.27 | Is there a process or procedure for responding to mobile device data compromise events? | Yes | This is in place where devices are company managed. | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3779 | M.1.27.1 | Does the mobile device incident response process or procedure include remotely wiping the mobile device? | Yes | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3780 | M.1.27.2 | Does the mobile device incident response process or procedure include remotely accessing scoped data on the mobile? | N/A | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3781 | M.1.27.3 | Does the mobile device incident response process or procedure include physically accessing scoped data on the mobile device? | N/A | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
4111 | M.1.27.4 | Does the mobile device incident response process or procedure include performing a forensic analysis on the mobile device? | Yes | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3783 | M.1.28 | Is there an approved process to support the mobile device lifecycle? | Yes | Applicable for company issued devices. | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3784 | M.1.28.1 | Does the mobile device lifecycle include onboarding mobile devices? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3785 | M.1.28.2 | Does the mobile device lifecycle include offboarding mobile devices? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
4101 | M.1.31 | Is Mobile Device Management (MDM) subject to an internal or external audit? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3823 | M.1.32 | Are there approved mobile operating system versions permitted to connect to the environment? | N/A | Per Cloudflare policy, devices owned by the company or used by the employee to connect to company resources must be running the most recent operating system (unless IT has instructed users to delay an update due to a vulnerability). | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3824 | M.1.33 | Are mobile operating system versions that are deemed end of life permitted to connect to Scoped systems and data? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3825 | M.1.34 | Are constituents permitted to create and activate mobile hotspots (Bring Your Own Network, BYON)? | Yes | This is encouraged to prevent employees from connecting to unsecured WiFi. | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
1791 | M.2 | Are Personal Computers (PCs) used to transmit, process or store Scoped systems and data? | Yes | | Personal Computer Policy and Procedures | Scoping | M. End User Device Security
1793 | M.2.1 | Is security approval required prior to implementing non-standard PC operating equipment? | Yes | | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security
1794 | M.2.2 | Is security approval required prior to implementing freeware or shareware applications on PCs? | Yes | | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security
1797 | M.2.3 | Are non-company managed PCs used to connect to the company network? | No | | Personal Computer Policy and Procedures | BYOD | M. End User Device Security
1803 | M.2.4 | Is installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? | No | Employees have local administrator rights to their company-issued devices. | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security
1016 | N.2.1 | Are all network device administrative interfaces configured to require authentication and encryption? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4903 | N.2.1.2 | Are all network device administrative interfaces configured to require multifactor authentication? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4404 | N.2.2 | Are default passwords changed or disabled prior to placing network devices into production? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4333 | N.4.5 | Are third party alert services used to keep up to date with the latest network device vulnerabilities? | Yes | | Network Policy | Network Device Patching | N. Network Security
3705 | N.6 | Are all firewall and other network Access Control List (ACL) rules reviewed and updated at least quarterly, including identification and removal of networks, sub networks, hosts, protocols or ports no longer in use? | Yes | Firewall rules are reviewed and updated on an as-needed basis. | Network Policy | ACL Management | N. Network Security
979 | N.6.1 | Do network devices deny all access by default? | Yes | | Network Policy | ACL Management | N. Network Security
3693 | N.6.2 | Do the firewalls have any rules that permit 'any' network, sub network, host, protocol or port on any of the firewalls (internal or external)? | No | | Network Policy | ACL Management | N. Network Security
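The three ACL questions above (N.6, N.6.1, N.6.2) together define a mechanical check an assessor can run against a ruleset export: a permit rule with 'any' in a network, host, protocol or port field; a policy that does not end in an explicit deny-all; and permit rules with no hits inside the review window. The Python below is an added example written for this page, not Cloudflare's tooling and not a real vendor export format. The CSV-style ruleset and its hit dates are constructed, and the 90-day window is an assumption standing in for the quarterly review the question asks about.

```python
"""Audit a firewall/ACL ruleset against SIG N.6, N.6.1 and N.6.2.

Added example for this page; the ruleset layout is a constructed
CSV-style format, not a real vendor export.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample ruleset (not real rules). Fields: id, action, src, dst,
# proto, dport, last_hit (ISO date, 'never', or empty for the catch-all deny).
SAMPLE_RULES = """\
id,action,src,dst,proto,dport,last_hit
10,permit,10.0.1.0/24,10.0.2.15,tcp,443,2024-05-01
20,permit,any,10.0.2.20,tcp,22,2024-05-02
30,permit,10.0.1.0/24,10.0.2.30,any,any,2023-09-14
40,permit,10.0.3.0/24,10.0.2.40,udp,53,never
50,deny,any,any,any,any,
"""

# Constructed review date used by the sample run below (assumption).
REVIEW_DATE = date(2024, 5, 10)

MATCH_FIELDS = ("src", "dst", "proto", "dport")


@dataclass
class Rule:
    rid: int
    action: str
    src: str
    dst: str
    proto: str
    dport: str
    last_hit: str


def parse_rules(text):
    """Parse the CSV-style ruleset into Rule objects, in policy order."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rules = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        rules.append(Rule(int(f["id"]), f["action"].lower(), f["src"].lower(),
                          f["dst"].lower(), f["proto"].lower(),
                          f["dport"].lower(), f["last_hit"].strip()))
    return rules


def permit_any_findings(rules):
    """N.6.2: permit rules with 'any' in network/host, protocol or port.
    Returns [(rule id, [wildcarded fields])] in policy order."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        wide = [name for name in MATCH_FIELDS if getattr(r, name) == "any"]
        if wide:
            findings.append((r.rid, wide))
    return findings


def has_default_deny(rules):
    """N.6.1: the policy ends in an explicit deny-all, so traffic not
    matched by an earlier permit is dropped rather than implicitly allowed."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and all(
        getattr(last, name) == "any" for name in MATCH_FIELDS)


def stale_rules(rules, today, window_days=90):
    """N.6: permit rules with no hit inside the review window are candidates
    for removal. Rules that have never matched are reported too; the
    catch-all deny is exempt because it is expected to match rarely."""
    cutoff = today - timedelta(days=window_days)
    stale = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.last_hit in ("", "never") or date.fromisoformat(r.last_hit) < cutoff:
            stale.append(r.rid)
    return stale


def audit(text, today):
    """Run all three checks and return a summary dict."""
    rules = parse_rules(text)
    return {
        "permit_any": permit_any_findings(rules),
        "default_deny": has_default_deny(rules),
        "stale": stale_rules(rules, today),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RULES, REVIEW_DATE))
```

On the constructed ruleset the audit flags rule 20 (source 'any') and rule 30 (protocol and port 'any') under N.6.2, confirms the trailing deny-all for N.6.1, and lists rules 30 and 40 as stale for N.6. Hit counters come from the firewall itself; the 'last_hit' column here is a stand-in for whatever the device exports.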
4915 | N.9.2 | Are encrypted communications required for all remote system access? | Yes | | Remote Network Access | Remote Administration Controls | N. Network Security
4918 | N.10.1 | Is the default password changed on all BMCs? | Yes | | Remote System Access | Baseboard Management Controllers | N. Network Security
4919 | N.10.2 | Are all BMCs configured on network address ranges reserved specifically for BMCs and no other devices? | Yes | | Remote System Access | Baseboard Management Controllers | N. Network Security
4920 | N.10.3 | Are BMC firmware updates monitored regularly and applied at the first available maintenance window? | Yes | | Remote System Access | Baseboard Management Controllers | N. Network Security
4922 | N.10.5 | Are firewalls configured to restrict all outbound traffic from BMCs? | Yes | | Remote System Access | Baseboard Management Controllers | N. Network Security
4923 | N.10.6 | Is Multifactor Authentication enabled on all BMCs? | Yes | | Remote System Access | Baseboard Management Controllers | N. Network Security
4338 | N.11.4 | Is there a review and correction of Network IDS/IPS false positives at least weekly? | Yes | | Network Security | Network Intrusion Detection/Prevention | N. Network Security
1077 | N.11.5 | Is there Network IDS/IPS monitoring and alert escalation to security incident response personnel 24x7x365? | Yes | | Network Security | Network Intrusion Detection/Prevention | N. Network Security
1080 | N.11.6 | Are Network IDS/IPS events sent to a central logging system or SIEM? | Yes | | Network Security | Network Intrusion Detection/Prevention | N. Network Security
3563 | N.14 | Are there controls to prevent one client attempting to compromise another client in a resource pooled environment? | Yes | | Network Security | Cloud Tenant Segregation Controls | N. Network Security
3565 | N.14.2 | Do cloud tenant segregation controls include IPS monitoring between tenants? | N/A | | Network Security | Cloud Tenant Segregation Controls | N. Network Security
4592 | N.16 | Are Industrial Control Systems (ICS) used as part of the delivery of service? | N/A | Cloudflare is not providing customers with Industrial Control Systems. | Industrial Control System Security | Scoping | N. Network Security
4593 | N.16.1 | Are all Industrial Control Systems segregated onto their own network (VLAN or Software Defined Network)? | N/A | Cloudflare is not providing customers with Industrial Control Systems. | Industrial Control System Security | Network Segregation and Segmentation | N. Network Security
4594 | N.16.2 | Are all ICS devices segregated by an application firewall from the rest of the network? | N/A | Cloudflare is not providing customers with Industrial Control Systems. | Industrial Control System Security | Network Segregation and Segmentation | N. Network Security
4595 | N.16.3 | Are physical areas with ICS devices scanned at least annually for non-802.11 wireless communications (e.g., Bluetooth, Zigbee, Z-Wave)? | N/A | Cloudflare does not utilize these technologies in its production environment. | Industrial Control System Security | Wireless Controls | N. Network Security
4533 | P.1 | Is there collection of, access to, processing of, disclosure of, or retention of client scoped data that includes any classification of personal information or personal data of individuals? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
3696 | P.1.3.1 | Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of PHI client scoped data? | Yes | Cloudflare's Security Incident and Response Policy includes a standard to inform customers or the public based upon the scale of impact. Cloudflare commits to inform its customers in a timely manner of any incident that may have impacted their data. | Healthcare Privacy | Privacy Incident & Breach Management | P. Privacy
3699 | P.1.3.2 | Are there documented procedures to enable the ability to reasonably amend PHI maintained by the service provider upon request? | Yes | Individuals have the right to access, correct, update, export, or delete their personal information and may email SAR@cloudflare.com with any such subject access requests ("SAR"), and we will respond within thirty (30) days. | Healthcare Privacy | Accuracy and Completeness of Personal Information | P. Privacy
3702 | P.1.3.3 | Are training records maintained for employees (including management) with access to or potential access to client PHI to meet the privacy and security obligations required by HIPAA? | Yes | Training logs for Security Awareness and Privacy Training are kept on an annual basis and administered through the company LMS. | Healthcare Privacy | Privacy Awareness & Training | P. Privacy
3701 | P.1.3.4 | Is there a business associate contract in place to address obligations for the privacy and security requirements for the services provided to the covered entity? | N/A | Cloudflare may enter into BAAs with customers who process PHI on behalf of their end customers. | Healthcare Privacy | Protection of Personal Information | P. Privacy
3713 | P.1.5.1 | Are there documented policies and procedures for cross border data flows or transfers of client Scoped data to the US from other countries, or from EU to other countries? | Yes | Cloudflare also remains certified under the EU-US and Swiss-US Privacy Shield frameworks for onward transfers of EU data to the United States (see https://www.cloudflare.com/privacyshield/). Customers can agree to the data processing addendum (DPA) within the Cloudflare dashboard, or by speaking to their Account Team. | European Privacy & Data Protection | Privacy Policies | P. Privacy
5888 | P.1.5.1.1 | Has the organization developed and approved Binding Corporate Rules (BCR) to the applicable data protection authorities for the authorization of international data transfers? | No | Standard Contractual Clauses in place in lieu of BCR. | European Privacy & Data Protection | Disclosure of Personal Information | P. Privacy
5889 | P.1.5.1.2 | Are transfers enabled only to countries that have received an adequacy status from data protection authorities? | No | Standard Contractual Clauses and other additional measures are in place to enable the transfer of personal data (mainly limited to IP addresses only) to third countries. See https://www.cloudflare.com/gdpr/introduction/ | European Privacy & Data Protection | Disclosure of Personal Information | P. Privacy
5890 | P.1.5.1.3 | Are Standard Contractual Clauses (SCCs) in place to authorize transfers of client scoped data? | Yes | | European Privacy & Data Protection | Disclosure of Personal Information | P. Privacy
5891 | P.1.5.2 | Is there a Data Processing Agreement (DPA) in place to address the organization's obligations for the services provided? | Yes | | European Privacy & Data Protection | Disclosure of Personal Information | P. Privacy
4479 | P.1.5.3 | If necessary, based on the services, is your organization registered with the appropriate Data Protection Authorities? If yes, please list which authorities and member countries are in scope for the services in the Additional Information field. | Yes | Cloudflare is registered with the United Kingdom's Information Commissioner's Office (ICO). Our registration number is ZA139631. | European Privacy & Data Protection | Compliance Review | P. Privacy
4480 | P.1.5.4 | If required, is there a designated Data Protection Officer? If yes, please identify in the Additional Information field. | Yes | Emily Hancock | European Privacy & Data Protection | Compliance Review | P. Privacy
4481 | P.1.5.5 | Is there a process in place to erase Personal Data based on the Right to be Forgotten if required based upon the services provided? | Yes | | European Privacy & Data Protection | Disposal, Destruction and Redaction of Personal Information | P. Privacy
5892 | P.1.5.6 | Is there a mechanism to temporarily suspend the processing of Personal Data based upon an individual's request? | Yes | | European Privacy & Data Protection | Privacy Data Collection, Notice, Choice & Consent | P. Privacy
4942 | P.1.12.3 | Does the data inventory and/or data flow documentation include identification of any access, transfer, processing, disclosure, or retention that crosses national borders? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
5897 | P.1.12.5 | Does the organization maintain records that identify the approved countries to which personal data can possibly be transferred in normal operations, including subcontractor locations? | Yes | Sub-processors and locations are listed on Cloudflare's website: https://www.cloudflare.com/gdpr/subprocessors/ | Privacy Program Management | Privacy Policies | P. Privacy
5898 | P.1.12.6 | Does the data inventory include the categories of types of individuals whose data is being processed? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
5899 | P.1.12.7 | Does the data inventory identify the systems/products/services in scope for the provision of the services? | Yes | | Privacy Program Management | Infrastructure and Systems Management | P. Privacy
5900 | P.1.12.8 | Does the data inventory identify the specific data elements used within the services? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
5901 | P.1.12.9 | Does the data flow identify the source or origin of the data at each phase of its lifecycle? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
4495 | P.1.16.1 | Is a process maintained to identify and record any detected or reported unauthorized disclosures of personal information? | Yes | | Privacy Program Management | Privacy Incident & Breach Management | P. Privacy
5910 | P.5.8.2 | Are data analytic inputs and outputs identified and evaluated for bias? | N/A | | Use, Retention, & Disposal | Information Developed About Individuals | P. Privacy
5912 | P.5.9.1 | Do the services involve the use of automated decision making? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
4949 | P.6.2.2 | Does the process to respond to an individual's access request include the personal information that has been shared with fourth parties (vendors, subcontractors, service providers)? | Yes | Where an individual requests this information it can be provided to them, subject to compliance with relevant laws. | Access | Access by Individuals to their Personal Information | P. Privacy
4951 | P.6.2.4 | Does the process to respond to an individual's access request include providing the business or commercial purpose for collecting or selling personal information? | Yes | Yes for the purpose of collecting; N/A for selling, as Cloudflare does not sell personal information. | Access | Access by Individuals to their Personal Information | P. Privacy
5918 | P.6.2.6 | Are records of data disclosures and sharing maintained that can be accessed by individuals upon request? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
4524 | P.8.4 | Is there a Vendor Risk Management Program (including ongoing monitoring) maintained to address the security of the client scoped data that may be accessed, processed, communicated to, or managed by external parties? | Yes | Vendors, including sub-processors, are subject to Cloudflare's Vendor Security Program, which includes a questionnaire-based review and sharing of all relevant security certifications. Vendors who are deemed high-risk due to the service they are offering, including sub-processors, are re-evaluated annually by the vendor risk program. | Security for Privacy | Information Security Program | P. Privacy
4530 | P.10.2 | Are there policies and processes in place to address privacy inquiries, complaints and disputes? | Yes | | Monitoring and Enforcement | Inquiry, Complaint, and Dispute Process | P. Privacy
4534 | T.1 | Are Windows servers used as part of the Scoped Services? | No | | Malware Protection | Scoping | T. Threat Management
4384 | T.1.1.9 | Are anti-malware software version and engine upgrade deployment failures reviewed at least weekly? | Yes | Third party software is updated automatically at the Edge. | Malware Protection | Anti-Malware Operations | T. Threat Management
4351 | T.2.4.1 | Do network Vulnerability Scans occur at least monthly? | Yes | | Vulnerability Management | Vulnerability Scans: Internal | T. Threat Management
4353 | T.2.5.1 | Do network Vulnerability Scans occur at least monthly? | Yes | | Vulnerability Management | Vulnerability Scans: External | T. Threat Management
3721 | T.2.6 | Are penetration tests performed? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4357 | T.2.6.2 | Is penetration testing performed after significant changes? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4362 | T.2.6.9 | Are web applications included in Penetration Tests? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4962 | T.5 | Do you deliver software, firmware, and/or BIOS updates to clients through automatic downloads (e.g., Windows Update, LiveUpdate)? | N/A | Cloudflare is not providing customers with hardware or services that require updates. | Vulnerability Management | Automatic Software Update Mechanisms | T. Threat Management
4366 | U.1 | Are Servers used for transmitting, processing or storing scoped data? | Yes | | Server Security Configuration Management | Governance | U. Server Security
4367 | U.1.1 | Are server security configuration standards documented and based on external industry or vendor guidance? | Yes | | Server Security Configuration Management | Server Security Configuration Standards | U. Server Security
4369 | U.1.1.2 | Are server security configuration reviews performed regularly to validate compliance with documented standards? | Yes | | Server Security Configuration Management | Server Security Configuration Reviews | U. Server Security
4536 | U.1.2 | Are all servers configured according to security standards as part of the build process? | Yes | | Server Security Configuration Management | Server Build Security Configuration | U. Server Security
4371 | U.1.2.2 | Are all remote access and file sharing services configured to require authentication and encryption on all servers? | Yes | | Server Security Configuration Management | Network and System Services | U. Server Security
4372 | U.1.2.3 | Is data on a separate drive from the operating system executables/binaries on all servers? | Yes | | Server Security Configuration Management | Volume Security | U. Server Security
4373 | U.1.2.4 | Are all servers configured to log users out after 15 minutes of inactivity? | No | Cloudflare enforces timeout at the device level through MDM. | Server Security Configuration Management | Session Time-Out | U. Server Security
2659 | U.1.2.5 | Are vendor default passwords removed, disabled or changed prior to placing any device or system into production? | Yes | | Server Security Configuration Management | Password Management | U. Server Security
4379 | U.1.3.3 | Are operating system and application events relevant to supporting incident investigation stored on alternate systems? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
2213 | U.1.5 | Are all systems and applications patched regularly? | Yes | | Server Patching | Patching Cadence | U. Server Security
2215 | U.1.5.2 | Are all server patches, service packs and hot fixes tested prior to installation? | Yes | | Server Patching | Patch Testing | U. Server Security
4375 | U.1.5.6 | Are all server patching exceptions necessary, documented and approved? | Yes | | Server Patching | Patching Exception Management | U. Server Security
2216 | U.1.5.7 | Are third party alert services used to keep up to date with the latest server vulnerabilities? | Yes | | Server Patching | Patching Operations | U. Server Security
4537 | U.1.6 | Is Unix or Linux used as part of the scoped services? | Yes | | Unix/Linux Security | Scoping | U. Server Security
1292 | U.1.6.1 | Are users required to 'su' or 'sudo' into root? | Yes | | Unix/Linux Security | Root/Administrator Authentication | U. Server Security
4538 | U.1.7 | Are AS/400s used as part of the scoped services? | No | | AS/400 Security | Scoping | U. Server Security
1580 | U.1.7.1 | Are group profile assignments based on constituent role? | N/A | Cloudflare does not use AS/400s. | AS/400 Security | Role-Based Group Profile | U. Server Security
1581 | U.1.7.2 | Are group profile assignments approved? | N/A | Cloudflare does not use AS/400s. | AS/400 Security | Group Profile Approval | U. Server Security
4539 | U.1.8 | Are Mainframes used as part of the scoped services? | No | | Mainframe Security | Scoping | U. Server Security
3649 | U.1.9 | Are Hypervisors used to manage systems used to transmit, process or store Scoped data? | No | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3657 | U.1.9.7 | Are there system-generated alerts in the event of Hypervisor audit log failure? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3659 | U.1.9.9 | Are Hypervisor audit logs protected against modification, deletion and/or inappropriate access? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3670 | U.1.9.10 | Does the Hypervisor system lock accounts after 3-5 invalid login attempts? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3672 | U.1.9.12 | Are unneeded Hypervisor services disabled (e.g., file-sharing between the guest and the host operating system)? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3673 | U.1.9.13 | Does the Hypervisor have introspection capabilities to monitor the security of each guest operating system? | N/A | | Hypervisor and Virtualization Security | Guest OS Security | U. Server Security
3680 | U.1.9.19 | Is there an approval process before VMs can be created to avoid VM sprawl? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3681 | U.1.9.20 | Is migration of VMs logged, including source and target systems, time, and user? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3682 | U.1.9.21 | Do all VMs in the same host share the same risk and data classification? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3683 | U.1.9.22 | Do all VMs in the same host share the same system sensitivity level grouping (development and production not present on the same host)? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
4403 | U.1.10.10 | Does the data container security policy require that Linux User Namespace Support be enabled to reduce the kernel and system resources that a container can access? | N/A | | Container Security | Container Security Policy | U. Server Security
4577 | U.1.10.11 | Are Vulnerability Scans performed against all Containers using tools that can inspect the contents of Containers? | No | Cloudflare does not currently scan containers for vulnerabilities. | Container Security | Vulnerability Management | U. Server Security
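U.1.10.10 asks whether container policy requires Linux user namespaces, the mechanism that makes a container's root a different, unprivileged uid on the host. Whether a running container actually received that remapping is visible in its /proc/<pid>/uid_map, where each line reads "uid inside the namespace, uid on the host, length of the range" and an identity line (0 0 4294967295) means root inside is root outside. The Python below is an added example for this page, not Cloudflare's code or a container runtime's; the three uid_map contents are constructed, and reading /proc/self/uid_map only works on a Linux host.

```python
"""Decide whether a container runs under a user namespace that remaps root.

Added example for this page (not Cloudflare's tooling). Each
/proc/<pid>/uid_map line is: <uid inside namespace> <uid on host> <length>.
"""

# Constructed uid_map contents (not captured from a real host).
# Typical runtime remap: container uid 0..65535 -> host uid 100000..165535.
REMAPPED_UID_MAP = "         0     100000      65536\n"
# Identity map, as seen by a process in the initial user namespace.
IDENTITY_UID_MAP = "         0          0 4294967295\n"
# Rootless-style map: the invoking user's uid becomes 0, then a subordinate range.
ROOTLESS_UID_MAP = "         0       1000          1\n         1     100000      65536\n"


def parse_uid_map(text):
    """Return [(ns_start, host_start, length)] for each well-formed line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines
        entries.append(tuple(int(p) for p in parts))
    return entries


def host_uid(entries, ns_uid):
    """Map a uid inside the namespace to the host uid, or None if unmapped."""
    for ns_start, host_start, length in entries:
        if ns_start <= ns_uid < ns_start + length:
            return host_start + (ns_uid - ns_start)
    return None


def root_is_remapped(entries):
    """True when uid 0 inside the namespace is not uid 0 on the host.
    An unmapped uid 0 also counts as remapped: it has no host identity,
    so an escape would not land as host root."""
    return host_uid(entries, 0) != 0


def check_self():
    """Evaluate this process's own map (Linux only); None where /proc is absent."""
    try:
        with open("/proc/self/uid_map") as f:
            return root_is_remapped(parse_uid_map(f.read()))
    except OSError:
        return None


if __name__ == "__main__":
    for name, text in (("remapped", REMAPPED_UID_MAP),
                       ("identity", IDENTITY_UID_MAP),
                       ("rootless", ROOTLESS_UID_MAP)):
        print(name, root_is_remapped(parse_uid_map(text)))
    print("self", check_self())
```

Run inside a container, a False from check_self() means the container's root is host root behind the remaining confinement layers (capabilities, seccomp, mount namespaces), which is the exposure the question is about; True means the policy in U.1.10.10 is in effect for that container.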
3304 | V.1 | Are Cloud Hosting services (IaaS) provided? | Yes | | Cloud Hosting | Cloud Service Model | V. Cloud Hosting
3505 | V.1.1.2 | Does the API allow clients to manage access to the VPN? | No | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3508 | V.1.1.5 | Does the API allow clients to manage client-side certificates? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3511 | V.1.1.8 | Can the API alert, block or lock based on rate limit? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3570 | V.5.2.1 | Can a client supply their own default base virtual image for guest operating systems? | No | | Configuration Management | Base Image Management | V. Cloud Hosting
4547 | V.6.3 | Can clients run their own vulnerability scans against their own cloud environment? | Yes | | Independent Oversight | Client-Managed Security | V. Cloud Hosting
4988-5043 | Z. Additional Questions | (rows left blank; no question or response recorded)
5044-5063 | Z. Additional Questions | (rows left blank; no question or response recorded)
Yes