
Shared Assessments Program, SIG Management Tool (SMT), Version 2020

Serial No | Ques Num | Question/Request | Response | Comments | Notes | Category | Sub-category | Domain

5643 | A.1 | Is there a formalized risk governance plan that defines the Enterprise Risk Management program requirements? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
2325 | A.1.1 | Does the risk governance plan include risk management policies, procedures, and internal controls? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
2326 | A.1.2 | Does the risk governance plan include a range of assets, including people, processes, data and technology? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
2420 | A.1.3 | Does the risk governance plan include a range of internal and external threats, including malicious, natural, accidental, cyber, and business changes (transaction volume)? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
2429 | A.1.4 | Does the risk governance plan include risk scenarios that address threats, vulnerabilities, likelihoods, and impacts that could impact people, processes, technologies, and facilities? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
4633 | A.1.5 | Does the organization have a governing body accountable to maintain the risk governance plan? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
4634 | A.1.6 | Does the risk governance plan define and communicate the organization's risk appetite and approach to risk to its employees? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
4635 | A.1.7 | Is the risk governance plan approved by senior management and/or board of directors? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management

Content Library, Page 1

4636 | A.1.8 | Is training provided to employees regarding risk expectations and their obligations? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
5837 | A.1.9 | Does the risk governance plan include the identification of the systems/products/services that support organizational priorities? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
5838 | A.1.10 | Does the risk governance plan include the alignment to the organization's mission, objectives, and stakeholders to inform roles and responsibilities for risk management decisions? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
5839 | A.1.11 | Does the risk governance plan include the establishment and communication of the priorities of activities? | Yes | | | Enterprise Risk Management | Risk Governance Plan | A. Risk Management
4412 | A.2 | Are there Subject Matter Experts and/or groups assigned to assess risk for different categories e.g., operational, reputational, regulatory, technology, privacy, financial, etc.? If no, please explain any exclusions in the additional information field. | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management
4637 | A.2.1 | Do risk assessment personnel maintain relevant professional certifications? | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management
4638 | A.2.2 | Do risk assessment personnel maintain contacts with relevant professional special interest groups, specialist forums or professional associations? | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management
4639 | A.2.3 | Do risk assessment personnel participate in continuing education programs e.g., online training, webinars, seminars, etc.? | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management


2427 | A.2.4 | Are personnel tasked with scoping assessments trained in the organization's assessment scoping criteria? | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management
4413 | A.2.5 | Do all assessment groups utilize a consistent standardized framework for assessing risk? | Yes | | | Enterprise Risk Management | Risk Governance - Personnel | A. Risk Management
4640 | A.3 | Is there a formalized Risk Assessment process that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
4641 | A.3.1 | Does the organization maintain an inventory of the applicable risks and controls included in the Enterprise Risk Management program? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
4642 | A.3.2 | Does the risk assessment process identify and monitor inherent and residual risk? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
4643 | A.3.3 | Does the risk assessment process identify and monitor qualitative risk? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
4644 | A.3.4 | Does the risk assessment process identify and monitor quantitative risk? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
2431 | A.3.5 | Are assessments scoped using a formal set of criteria that considers legal/regulatory compliance requirements? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management


5840 | A.3.5.1 | Does the risk assessment address confidentiality, integrity and availability? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
5841 | A.3.5.2 | Does the risk assessment include the risks related to the processing of personal information and risk to the individual? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
5842 | A.3.5.3 | Does the risk assessment include documentation of the rationale for exclusion of specific controls based on the scoping performed in the assessment? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
2409 | A.3.6 | Are critical processes and entities reassessed annually? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
5843 | A.3.7 | Does the organization have a process in place for justifying why a specific control may be omitted from its information security risk treatment program? | Yes | | | Enterprise Risk Management | Risk Assessments | A. Risk Management
3286 | A.3.8 | Is there a process to identify and manage the risk response and treatment of risks? | Yes | | | Enterprise Risk Management | Risk Treatment | A. Risk Management
4158 | A.3.9 | Does the risk treatment program include a formal process for assigning appropriate management ownership for risk decisions? | Yes | | | Enterprise Risk Management | Risk Treatment | A. Risk Management
4159 | A.3.10 | Does the risk treatment program include a formal process for accepting risks and approving action plans? | Yes | | | Enterprise Risk Management | Risk Treatment | A. Risk Management


4160 | A.3.11 | Does the risk treatment program include a formal program for accepting risks and prioritizing and approving action plans? | Yes | | | Enterprise Risk Management | Risk Treatment | A. Risk Management
4161 | A.3.12 | Does the risk treatment program include creation of internal controls if material risks are identified? | Yes | | | Enterprise Risk Management | Risk Treatment | A. Risk Management
4162 | A.4 | Does the Enterprise Risk Management program include measures for defining, monitoring, and reporting risk metrics? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4645 | A.4.1 | Do risk metrics include measurements against risk tolerance criteria set by the plan? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4163 | A.4.2 | Do the risk metrics include Performance benchmarks? | No | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4646 | A.4.3 | Do the risk metrics include Key Risk Indicators? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4164 | A.4.4 | Do the risk metrics include Service Level Agreement Compliance? | No | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4165 | A.4.5 | Do the risk metrics include Policy Compliance? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management


4166 | A.4.6 | Do the risk metrics include Control Effectiveness? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
4167 | A.4.7 | Do the risk metrics include IT Vulnerability Management compliance? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
5844 | A.4.8 | Do the risk metrics include privacy and data protection compliance? | Yes | | | Enterprise Risk Management | Risk Reporting | A. Risk Management
71 | A.5 | Do subcontractors (e.g., backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors, hosting providers, etc.) have access to scoped systems and data or processing facilities? | No | Cloudflare's list of sub-processors under the GDPR is publicly available on our website: https://www.cloudflare.com/gdpr/subprocessors/ The subprocessors being utilized differ depending on the product that is used by the customer. Workers utilizes GCP and Azure. | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3897 | A.5.1 | Is there a documented third party risk management program in place for the selection, oversight and risk assessment of Subcontractors e.g., service providers, dependent service providers, sub-processors? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4647 | A.5.1.1 | Does the third party risk management program have a governing body accountable for the selection, oversight and risk assessment of subcontractors? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4648 | A.5.1.2 | Have policies, standards, and procedures for implementing the third party risk management program been reviewed and approved by senior management? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4649 | A.5.1.3 | Does the third party risk management program include creating and maintaining a third party inventory based on information and/or risk classification? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management


4650 | A.5.1.4 | Does the program include definition of required contract development, adherence and management policies and processes? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4651 | A.5.1.5 | Does the program include the definition of a third party risk assessment process? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4652 | A.5.1.6 | Does the program include consistently applied tools, measurements and criteria to evaluate third party risk? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4653 | A.5.1.7 | Does the program include definition and a process for ongoing monitoring and review of third party risk? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
2514 | A.5.1.8 | Does the third party risk management program include assessments performed on all potential subcontractors before entering contracts with them? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4168 | A.5.1.8.1 | Are subcontractors evaluated for reassessment when there are material changes to risk posture, service offerings or contracts? | Yes | Cloudflare audits its critical and high risk vendors once per year. | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
2425 | A.5.1.8.2 | Does the third party risk management program include identification of the inherent risks of the service and determine the proper level of assessment needed prior to engaging with subcontractors? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
4654 | A.5.1.8.3 | Does the third party risk management program include identification and documentation of the residual risks of the service and determine the proper level of assessment needed prior to engaging with subcontractors? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3903 | A.5.1.9 | Does the subcontractor third party risk management program include comprehensive financial analysis? | N/A | Financial analysis is done where possible; however, where vendors are privately held companies this may not be possible. | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management


3904 | A.5.1.10 | Does the subcontractor third party risk management program include vendor reputational review? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3906 | A.5.1.11 | Does the subcontractor third party risk management program include defined risk assessment and classification method for vendors? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3907 | A.5.1.12 | Does the subcontractor third party risk management program include management of subcontractor risk, compliance, and performance? | Yes | Initially risk assessment is completed by Cloudflare's Governance Risk and Compliance Team. Cloudflare also puts in place a security addendum with subcontractors. Performance against the vendor contract is measured by the team who owns the vendor relationship, after initial evaluation has been completed by Security. | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3909 | A.5.1.13 | Does the third party risk management program require business units to notify if there are new or changed subcontractors? | Yes | The GDPR sub-processor page includes an RSS feed where customers can sign up for automated notification in the event of a change in sub-processors. | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3911 | A.5.1.14 | Does the subcontractor third party risk management program include oversight and governance of program adherence? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3910 | A.5.1.15 | Does the subcontractor third party risk management program include defined procedures for subcontractor management? | Yes | | | Third Party Risk Management | Subcontractor Selection and Management Process | A. Risk Management
3900 | A.5.1.15.1 | Does the subcontractor third party risk management program include review of subcontractors' third party risk program? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management
5644 | A.5.1.15.2 | Does the third party risk management program require subcontractors to perform risk and security assessments on their subcontractors prior to engaging their services (logical, physical, other controls)? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management


5645 | A.5.1.15.3 | Does the third party risk management program require subcontractors to perform risk and security assessments on their critical subcontractors at least annually? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management
5646 | A.5.1.15.4 | Does the third party risk management program require the ability and right to audit subcontractor controls? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management
5647 | A.5.1.15.5 | Does the third party risk management program require Confidentiality and/or Non-Disclosure Agreements from subcontractors? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management
5648 | A.5.1.15.6 | Does the third party risk program require subcontractors to notify if there are changes affecting services rendered? | Yes | | | Third Party Risk Management | Subcontractors' Third Party Risk Management | A. Risk Management
5649 | A.5.1.15.7 | Does the third party risk management program require background checks performed for service provider contractors and subcontractors? | Yes | | | Third Party Risk Management | Service Provider Background Checks | A. Risk Management
3522 | A.5.1.15.7.1 | Are background checks performed at time of hire? | Yes | | | Third Party Risk Management | Service Provider Background Checks | A. Risk Management
3525 | A.5.1.15.7.2 | Are background checks performed periodically, at least as frequently as required by regulations? | No | Background checks are only conducted upon hire. | | Third Party Risk Management | Service Provider Background Checks | A. Risk Management
72 | A.5.2 | For all subcontractors requiring assessment, is there a contract? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management


74 | A.5.2.1 | Do contracts with all subcontractors include Non-Disclosure/Confidentiality Agreements? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
2506 | A.5.2.2 | Do contracts with all subcontractors include ownership of information, trade secrets and intellectual property? | Yes | This is included in the DPA, which is in place with all sub-processors. | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
4170 | A.5.2.3 | Do contracts with all subcontractors include all applicable privacy and security requirements? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
4171 | A.5.2.4 | Do contracts with all subcontractors include permitted use and limitations of use of confidential information? | Yes | External contracts containing confidentiality obligations are in place with high risk vendors that include the protection of personal and confidential information. Third-party vendors are required to sign a contractual agreement with Cloudflare during onboarding that includes protection of personal data (DPA) if processing the personal data of European data subjects on behalf of Cloudflare. | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
81 | A.5.2.5 | Do contracts with all subcontractors include data breach notification? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
91 | A.5.2.6 | Do contracts with all subcontractors include problem reporting and escalation procedures? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
78 | A.5.2.7 | Do contracts with all subcontractors include Right to audit? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
82 | A.5.2.8 | Do contracts with all subcontractors include Service Level Agreements? | No | Individual teams are responsible for negotiating and monitoring SLAs with the subprocessor they are contracting. | | Third Party Risk Management | Service Provider Agreements | A. Risk Management


85 | A.5.2.9 | Do contracts with all subcontractors include Indemnification/Liability? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
86 | A.5.2.10 | Do contracts with all subcontractors include termination/exit clause? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
4172 | A.5.2.11 | Do contracts with all subcontractors include breach of agreement terms? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
76 | A.5.2.12 | Do contracts with all subcontractors include audit reporting? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
2524 | A.5.2.13 | Do contracts with all subcontractors include privacy and security control requirements for subcontractors? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
4655 | A.5.2.14 | Do contracts with Subcontractors require negotiating the extension of contractual obligations to its subcontractors? | Yes | | | Third Party Risk Management | Service Provider Agreements | A. Risk Management
3887 | A.5.3 | Does the third party risk management program include an assigned individual or group responsible for capturing, maintaining, and tracking subcontractor Information Security, Privacy, or other issues? | Yes | Governance and Risk Team is responsible for the risk management program and framework. | | Third Party Risk Management | Issue Management | A. Risk Management
3888 | A.5.3.1 | Does the third party issue management program include risk severity ratings criteria for issues e.g., H/M/L, 1-5, etc.? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management


3889 | A.5.3.2 | Does the third party issue management program include remediation plans? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3892 | A.5.3.2.1 | Does the third party issue management program include escalation procedures if the remediation requirements or remediation date(s) are not met? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3893 | A.5.3.3 | Does the third party issue management program require sign-off when remediation is fully implemented? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3894 | A.5.3.4 | Does the third party issue management program include reporting on remediation? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3895 | A.5.3.4.1 | Does remediation reporting include identification of stakeholders? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3896 | A.5.3.4.2 | Does remediation reporting include reporting frequency? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3901 | A.5.3.4.3 | Does remediation reporting include a process to identify and log subcontractor information security, privacy and/or data breach issues? | Yes | | | Third Party Risk Management | Issue Management | A. Risk Management
3199 | B.1 | Is there a set of information security policies that have been approved by management, published and communicated to constituents? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
2482 | B.1.1 | Are policies and standards based on industry accepted standards and practices? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy


4414 | B.1.2 | Is there a management-approved process for handling deviations and exceptions? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
4415 | B.1.3 | Do the information security policies set requirements based on business strategy, regulations, legislation (including privacy and civil liberties obligations) and cybersecurity threat environment? | Yes | Information security policies set requirements based upon ISO 27001 framework. | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
4416 | B.1.4 | Do the information security policies contain statements concerning the organization's definition of information security, objective, and principles to guide all activities relating to information security? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
4173 | B.1.5 | Have all policies been assigned to an owner responsible for reviewing and approving them periodically? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
4174 | B.1.5.1 | Do owners review and update policies if significant changes occur in legal, business, organizational, or technical conditions? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
2471 | B.1.6 | Have all information security policies and standards been reviewed in the last 12 months? | Yes | | | Information Security Policy Management | Information Security Policy Management | B. Security Policy
4417 | C.1 | Are responsibilities for asset protection and for carrying out specific information security processes clearly identified and communicated to the relevant parties? | Yes | | | Security Organization | Organizational Information Security Responsibilities | C. Organizational Security
4418 | C.1.7 | Do the processes include residual risk acceptance responsibilities? | Yes | | | Security Organization | Organizational Information Security Responsibilities | C. Organizational Security


4419 | C.1.8 | Do the processes include local and site-specific responsibilities? | Yes | | | Security Organization | Organizational Information Security Responsibilities | C. Organizational Security
4656 | C.2 | Does the organization's executive leadership ensure information security policy is established and aligned with organizational strategy, and communicated to the entire organization? | Yes | | | Security Organization | Executive Sponsorship | C. Organizational Security
4657 | C.2.1 | Does the organization's executive leadership communicate the mandate of information security awareness, compliance and effectiveness to the entire organization? | Yes | | | Security Organization | Executive Sponsorship | C. Organizational Security
4658 | C.2.2 | Does the organization's board of directors or ownership ensure information security programs are funded sufficiently to meet the organization's objectives? | Yes | | | Security Organization | Executive Sponsorship | C. Organizational Security
4659 | C.2.3 | Does the organization's board of directors or ownership require management to regularly demonstrate that the information security program meets its intended objectives? | Yes | | | Security Organization | Executive Sponsorship | C. Organizational Security
4551 | C.3 | Has a qualified individual been designated as Chief Information Security Officer (CISO), responsible for overseeing and implementing the organization's cybersecurity program and enforcing its cybersecurity policy? | Yes | | | Security Organization | Chief Information Security Officer | C. Organizational Security
4552 | C.3.1 | Does the CISO issue a report at least annually on the organization's cybersecurity program and material cybersecurity risks to the organization's board of directors, equivalent body, or senior officer in charge of cybersecurity risk? | Yes | | | Security Organization | Chief Information Security Officer | C. Organizational Security
58 | C.4 | Are information security personnel (internal or outsourced) responsible for information security processes? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security


4421 | C.4.1 | Are information security personnel responsible for the design of information technology systems, processes, and architecture required to meet information security requirements? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
61 | C.4.2 | Are information security personnel responsible for the creation and review of information security policies? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
4422 | C.4.3 | Do information security personnel review the effectiveness of information security policy implementation and manage instances of non-compliance with security policies across the entire organization? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
65 | C.4.4 | Are information security personnel responsible for the development and maintenance of an overall strategic security plan? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
62 | C.4.5 | Are information security personnel responsible for the monitoring of significant changes in the exposure of information assets? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
63 | C.4.6 | Are information security personnel responsible for the review and/or monitoring of information security incidents or events? | Yes | | | Security Organization | Information Security Personnel Responsibilities | C. Organizational Security
2500 | C.5 | Do information security personnel maintain contacts with information security special interest groups, specialist security forums or professional associations? | Yes | Cloudflare is a member of the Cloud Security Alliance (CSA) and its Head of Security Engagement joined in July to further our participation in professional associations. | | Security Organization | Information Security Personnel Qualifications | C. Organizational Security
4200 | C.5.1 | Do information security personnel participate in continuing education programs e.g., online training, webinars, seminars, etc.? | Yes | Cloudflare is supportive of all staff, including those on the security team, maintaining relevant knowledge for their work. | | Security Organization | Information Security Personnel Qualifications | C. Organizational Security

220 | C.5.2 | Do information security personnel maintain professional security certifications? | Yes | Information security personnel are supported by Cloudflare if they wish to receive or maintain a professional security certification but this is not viewed as required for all information security personnel. | Security Organization | Information Security Personnel Qualifications | C. Organizational Security
4420 | C.6 | Do all projects involving scoped systems and data go through some form of information security assessment? | Yes | | Project Information Security Oversight | Security Assessment | C. Organizational Security
4180 | D.8 | Is regulated or confidential scoped data stored electronically? | Yes | | Encryption | Scoping | D. Asset and Info Management
4183 | D.8.1 | Is full-disk encryption enabled for all systems that store or process scoped data? | Yes | | Encryption | Disk Encryption | D. Asset and Info Management
4184 | D.8.2 | Is regulated or confidential scoped data stored in a database? | Yes | | Encryption | Database Encryption | D. Asset and Info Management
4186 | D.8.2.1 | Does regulated or confidential scoped data stored in a database include Database Encryption? | Yes | | Encryption | Database Encryption | D. Asset and Info Management
4187 | D.8.2.1.1 | Does regulated or confidential scoped data stored in a database include column/field Encryption? | No | Cloudflare utilizes full disk encryption and not field/column level encryption. | Encryption | Database Encryption | D. Asset and Info Management
4188 | D.8.2.1.2 | Does regulated or confidential scoped data stored in a database include tablespace Encryption? | No | Cloudflare utilizes full disk encryption and not field/column level encryption. | Encryption | Database Encryption | D. Asset and Info Management


4181 | D.8.3 | Is regulated or confidential scoped data stored in files? | No | | Encryption | File/Folder Encryption | D. Asset and Info Management
4182 | D.8.3.1 | Does regulated or confidential scoped data stored in files include file/folder-level encryption enabled? | No | Cloudflare utilizes full disk encryption and not field/column level encryption. | Encryption | File/Folder Encryption | D. Asset and Info Management
1806 | D.8.4 | Are encryption keys managed and maintained for scoped data? | Yes | | Encryption | Key Management | D. Asset and Info Management
4192 | D.8.4.1 | Are encryption keys generated in a manner consistent with key management industry standards? | Yes | | Encryption | Key Management | D. Asset and Info Management
1815 | D.8.4.2 | Are encryption keys encrypted at rest and when transmitted? | Yes | | Encryption | Key Management | D. Asset and Info Management
1902 | D.8.4.3 | Is there segregation of duties between personnel responsible for key management duties and those responsible for normal operational duties? | Yes | Employees responsible for key management duties also have normal operational duties. | Encryption | Key Management | D. Asset and Info Management
4437 | D.8.4.4 | Is the use of keys by personnel logged? | Yes | | Encryption | Key Management | D. Asset and Info Management
1865 | D.8.4.5 | Is encryption key or certificate sharing prohibited between production and non-production systems? | Yes | A private encryption key/certificate will be created within production with a public key for non-production. | Encryption | Key Management | D. Asset and Info Management


1814 | D.8.4.6 | Is there a centralized key management system (KMS)? | Yes | | Encryption | Key Management | D. Asset and Info Management
4193 | D.8.4.6.1 | Does key generation and management occur in a software solution e.g., bouncycastle, OpenSSL? | Yes | | Encryption | Key Management | D. Asset and Info Management
4194 | D.8.4.6.2 | Does key generation and management occur in a hardware Encryption Module/hardware Security Module e.g., NIST, FIPS 140-2? | Yes | | Encryption | Key Management | D. Asset and Info Management
4191 | D.8.4.7 | Is there an option for clients to manage their own encryption keys? | Yes | Supported by Cloudflare's Keyless SSL product, which allows customers to maintain their private keys while still being able to route encrypted traffic through Cloudflare. | Encryption | Key Management | D. Asset and Info Management
3353 | D.8.4.7.1 | Are clients provided with the ability to generate a unique encryption key? | Yes | Enterprise clients are assigned a unique key/certificate; customers utilizing self service purchase plans may purchase a unique key/certificate. | Encryption | Key Management | D. Asset and Info Management
3354 | D.8.4.7.2 | Are clients provided with the ability to rotate their encryption keys on a scheduled basis? | Yes | Customers can use Keyless SSL, which lets sites use Cloudflare's SSL service while retaining on-premise custody of their private keys. | Encryption | Key Management | D. Asset and Info Management
1860 | D.8.5 | Is asymmetric encryption key length a minimum of 2048 bits? | Yes | The SHA-2/RSA and SHA-1/RSA certificates utilize a 2048-bit private key to secure data transmission, whereas SHA-2/ECDSA certificates use the P-256 curve. | Encryption | Cryptographic Strength | D. Asset and Info Management
4438 | D.8.5.1 | Does symmetric encryption use AES with a key length of at least 128 bits? | Yes | | Encryption | Cryptographic Strength | D. Asset and Info Management


3548 | D.8.6 | Are constituents able to view client's unencrypted data? | No | | Encryption | Constituent Access | D. Asset and Info Management
3219 | D.8.6.1 | Can constituents view an unencrypted version of regulated or confidential information? | Yes | Cloudflare technical support employees have the ability to view customer account information in order to provide assistance/troubleshooting. | Encryption | Constituent Access | D. Asset and Info Management
4692 | D.8.7 | Has encryption of any nonpublic information at rest, or in transit over external networks, been deemed infeasible? If yes, please describe the unencrypted information in the Additional Information field. | No | | Encryption | Compensating Controls | D. Asset and Info Management
4693 | D.8.7.1 | Is all unencrypted nonpublic information secured using effective alternative compensating controls? Please describe the compensating controls in the Additional Information field. | N/A | Cloudflare encrypts data over untrusted networks. | Encryption | Compensating Controls | D. Asset and Info Management
4694 | D.8.7.1.1 | Are all controls used to compensate for unencrypted nonpublic information reviewed and approved by the organization's CISO on an annual basis? | N/A | Cloudflare encrypts data over untrusted networks. | Encryption | Compensating Controls | D. Asset and Info Management
4195 | E.1 | Are Human Resource policies approved by management, communicated to constituents, and assigned an owner to maintain and review them? | Yes | | Human Resource Policy | Human Resource Policy | E. Human Resource Security
2538 | E.1.1 | Do Human Resource policies include constituent background screening criteria? | Yes | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
148 | E.1.1.1 | Do constituent background screening criteria include criminal screening? | Yes | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security


155 | E.1.1.2 | Do constituent background screening criteria include credit checks? | No | Only in the US, where there is an employee credit check (if in Finance). | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
162 | E.1.1.3 | Do constituent background screening criteria include academic verification? | Yes | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
169 | E.1.1.4 | Do constituent background screening criteria include reference verification? | Yes | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
2539 | E.1.1.5 | Do constituent background screening criteria include resume or curriculum vitae verification? | Yes | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
176 | E.1.1.6 | Do constituent background screening criteria include drug screening? | No | | Human Resource Policy | Background Investigation Policy Content | E. Human Resource Security
183 | E.1.2 | Are constituents required to sign employment agreements? | Yes | | Human Resource Policy | Agreements for Constituents | E. Human Resource Security
184 | E.1.2.1 | Do employment agreements include acknowledgement of Acceptable Use policies? | Yes | | Human Resource Policy | Agreements for Constituents | E. Human Resource Security
191 | E.1.2.2 | Do employment agreements include acknowledgement of Code of Conduct/Ethics policies? | Yes | | Human Resource Policy | Agreements for Constituents | E. Human Resource Security


205 | E.1.2.3 | Do employment agreements include acknowledgement of Confidentiality/Non-Disclosure policies? | Yes | | Human Resource Policy | Agreements for Constituents | E. Human Resource Security
212 | E.1.3 | Are constituents required to attend security awareness training? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
214 | E.1.3.1 | Does the security awareness training program include security policies, procedures and processes? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
4550 | E.1.3.2 | Does the security awareness training program include techniques to recognize phishing attempts? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
2536 | E.1.3.3 | Does the security awareness training program include an explanation of constituents' security roles and responsibilities? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
215 | E.1.3.4 | Does the security awareness training program include a competency test? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
3302 | E.1.3.5 | Does the security awareness training program include new hire and annual participation? | Yes | | Human Resource Policy | Security Awareness Training Program | E. Human Resource Security
293 | E.1.4 | Does the Human Resource policy include a disciplinary process for non-compliance? | Yes | | Human Resource Policy | Disciplinary Process | E. Human Resource Security


32 | E.1.5 | Does the Human Resource policy include constituent accountability for the use and misuse of their access credentials? | Yes | | Human Resource Policy | Disciplinary Process | E. Human Resource Security
2557 | E.1.6 | Does the Human Resource policy include termination and/or change of status processes? | Yes | | Human Resource Policy | Separation Procedures | E. Human Resource Security
299 | E.2 | Is electronic access to systems containing scoped data removed within 24 hours for terminated constituents? | Yes | | Human Resource Policy | Separation Procedures | E. Human Resource Security
5825 | E.3 | Does your organization have an employee performance process that is documented, maintained, and reviewed by management periodically? | Yes | | Human Resource Policy | Performance Review | E. Human Resource Security
312 | F.1 | Is there a physical security program approved by management, communicated to constituents, and has an owner been assigned to maintain and review it? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
26 | F.1.1 | Does the physical security program include a clean desk policy? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
5826 | F.1.1.1 | Does your clean desk policy include restrictions related to the storage and physical handling of materials that house PII? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
4714 | F.1.2 | Are there physical security controls for all secured facilities e.g., data centers, office buildings? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental


387 | F.1.2.1 | Do the physical security controls include an electronic controlled access system (key card, token, fob, biometric reader, etc.)? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
391 | F.1.2.2 | Do the physical security controls include cipher locks (electronic or mechanical) to control access within or to the facility? | No | Cloudflare deems this to no longer be an effective method of access control. | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
374 | F.1.2.3 | Do the physical security controls include security guards that provide onsite security services? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
3288 | F.1.2.4 | Do the physical security controls include a perimeter physical barrier (such as fence or walls)? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
371 | F.1.2.5 | Do the physical security controls include entry and exit doors that are alarmed (forced entry, propped open) and/or monitored by security guards? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
395 | F.1.2.6 | Do the physical security controls include a mechanism to prevent tailgating/piggybacking? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
360 | F.1.2.7 | Do the physical security controls include external lighting? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
364 | F.1.2.8 | Do the physical security controls include lighting on all doors? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental


365 | F.1.2.9 | Do the physical security controls include exterior doors with external hinge pins? | No | Hinge pins are internal. | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
358 | F.1.2.10 | Do the physical security controls include windows with contact or break alarms on all windows? | Yes | Not applicable for all office environments. Cloudflare's racks within datacenters are within secured rooms that do not have windows and are physically separated from the perimeter of the building. | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
366 | F.1.2.11 | Do the physical security controls include digital CCTV with video stored at least 90 days? | Yes | Physical offices store video for 30 days. Data center storage may range between 30-90 days. | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
430 | F.1.2.12 | Do the physical security controls of all secured facilities require walls extending from true floor to true ceiling? | Yes | | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
432 | F.1.2.13 | Does the design and monitoring of physical security include all windows or glass walls along the perimeter of all secured facilities? | Yes | Yes for offices; no for datacenters. | Physical Security Program | Secured Facility Controls | F. Physical and Environmental
381 | F.1.2.14 | Are there physical access controls that include restricted access and logs kept of all access? | Yes | | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental
389 | F.1.2.14.1 | Do physical access controls include collection of access equipment (badges, keys, change pin numbers, etc.) upon termination or status change? | Yes | | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental
382 | F.1.2.14.2 | Are physical access control procedures documented? | Yes | | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental


383 | F.1.2.14.3 | Do physical access controls include segregation of duties for issuing and approving access? | Yes | Applicable only to data centers. All office staff are permitted in all parts of offices except IT rooms and other maintenance facilities. | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental
384 | F.1.2.14.4 | Do physical access controls include access reviews at least every six months? | Yes | | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental
390 | F.1.2.14.5 | Do physical access controls require reporting of lost or stolen access cards/keys? | Yes | | Physical Security Program | Secured Facility Controls - Access | F. Physical and Environmental
4715 | F.1.3 | Are there environmental controls in secured facilities to protect computers and other physical assets e.g., fire detection and suppression? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
4716 | F.1.3.1 | Is there a process to ensure equipment supporting critical computer systems is correctly maintained? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
4717 | F.1.3.2 | Is there a process to ensure equipment supporting critical systems is not taken offline or off-site without prior authorization? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
5650 | F.1.3.3 | Is signage required to identify environmental controls within the data center? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
566 | F.1.3.4 | Do environmental controls include fluid sensors? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental


3297 | F.1.3.5 | Do environmental controls include HVAC and humidity controls? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
3298 | F.1.3.6 | Do environmental controls include heat detectors? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
569 | F.1.3.7 | Do environmental controls include smoke detectors? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
3303 | F.1.3.8 | Do environmental controls include fire suppression? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
3289 | F.1.3.9 | Do environmental controls include multiple power feeds? | Yes | All data centers have this in place; not all physical offices. | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
3290 | F.1.3.10 | Do environmental controls include multiple communication feeds? | Yes | Additional communication strategies are being developed in 2020 as part of business continuity exercises. | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
4718 | F.1.3.11 | Do environmental controls include protection of cabling that supports critical systems? | Yes | | Physical Security Program | Environmental Controls - Computer Hardware | F. Physical and Environmental
396 | F.2 | Are visitors permitted in the facility? | Yes | | Physical Security Program | Visitor Management | F. Physical and Environmental


397 | F.2.1 | Are visitors required to sign in and out? | Yes | | Physical Security Program | Visitor Management | F. Physical and Environmental
398 | F.2.2 | Are visitors required to provide a government issued ID? | Yes | Implemented for data centers, not for headquarters. | Physical Security Program | Visitor Management | F. Physical and Environmental
399 | F.2.3 | Are visitors required to be escorted through secure areas? | Yes | | Physical Security Program | Visitor Management | F. Physical and Environmental
2944 | F.2.4 | Are visitors required to wear a badge distinguishing them from employees? | Yes | | Physical Security Program | Visitor Management | F. Physical and Environmental
400 | F.2.5 | Are visitor logs maintained for at least 90 days? | Yes | Visitor logs are retained according to local regulations. This ranges from 30 days to 90 days. | Physical Security Program | Visitor Management | F. Physical and Environmental
492 | F.3 | Is there a loading dock at the facility? | Yes | Applicable to the Portland, Oregon data center; the answers below reflect what is true for that facility. | Loading Dock Controls | Secure Workspace Perimeter | F. Physical and Environmental
493 | F.3.1 | Do other tenants use the loading dock? | N/A | All other data center tenants contract with the data center and have work handled by remote hands. | Loading Dock Controls | Secure Workspace Perimeter | F. Physical and Environmental
495 | F.3.2 | Is there a security guard or digital CCTV at each point of entry? | Yes | | Loading Dock Controls | Secure Workspace Perimeter | F. Physical and Environmental


513 | F.3.3 | Are there smoke detectors in all loading docks? | Yes | | Loading Dock Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
514 | F.3.4 | Are there fire alarms in all loading docks? | Yes | | Loading Dock Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
516 | F.3.5 | Are fire suppression systems located in all loading docks? | Yes | | Loading Dock Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
508 | F.3.6 | Is there digital CCTV in all loading docks and is the video stored for at least 90 days? | Yes | | Loading Dock Controls | Video Monitoring | F. Physical and Environmental
3203 | F.3.7 | Is access restricted to loading docks and are logs kept of all access? | Yes | | Loading Dock Controls | Secure Workspace Access Reporting | F. Physical and Environmental
541 | F.4 | Is there a battery/UPS room in offices and/or facility? | Yes | | Battery/UPS Room Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
543 | F.4.1 | Does the battery/UPS room include hydrogen sensors? | Yes | | Battery/UPS Room Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
570 | F.4.2 | Does the battery/UPS room include a fire alarm? | Yes | | Battery/UPS Room Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental


3204 | F.4.3 | Does the battery/UPS room include fire suppression? | Yes | | Battery/UPS Room Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
560 | F.4.4 | Does the battery/UPS room include digital CCTV and is the video stored for at least 90 days? | Yes | Between 30-90 days of storage for CCTV/video. | Battery/UPS Room Controls | Video Monitoring | F. Physical and Environmental
546 | F.4.5 | Does the battery/UPS room include restricted access and are logs kept of all access? | Yes | | Battery/UPS Room Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
621 | F.5 | Is there a generator or generator area in offices and/or facility? | Yes | | Power Generator Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
627 | F.5.1 | Does the generator or generator area include a fuel supply readily available? | Yes | | Power Generator Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
628 | F.5.2 | Does the generator or generator area include a power supply for at least 48 hours? | Yes | | Power Generator Controls | Environmental Controls - Computer Hardware | F. Physical and Environmental
629 | F.5.3 | Does the generator or generator area include restricted access and are logs kept of all access? | Yes | | Power Generator Controls | Secure Workspace Access Reporting | F. Physical and Environmental
640 | F.5.4 | Does the generator or generator area include digital CCTV with video stored at least 90 days? | Yes | Kept between 30-90 days. | Power Generator Controls | Video Monitoring | F. Physical and Environmental


656 | F.6 | Is there a mailroom that handles scoped data? | N/A | No scoped data is sent by physical mail. | Mailroom Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
660 | F.6.1 | Is access restricted to the mailroom and are logs kept of all access? | N/A | | Mailroom Controls | Secure Workspace Access Reporting | F. Physical and Environmental
3291 | F.6.2 | Does the mailroom include digital CCTV with video stored at least 90 days? | N/A | | Mailroom Controls | Video Monitoring | F. Physical and Environmental
685 | F.7 | Is there a media library to store scoped data? | N/A | | Media Library Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
694 | F.7.1 | Is access to the media library restricted and are logs kept of all access? | N/A | | Media Library Controls | Secure Workspace Access Reporting | F. Physical and Environmental
3292 | F.7.2 | Does the media library include digital CCTV with video stored at least 90 days? | N/A | | Media Library Controls | Video Monitoring | F. Physical and Environmental
778 | F.8 | Is there a telecom equipment room? | N/A | No telecom equipment room. | Telecom Equipment Room Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
781 | F.8.1 | Does the telecom equipment room include digital CCTV with video stored at least 90 days? | N/A | | Telecom Equipment Room Controls | Video Monitoring | F. Physical and Environmental


786 | F.8.2 | Is access to the telecom equipment room restricted and are logs kept of all access? | N/A | | Telecom Equipment Room Controls | Secure Workspace Access Reporting | F. Physical and Environmental
457 | F.9 | Are your devices located in a locked server cabinet within the data center? | Yes | | Information Technology Device Physical Security | Physical Security Controls - Scoped Data | F. Physical and Environmental
479 | F.9.1 | Do server cabinets include restricted access and are logs kept of all access? | Yes | | Information Technology Device Physical Security | Physical Security Controls - Scoped Data | F. Physical and Environmental
474 | F.9.2 | Do server cabinets include digital CCTV and video stored at least 90 days? | Yes | | Information Technology Device Physical Security | Video Monitoring | F. Physical and Environmental
401 | F.10 | Do the scoped systems and data reside in a data center? | Yes | | Data Center Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
351 | F.10.1 | Do other tenants use the data center? | Yes | | Data Center Controls | Secure Workspace Perimeter | F. Physical and Environmental
4201 | F.10.2 | Are locking screensavers on unattended system displays or locks on consoles required within the data center? | N/A | Cloudflare owns its own equipment and does not have consoles within racks/cages. | Data Center Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental
491 | F.10.3 | Is there a procedure for equipment removal from the data center? | Yes | | Data Center Controls | Physical Security Controls - Scoped Data | F. Physical and Environmental


526 | F.10.4 | Are maintenance contracts maintained for critical equipment? | Yes | Cloudflare does not own data center facilities, but has SLAs for facility maintenance. The SLAs are included in the master agreements and include the critical services outlined below. | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
527 | F.10.4.1 | Are there active maintenance contracts for all UPS systems? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
528 | F.10.4.2 | Are there active maintenance contracts for all physical security systems? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
529 | F.10.4.3 | Are there active maintenance contracts for all generators? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
530 | F.10.4.4 | Are there active maintenance contracts for all critical batteries? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
531 | F.10.4.5 | Are there active maintenance contracts for all monitored fire alarms? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
532 | F.10.4.6 | Are there active maintenance contracts for all fire suppression systems? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental
533 | F.10.4.7 | Are there active maintenance contracts for all HVAC systems? | Yes | | Data Center Controls | Maintenance Contracts for Critical Equipment | F. Physical and Environmental


534 | F.10.5 | Are tests conducted for any building systems? | Yes | Testing responsibilities are owned by the data centers with which we contract. | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
535 | F.10.5.1 | Are UPS systems tested at least annually? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
536 | F.10.5.2 | Are all security alarm systems tested at least annually? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
537 | F.10.5.3 | Are all fire alarms tested at least annually? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
538 | F.10.5.4 | Are all fire suppression systems tested at least annually? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
539 | F.10.5.5 | Are all generators tested at least monthly? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
540 | F.10.5.6 | Are all generators full load tested at least monthly? | Yes | | Data Center Controls | Physical and Environmental Security Testing | F. Physical and Environmental
2582 | G.1 | Are management approved operating procedures utilized? | Yes | | Operational Procedures and Responsibilities | IT Operational Procedures | G. IT Operations Management


2583 | G.1.1 | Are operating procedures documented, maintained, and made available to all users? | Yes |  | Operational Procedures and Responsibilities | IT Operational Procedures | G. IT Operations Management
3633 | G.2 | Is the maturity of IT management processes formally evaluated at least annually using an established benchmark e.g., COBIT maturity models? | No | Cloudflare does not currently benchmark its IT management processes against an industry standard/benchmark. However, Cloudflare undergoes external audits for the following: SOC 2 Type 2, ISO 27001 and ISO 27701. | IT Governance | Maturity Benchmarking | G. IT Operations Management
816 | G.3 | Is there an operational Change Management/Change Control policy or program that has been documented, approved by management, communicated to appropriate constituents and assigned an owner to maintain and review the policy? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
829 | G.3.1 | Does the operational Change Management/Change Control policy or program include Pre-implementation testing? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
830 | G.3.2 | Does the operational Change Management/Change Control policy or program include Post-implementation testing? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
824 | G.3.3 | Does the operational Change Management/Change Control policy or program include a review for potential security impact? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
826 | G.3.4 | Does the operational Change Management/Change Control policy or program include a review for potential operational impact? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
2593 | G.3.5 | Does the operational Change Management/Change Control policy or program include communication of changes to all relevant constituents? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management


831 | G.3.6 | Does the operational Change Management/Change Control policy or program include Rollback procedures? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
841 | G.3.7 | Does the operational Change Management/Change Control policy or program include Documentation and logging of changes? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
837 | G.3.8 | Does the operational Change Management/Change Control policy or program include Secure Code Analysis performed by qualified personnel, other than the author of the relevant code, prior to introduction to the production environment? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
839 | G.3.9 | Does the operational Change Management/Change Control policy or program include Information security's approval required prior to implementing changes? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
832 | G.3.10 | Are changes to the production environment, including network, systems, application updates, and code changes, subject to the Change Control process? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
838 | G.3.10.1 | Does the Change Control process include segregation of duties between those requesting, approving and implementing a change? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
3401 | G.3.10.2 | Does the Change Control process include a formal process to ensure clients are notified prior to changes being made which may impact their service? | Yes | Customers are notified if change is known to impact customers; however, process requires refinement. | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
3406 | G.3.10.3 | Does the Change Control process include a scheduled maintenance window? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management


3412 | G.3.10.3.1 | Does the Change Control process include a scheduled maintenance window which results in client downtime? | No | No planned client downtime during service windows. | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
3418 | G.3.10.4 | Does the Change Control process include an online status portal which provides information on planned and unplanned outages? | Yes | Cloudflare's online status page provides information about the availability of its network: https://www.cloudflarestatus.com/ | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
3425 | G.3.10.5 | Does the Change Control process include an option for clients to opt-in or opt-out of specific features in releases? | No | Cloudflare does not give customers the option of running deprecated versions of its services since updates are rolled out to its entire fleet of servers. | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
2880 | G.3.10.6 | Does the change control process require evidence that Information security activities will not adversely affect existing systems, particularly at peak processing times, such as month end? | Yes |  | Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
4719 | G.3.10.7 | Does the operational Change Management/Change Control policy or program include requirements governing software installation? | Yes |  | IT Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
4720 | G.3.10.8 | Does the operational Change Management/change control policy or program ensure approved changes have been implemented as approved? | Yes |  | IT Operational Procedures and Responsibilities | Change Control | G. IT Operations Management
4439 | G.4 | Are Information Security requirements specified and implemented when new systems are introduced, upgraded, or enhanced? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2666 | G.4.1 | Are new, upgraded or enhanced systems required to include a determination of security requirements based on the sensitivity of the data? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management


4440 | G.4.2 | Are Information Security specifications for new, upgraded or enhanced systems identified using requirements from policies and regulations, threat modeling, incident reviews, or use of vulnerability thresholds? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
4441 | G.4.3 | Are security specifications implemented prior to the introduction of a new information system, upgrade, or enhancement to the environment? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
4205 | G.4.4 | Are controls and associated processes related to security specifications such as authentication, access control, provisioning, and training considered for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
4209 | G.4.5 | Is testing for validation of all implemented controls required for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2879 | G.4.6 | Are business continuity requirements considered for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2874 | G.4.7 | Are performance and computer capacity requirements considered for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2595 | G.4.8 | Are system resources monitored to ensure adequate capacity is maintained for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
4206 | G.4.9 | Are integrity, availability and confidentiality specifications considered for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management


4208 | G.4.10 | Is a risk assessment required to analyze the impact of needed changes and specified security controls for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2875 | G.4.11 | Are error recovery and restart procedures required for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2876 | G.4.12 | Are preparation and testing of operating procedures required for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
2878 | G.4.13 | Are effective manual procedures required for new, upgraded or enhanced systems? | Yes |  | Operational Procedures and Responsibilities | System Acceptance Criteria | G. IT Operations Management
1272 | G.5 | Do systems and network devices utilize a common time synchronization service? | Yes |  | Operational Procedures and Responsibilities | Time Synchronization | G. IT Operations Management
5827 | G.6 | Do you have a problem management life cycle process for tracking, reviewing, and solving issues in a timely manner? | Yes |  | Organizational Procedures and Responsibilities | Problem Management | G. IT Operations Management
5828 | G.7 | Does your organization have a customer contact and communication process? | Yes |  | Organizational Procedures and Responsibilities | Customer Communications | G. IT Operations Management
5829 | G.8 | Do service level agreements include specific requirements for customer contact and communication procedures? | Yes |  | Organizational Procedures and Responsibilities | Customer Communications | G. IT Operations Management


1903 | H.1 | Is there an access control program that has been approved by management, communicated to constituents and an owner to maintain and review the program? | Yes |  | Access Control | Policies and Procedures | H. Access Control
4721 | H.1.1 | Are access control procedures reviewed periodically to keep up with changes in business environment, people, processes and technology? | Yes |  | Access Control | Policies and Procedures | H. Access Control
3543 | H.2 | Are constituents able to access Scoped data? | Yes | Cloudflare provisions access based on the principles of least privilege and need to know. Additional access must be requested via our internal ticketing system and it requires both a legitimate business reason and manager approval. | Access Control | Constituent Access | H. Access Control
3554 | H.2.1 | Can clients receive a list of personnel who have access to their Scoped systems and data? | No | Cloudflare does not share a list of employees who have been granted access to customer account information, as this is confidential information. However, Cloudflare provisions access based on the principles of least privilege and need to know. Additional access must be requested via our internal ticketing system and it requires both a legitimate business reason and manager approval. | Access Control | Constituent Access | H. Access Control
3555 | H.2.1.1 | Can clients receive a role-based access list of personnel with access to their scoped systems and data? | No | Customer cannot restrict which employees access data but Cloudflare can provide more information about its access management practices. | Access Control | Constituent Access | H. Access Control
3556 | H.2.2 | Can clients require their written approval for all personnel with access to their scoped systems and data? | No | Cloudflare does not currently permit its customers to select specific employees who can/cannot access customer account information. Logging and Monitoring Policy requires logging of activities in critical systems. We perform quarterly access reviews for privileged access. Cloudflare's 24/7 Detection and Response team monitors logs/alerts for malicious activity on both servers and endpoints. | Access Control | Constituent Access | H. Access Control
3547 | H.2.3 | Are Policy controls in place to prevent access to client scoped data? Please explain. | Yes |  | Access Control | Constituent Access | H. Access Control
3544 | H.2.4 | Are Preventative controls in place to prevent access to client scoped data e.g., technical? Please explain. | Yes |  | Access Control | Constituent Access | H. Access Control
3545 | H.2.5 | Are Detective controls in place to prevent access to client scoped data? Please explain. | No | Cloudflare's 24/7 Detection and Response team monitors logs/alerts for malicious activity on both servers and endpoints. | Access Control | Constituent Access | H. Access Control

3546 | H.2.6 | Are Corrective controls in place to prevent access to client scoped data? Please explain. | No | Cloudflare provisions access based on the principles of least privilege and need to know. Additional access must be requested via our internal ticketing system and it requires both a legitimate business reason and manager approval. Logging and Monitoring Policy requires logging of activities in critical systems. We perform quarterly access reviews for privileged access. | Access Control | Constituent Access | H. Access Control
4722 | H.3 | Are clients allowed to manage access to their own systems and data? | Yes | Customers utilize the administrative dashboard (dash.cloudflare.com) to manage their account. This includes granting/revoking access, changing settings, viewing logs and other administrative functions. Cloudflare is responsible for the management of the systems/hardware that delivers services. | Access Control | Client Access Control | H. Access Control
3355 | H.3.1 | Is a standards-based federated ID capability available to clients e.g., SAML, OpenID, Single Sign On? | Yes |  | Access Control | Client Access Control | H. Access Control
4238 | H.3.2 | Is there an internet-accessible self-service portal available that allows clients to provision, audit, modify, and remove user entitlements? | Yes | Customers utilize the administrative dashboard (dash.cloudflare.com) to manage their account. This includes granting/revoking access, changing settings, viewing logs and other administrative functions. Cloudflare is responsible for the management of the systems/hardware that delivers services. | Access Control | Client Access Control | H. Access Control
2657 | H.4 | Is the use of system utilities restricted to authorized users only e.g., remote access software, administrative interfaces, security interfaces? | Yes |  | Access Control | System Utility Access Control | H. Access Control
4723 | H.5 | Is there a set of rules governing the way IDs are created and assigned? | Yes |  | Access Provisioning | Identity Management | H. Access Control
1911 | H.5.1 | Are unique IDs required for authentication to applications, operating systems, databases and network devices? | Yes |  | Access Provisioning | Identity Management | H. Access Control
1913 | H.5.1.1 | Are user IDs that identify roles or Access levels, or contain personal information other than name or email address (i.e. SSN, Access Level, Admin role) prohibited? If no, please describe in Additional Information field. | Yes |  | Access Provisioning | Identity Management | H. Access Control


1916 | H.5.2 | Is there a process to request and receive approval for access to systems transmitting, processing or storing scoped systems and data? | Yes |  | Access Provisioning | Access Approval | H. Access Control
1908 | H.5.2.1 | Is access to applications, operating systems, databases, and network devices provisioned according to the principle of least privilege? | Yes |  | Access Provisioning | Access Approval | H. Access Control
842 | H.5.2.2 | Is there segregation of duties for granting access and approving access to scoped systems and data? | Yes |  | Access Provisioning | Access Approval | H. Access Control
845 | H.5.2.3 | Is there segregation of duties for approving and implementing access requests for scoped systems and data? | Yes |  | Access Provisioning | Access Approval | H. Access Control
4443 | H.5.2.4 | Where segregation of duties between personnel that grant, approve, and implement access is not feasible, are activity monitoring, audit trail, and/or management supervision controls in place? | Yes |  | Access Provisioning | Access Approval | H. Access Control
1922 | H.5.2.5 | Are requests for granting access documented, retained and retrievable for audit purposes for a minimum of a year? | Yes |  | Access Provisioning | Access Approval | H. Access Control
1939 | H.6 | Is access to systems that store or process scoped data limited? | Yes |  | Authentication | Access Restrictions | H. Access Control
1940 | H.6.1 | Is access to systems that store or process scoped data limited by time of day? | No | Cloudflare does not currently employ time of day restrictions for its systems. | Authentication | Access Restrictions | H. Access Control


1943 | H.6.2 | Is access to systems that store or process scoped data limited by physical location? | Yes | Cloudflare does blacklist certain countries from where employees cannot access systems containing scoped data. | Authentication | Access Restrictions | H. Access Control
1945 | H.6.3 | Is access to systems that store or process scoped data limited by network subnet? | Yes | SSH required to access production. | Authentication | Access Restrictions | H. Access Control
4408 | H.7 | Are passwords used? | Yes |  | Authentication | Password Policy | H. Access Control
1949 | H.7.1 | Is there a password policy for systems that transmit, process or store scoped systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control
4724 | H.7.1.1 | Does the password policy apply to both Constituent and client passwords? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control
4222 | H.7.1.2 | Does the password policy apply to all server platforms? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control
4223 | H.7.1.3 | Does the password policy apply to all network devices including routers, switches, and firewalls? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control
4224 | H.7.1.4 | Does the password policy apply to all Web and File Transfer Services? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control


4225 | H.7.1.5 | Does the password policy apply to all workstation platforms including desktops and laptops? If no, please explain in the Additional Information field. | Yes |  | Authentication | Password Policy | H. Access Control
4725 | H.7.2 | Does the password policy define specific length and complexity requirements for passwords? | Yes |  | Authentication | Password Policy - Complexity | H. Access Control
4227 | H.7.2.1 | Does the password policy require a minimum password length of at least eight characters? | Yes |  | Authentication | Password Policy - Complexity | H. Access Control
4726 | H.7.2.2 | Are client passwords of up to at least 64 characters permitted? | Yes |  | Authentication | Password Policy - Complexity | H. Access Control
1975 | H.7.2.3 | Are complex passwords required on systems transmitting, processing, or storing Scoped data e.g., mix of upper-case letters, lower case letters, numbers, and special characters? | Yes |  | Authentication | Password Policy - Complexity | H. Access Control
4232 | H.7.2.4 | Does the password policy prohibit a PIN or secret question as a possible stand-alone method of authentication? | Yes |  | Authentication | Password Policy - Complexity | H. Access Control
4727 | H.7.3 | Does the password policy define requirements for provisioning and resetting passwords? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control
4230 | H.7.3.1 | Does the password policy require initial and temporary passwords to be changed upon next login? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control


4231 | H.7.3.2 | Does the password policy require initial and temporary passwords to be random and complex? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control
4229 | H.7.3.3 | Does password policy require a password history of at least 12 iterations before reuse? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control
2971 | H.7.3.4 | Is password reset authority restricted to authorized persons and/or an automated password reset tool? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control
1570 | H.7.3.5 | Does password policy require a minimum age before a password can be reset? | Yes |  | Authentication | Password Policy - Provisioning and Reset | H. Access Control
4728 | H.7.3.6 | Are password hints or password recovery questions used for client or Constituent passwords? If yes, please describe in the Additional Information field. | No | Cloudflare does not use recovery hints or questions but does send reset links to the email that is registered to the account. Additional verification of identity is required if the user does not have access to their email address. | Authentication | Password Policy - Provisioning and Reset | H. Access Control
4729 | H.7.3.7 | Are all new passwords tested against a list that contains values known to be commonly used, expected or compromised? | Yes | Cloudflare requires complex passwords and the use of two factor authentication for its personnel. Passwords are not compared against a list of compromised passwords. However, certain passwords are not permitted. | Authentication | Password Policy - Provisioning and Reset | H. Access Control
1978 | H.7.4 | Does the password policy require changing passwords at regular intervals? | No | Cloudflare does not enforce password rotation. Cloudflare requires complex passwords and the use of two factor authentication for its personnel. | Authentication | Password Policy - Expiration | H. Access Control
4228 | H.7.4.1 | Does password policy require password expiration within 90 days or less? | No | Cloudflare does not enforce password rotation. Cloudflare requires complex passwords and the use of two factor authentication for its personnel. | Authentication | Password Policy - Expiration | H. Access Control


2661 | H.7.5 | Does the password policy require keeping passwords confidential? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
1974 | H.7.5.1 | Does the password policy prohibit users from sharing passwords? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
2662 | H.7.5.2 | Does the password policy prohibit keeping an unencrypted record of passwords (paper, software file or handheld device)? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
1979 | H.7.5.3 | Does the password policy prohibit including unencrypted passwords in automated logon processes e.g., stored in a macro or function key? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
4233 | H.7.5.4 | Does the password policy require passwords to be encrypted in transit? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
4234 | H.7.5.5 | Does the password policy require passwords to be encrypted or hashed in storage? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
5651 | H.7.5.5.1 | Does the password policy require passwords to be hashed using a Key Derivation Function (PBKDF2, Scrypt, BALLOON) and a 32-bit random salt? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
4235 | H.7.5.6 | Does the password policy require passwords be masked when entered and displayed by default? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control


2008 | H.7.5.7 | Are password files and application data stored in different file systems? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
3212 | H.7.5.8 | Are user IDs and passwords communicated/distributed via separate media e.g., e-mail and phone? | N/A | User IDs are set/communicated by email. Passwords are set by individual users. | Authentication | Password Policy - Password Security | H. Access Control
1977 | H.7.5.9 | Does the password policy require changing passwords when there is an indication of possible system or password compromise? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
4236 | H.7.5.10 | Does the password policy require system configuration to lock an account when five or more invalid login attempts are made? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
4237 | H.7.5.10.1 | Does password policy require Administrative Intervention on Lockout? | Yes |  | Authentication | Password Policy - Password Security | H. Access Control
5830 | H.7.6 | Does the organization have a policy restricting the reuse of user IDs for systems storing or processing scoped data? | Yes |  | Access Control | Policies and Procedures | H. Access Control
1910 | H.8 | Is Multi-factor Authentication deployed? | Yes |  | Authentication | Multi-Factor Authentication | H. Access Control
4447 | H.8.1 | Is Multi-factor Authentication required for Privileged System Access? | Yes |  | Authentication | Multi-Factor Authentication | H. Access Control


4448 | H.8.2 | Is Multi-factor Authentication required for scoped systems and data access? | Yes |  | Authentication | Multi-Factor Authentication | H. Access Control
4730 | H.8.3 | Is Multi-Factor Authentication available for client accounts? | Yes |  | Authentication | Multi-Factor Authentication | H. Access Control
1981 | H.9 | Does system policy require terminating or securing active sessions when finished? | Yes |  | Authentication | User Session Controls | H. Access Control
2664 | H.9.1 | Does system policy require logoff from terminals, PC or servers when the session is finished? | Yes |  | Authentication | User Session Controls | H. Access Control
4731 | H.9.2 | For scoped systems, are limits enforced on the number of concurrent interactive sessions per user? | No | Cloudflare does not currently limit the number of concurrent sessions for SSO (and thus systems behind SSO), but we do require username, password and hardware Time-based One Time two factor authentication. Additionally, users are notified when there is a second login. | Authentication | User Session Controls | H. Access Control
4732 | H.10 | Are documented log-on banner requirements maintained? | Yes |  | Authentication | Log-On Banners | H. Access Control
2006 | H.10.1 | Upon log-on failure, does the user receive an error message describing the specific nature of the failure rather than a generic failure message e.g., invalid password, invalid user ID? | Yes |  | Authentication | Log-On Banners | H. Access Control
2007 | H.10.2 | Upon successful log-on, does a message indicate the last time of successful logon? | Yes |  | Authentication | Log-On Banners | H. Access Control


4733 | H.10.3 | Are log-on banners used to ensure users are informed of system and data restrictions? | Yes |  | Authentication | Log-On Banners | H. Access Control
4734 | H.10.3.1 | Do log-on banners include a description of the authorized uses of the system? | No |  | Authentication | Log-On Banners | H. Access Control
4735 | H.10.3.2 | Do log-on banners state that information system usage may be monitored and subject to audit? | Yes |  | Authentication | Log-On Banners | H. Access Control
4736 | H.10.3.3 | Do log-on banners state that unauthorized use of information systems is prohibited and subject to criminal and civil penalties? | Yes |  | Authentication | Log-On Banners | H. Access Control
4737 | H.10.3.4 | Do log-on banners state that use of information systems indicates consent to monitoring and recording? | Yes |  | Authentication | Log-On Banners | H. Access Control
4738 | H.10.3.5 | Is the log-on banner or notification message left on-screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system? | Yes |  | Authentication | Log-On Banners | H. Access Control
4739 | H.10.3.6 | Do log-on banners display system use information requirements before granting further access? | Yes |  | Authentication | Log-On Banners | H. Access Control
4740 | H.10.3.7 | Do log-on banners display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities? | Yes |  | Authentication | Log-On Banners | H. Access Control


4741 H.10.3.8 Do log-on banners state that users are accessing a U.S. Government information system? | N/A | Authentication | Log-On Banners | H. Access Control
  Comments: Cloudflare does not have access to government systems.

4742 H.11 Is there a process for reviewing access? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

3207 H.11.1 Are user access rights reviewed periodically? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

4444 H.11.1.1 Are user access rights reviewed at least quarterly? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

3208 H.11.1.2 Are privileged user access rights reviewed periodically? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

4445 H.11.1.2.1 Are privileged user access rights reviewed at least quarterly? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

2654 H.11.2 Are access rights reviewed when a constituent's role changes? | Yes | Access Reviews | Entitlement Reviews | H. Access Control

3391 H.11.3 Is the service provider responsible for performing all user entitlement audits of constituents with access to scoped systems and data? If no, please explain. | Yes | Access Reviews | Entitlement Reviews | H. Access Control


4743 H.12 Are inactive constituent user IDs disabled and deleted after defined periods of inactivity? | Yes | Access Reviews | Inactivity Controls | H. Access Control

3205 H.12.1 Are inactive constituent user IDs disabled within 90 days? | Yes | Access Reviews | Inactivity Controls | H. Access Control

4442 H.12.1.1 Are inactive constituent user IDs deleted within 120 days? | Yes | Access Reviews | Inactivity Controls | H. Access Control

5831 H.13 Does your organization have a process to protect system access from unauthorized boot procedures? | Yes | Access Control | Unauthorized Access | H. Access Control

5832 H.14 Has your organization established controls for client user access to in-scope information systems? | Yes | Access Control | Client Access Control | H. Access Control

5833 H.15 Does your organization have a process for end users to acknowledge and accept remote desktop support prior to another user taking control of their system? | N/A | Access Provisioning | Access Acceptance | H. Access Control
  Comments: Cloudflare IT does not utilize remote desktop tools to take over its personnel machines.

4240 I.1 Are applications used to transmit, process or store scoped data? | Yes | Application Security | Scoping | I. Application Security
  Comments: Customers utilize the administrative dashboard found on dash.cloudflare.com to manage their account/services.

3945 I.1.1 Is there an individual or group responsible for Application Security? | Yes | Application Security Roles and Responsibilities | Application Security Responsibility | I. Application Security


3957 I.1.2 Is there formal software security training for developers? | Yes | Application Security Roles and Responsibilities | Developer Training | I. Application Security

3958 I.1.2.1 Do application security experts work with developers for every application? | Yes | Application Security Roles and Responsibilities | Secure DevOps | I. Application Security

3959 I.1.2.2 Are outside development resources utilized? | No | Application Security Roles and Responsibilities | External Developers | I. Application Security
  Comments: Cloudflare does not currently outsource development.

3960 I.1.2.2.1 Do all outside development resources comply with the SDLC (Software Development Life Cycle)? | N/A | Application Security Roles and Responsibilities | External Developers | I. Application Security
  Comments: Cloudflare does not currently outsource development.

4744 I.1.2.2.2 Is there a process to require supervision and monitoring of the activity of outsourced system development? | N/A | Application Security Roles and Responsibilities | External Developers | I. Application Security
  Comments: Cloudflare does not currently outsource development.

2164 I.1.3 Do changes to applications or application code go through a risk assessment? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3946 I.1.3.1 Is a security architecture risk analysis performed when new applications are designed? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3947 I.1.3.2 Do security architecture risk analyses of applications include a security feature review (i.e., authentication, access controls, use of cryptography, etc.)? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security


3948 I.1.3.3 Do security architecture risk analyses of applications include a security architecture design review for high risk applications? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3949 I.1.3.4 Do security architecture risk analyses of applications include threat modeling in the business requirements/design process of the SDLC? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3950 I.1.3.5 Are security architecture risk analyses of applications reviewed when major changes are introduced into applications? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3943 I.1.3.6 Do security architecture risk analyses assign applications risk ratings that reflect the types of data accessed (e.g., high, medium, low)? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

3944 I.1.4 Are the risks from internal and external sources clearly understood based on risk exposure? | Yes | Secure Architectural Design Standards | New Platform Secure Architecture Risk Analysis | I. Application Security

2198 I.1.5 Is an independent security evaluation conducted or certification maintained for applications that transmit, store, or process scoped data? | Yes | Secure Architectural Design Standards | Independent Security Evaluation | I. Application Security
  Comments: Annual PCI DSS audit, which includes a requirement for quarterly vulnerability scans as well as annual network and application penetration testing.

2111 I.1.6 Is a formal application methodology used (e.g., Agile, DSDM, XP, FDD, LD)? If yes, please list in Additional Information. | Yes | Secure Architectural Design Standards | Design Methodology | I. Application Security
  Comments: We follow our own Cloudflare SDLC, which borrows ideas from many formal methodologies.

2125 I.1.7 Is every data transaction maintained in an authenticated state? | Yes | Secure Architectural Design Standards | State Management | I. Application Security


2126 I.1.8 Is there a means for secure session management? | Yes | Secure Architectural Design Standards | Session Management | I. Application Security

2129 I.1.9 Is there comprehensive, secure error handling? | Yes | Secure Architectural Design Standards | Secure Error Handling | I. Application Security

1269 I.1.10 Do audit log failures generate an alert? | Yes | Secure Architectural Design Standards | Application Logging | I. Application Security

2144 I.1.11 Do applications provide granular and comprehensive logging? | Yes | Secure Architectural Design Standards | Application Logging | I. Application Security

2070 I.1.12 Are application sessions set to time out within 15 minutes or less? | No | Secure Architectural Design Standards | Session Timeout | I. Application Security
  Comments: Cloudflare's dashboard has a session timeout of 24 hours, but customers can use SSO to leverage their own session timeout.

2970 I.1.13 Are system, vendor, or service accounts disallowed for normal operations and monitored for usage? | Yes | Secure Architectural Design Standards | Service Account Management | I. Application Security

2081 I.1.14 Are web applications configured to follow best practices or security guidelines (e.g., OWASP)? | Yes | Secure Architectural Design Standards | Web Security Standards | I. Application Security

2109 I.1.15 Is data input into applications validated? | Yes | Secure Architectural Design Standards | Application Data Integrity | I. Application Security


2182 I.1.16 Are development, test, and staging environments separate from the production environment? | Yes | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security

849 I.1.16.1 Are development, test, and staging environments separated from the production environment logically? | Yes | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security

850 I.1.16.2 Are development, test, and staging environments separated from the production environment physically? | Yes | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security

847 I.1.17 Do applications have separate source code repositories for production and non-production environments? | Yes | Secure Architectural Design Standards | Application Environment Segmentation | I. Application Security

2668 I.1.18 Do IT support personnel have access to application source libraries? | Yes | Secure Architectural Design Standards | Application Source Library Access Control | I. Application Security
  Comments: Access is only granted to personnel who have a legitimate business justification as well as manager approval.

2669 I.1.19 Is all access to application source libraries logged? | Yes | Secure Architectural Design Standards | Application Source Library Access Control | I. Application Security

2683 I.1.19.1 Are audit logs maintained and reviewed for all application source library updates? | Yes | Secure Architectural Design Standards | Application Source Library Access Control | I. Application Security

2020 I.1.20 Are developers permitted to access production environments, including read-only access? | Yes | Secure Architectural Design Standards | Developer Access Control | I. Application Security
  Comments: Access is only granted to personnel who have a legitimate business justification as well as manager approval.


1909 I.1.20.1 Are developers permitted to access systems and applications based on established profiles that define responsibilities or job functions? | Yes | Secure Architectural Design Standards | Developer Access Control | I. Application Security
  Comments: Access is only granted to personnel who have a legitimate business justification as well as manager approval.

2027 I.1.20.2 Are developers required to request or obtain access outside an established role (emergency access)? | Yes | Secure Architectural Design Standards | Developer Access Control | I. Application Security
  Comments: Access is only granted to personnel who have a legitimate business justification as well as manager approval.

2169 I.1.21 Are scoped systems and data used in the test, development, or QA environments? | No | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.

2672 I.1.21.1 Is authorization required when production data is copied to the test environment? | N/A | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.

2171 I.1.21.2 Is test data destroyed following the testing phase? | N/A | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.

2170 I.1.21.3 Is test data masked or obfuscated during the testing phase? | N/A | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.

2673 I.1.21.4 Is copying to the test environment logged? | N/A | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.

2674 I.1.21.5 Are access control procedures the same for both the test and production environments? | N/A | Secure Architectural Design Standards | Test Data Access Control | I. Application Security
  Comments: Customer Account Information is not used outside of production.


2058 I.2 Is application development performed? | Yes | SDLC | Scoping | I. Application Security

2059 I.2.1 Is there a formal Software Development Life Cycle (SDLC) process? | Yes | SDLC | SDLC | I. Application Security

4450 I.2.1.1 Does the SDLC process include integration testing and acceptance testing? | Yes | SDLC | SDLC | I. Application Security

4451 I.2.1.2 Does the SDLC process include peer code review? | Yes | SDLC | SDLC | I. Application Security

3920 I.2.2 Is there a secure software development lifecycle policy that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and review the policy? | Yes | SDLC | SDLC | I. Application Security

2204 I.2.3 Is there a documented change management/change control process for applications with scoped data? | Yes | SDLC | Application Change Control | I. Application Security

3427 I.2.3.1 Are applications released to production on a fixed schedule? Identify the schedule in the Additional Information field (e.g., Daily, Weekly, Monthly, Ad Hoc). | Yes | SDLC | Application Change Control | I. Application Security
  Comments: Some teams (like the Firewall Team) will make changes on an at-least-weekly basis. Others will make changes on an ad-hoc basis.

2670 I.2.3.2 Does the application Change Management/Change Control process include change control procedures required for all changes to the production environment? | Yes | SDLC | Application Change Control | I. Application Security


2206 I.2.3.3 Does the application Change Management/Change Control process include testing prior to deployment? | Yes | SDLC | Application Change Control | I. Application Security

2207 I.2.3.4 Does the application Change Management/Change Control process include management approval prior to deployment? | Yes | SDLC | Application Change Control | I. Application Security

2208 I.2.3.5 Does the application Change Management/Change Control process include establishment of restart points? | N/A | SDLC | Application Change Control | I. Application Security
  Comments: For the vast majority of our systems, this question is not applicable. For those systems where this would apply, we have transactional services which allow for rollback and/or restart points.

2209 I.2.3.6 Does the application Change Management/Change Control process include management approval for changes? | Yes | SDLC | Application Change Control | I. Application Security

2210 I.2.3.7 Does the application Change Management/Change Control process include review of code changes by information security? | Yes | SDLC | Application Change Control | I. Application Security

2676 I.2.3.8 Does the application change management/change control process include stakeholder communication and/or approvals? | Yes | SDLC | Application Change Control | I. Application Security

2677 I.2.3.9 Does the application change management/change control process include a list of individuals authorized to approve changes? | Yes | SDLC | Application Change Control | I. Application Security

2678 I.2.3.10 Does the application change management/change control process include an impact assessment to review all affected systems and applications? | Yes | SDLC | Application Change Control | I. Application Security


2679 I.2.3.11 Does the application change management/change control process include documentation for all system changes? | Yes | SDLC | Application Change Control | I. Application Security

2680 I.2.3.12 Does the application change management/change control process include version control for all software? | Yes | SDLC | Application Change Control | I. Application Security

2681 I.2.3.13 Does the application change management/change control process include logging of all Change Requests? | Yes | SDLC | Application Change Control | I. Application Security

2682 I.2.3.14 Does the application Change Management/Change Control process require that changes take place only during specified and agreed-upon times (green zone)? | Yes | SDLC | Application Change Control | I. Application Security
  Comments: Cloudflare specifies times during which changes cannot be made. Additionally, we follow a follow-the-sun model for critical teams, allowing 24/7/365 support.

2212 I.2.3.15 Does the application Change Management/Change Control process require that modifications and changes to software are strictly controlled? | Yes | SDLC | Application Change Control | I. Application Security

3962 I.2.4 Are applications evaluated from a security perspective prior to promotion to production? | Yes | SDLC | Application Security QA_UAT Process | I. Application Security

3964 I.2.4.1 Do pre-production application security reviews include testing procedures to determine whether security features are effective? | Yes | SDLC | Application Security QA_UAT Process | I. Application Security

3965 I.2.4.1.1 Are pre-production application security reviews derived by obtaining a list of security features from the architecture group? | Yes | SDLC | Application Security QA_UAT Process | I. Application Security


3967 I.2.4.2 Do pre-production application security reviews include abuse case test scripts? | Yes | SDLC | Application Security QA_UAT Process | I. Application Security

3987 I.2.5 Is code obtained from external sources reviewed for security flaws and backdoors prior to use in production? | Yes | SDLC | Reviews of Code Obtained from External Sources | I. Application Security

4119 I.2.5.1 Is code obtained from external sources identified in application documentation as external code? | Yes | SDLC | Reviews of Code Obtained from External Sources | I. Application Security

4120 I.2.5.2 Is code obtained from external sources reviewed for new versions at least every 6 months? | Yes | SDLC | Reviews of Code Obtained from External Sources | I. Application Security

4121 I.2.5.3 Is any code obtained from external sources open source? | Yes | SDLC | Open Source Software Security | I. Application Security

4452 I.2.5.3.1 Are open source software or libraries used to transmit, process or store scoped data? | Yes | SDLC | Open Source Software Security | I. Application Security

1795 I.2.5.3.1.1 Are information security reviews conducted and approved for the use or installation of open source software (e.g., Linux, Apache, etc.)? | Yes | SDLC | Open Source Software Security | I. Application Security

4453 I.2.5.3.1.2 Do you cover the legal liability for the use of open source software or libraries in providing the scoped services? | No | SDLC | Open Source Software Security | I. Application Security
  Comments: Cloudflare has liability insurance which includes coverage for data breach, cyber extortion, and other threats to our security as a technology company.


3936 I.2.6 Is a Secure Code Review performed regularly? | Yes | SDLC | Secure Code Review | I. Application Security

3970 I.2.6.1 Is there a full Secure Code Review for each release? If no, please explain the Secure Code Review schedule and scope in the additional information field. | Yes | SDLC | Secure Code Review | I. Application Security

3953 I.2.6.2 Are Secure Code Reviews performed against the entire code base in the development phase? If not, please explain in the additional information field. | Yes | SDLC | Secure Code Review | I. Application Security

2110 I.2.6.3 Do Secure Code Reviews include validation checks for the most critical web application security flaws, including Cross Site Scripting and SQL injection (e.g., OWASP Top 10 vulnerabilities)? | Yes | SDLC | Secure Code Review | I. Application Security

3990 I.2.6.4 Do Secure Code Reviews include regular analysis of vulnerability to recent attacks? | Yes | SDLC | Secure Code Review | I. Application Security

3963 I.2.6.5 Do Secure Code Reviews include edge/boundary value condition testing? | Yes | SDLC | Secure Code Review | I. Application Security

3966 I.2.6.6 Do Secure Code Reviews include dynamic scanning against web-based applications while in the Q/A phase? | No | SDLC | Secure Code Review | I. Application Security
  Comments: Cloudflare does not yet perform dynamic scans.

3952 I.2.6.7 Do Secure Code Reviews include testing against common code vulnerabilities? | Yes | SDLC | Secure Code Review | I. Application Security


3954 I.2.6.8 Are Secure Code Reviews performed by individuals qualified to identify and correct code security flaws? | Yes | SDLC | Secure Code Review | I. Application Security

3445 I.2.6.9 Is source code security reviewed manually? If yes, identify the frequency in the additional information field (e.g., Daily, Weekly, Monthly, Ad Hoc). | Yes | SDLC | Secure Code Review | I. Application Security

3955 I.2.6.10 Is an automated secure source code review conducted? | Yes | SDLC | Secure Code Review | I. Application Security

4269 I.2.6.10.1 Do automated secure source code tools include Static Application Security Testing (SAST)? | Yes | SDLC | Secure Code Review | I. Application Security

4270 I.2.6.10.2 Do automated secure source code tools include Dynamic Application Security Testing (DAST)? | No | SDLC | Secure Code Review | I. Application Security
  Comments: Cloudflare does not currently use DAST.

4271 I.2.6.10.3 Do automated secure source code tools include Interactive Application Security Testing (IAST)? | No | SDLC | Secure Code Review | I. Application Security
  Comments: Cloudflare does not currently use IAST.

4272 I.2.6.10.4 Do automated secure source code tools include the ability to crawl and test Rich Internet Applications (RIA) (e.g., JavaScript, Ajax frameworks)? | No | SDLC | Secure Code Review | I. Application Security
  Comments: Cloudflare does not currently perform this type of test.

3969 I.2.6.11 Do secure code reviews include fuzz testing (e.g., small numbers, large numbers, negative values, binary sequences, command line inputs, random values, etc.)? | Yes | SDLC | Secure Code Review | I. Application Security


3968 I.2.7 Are identified security vulnerabilities remediated prior to promotion to production? | Yes | SDLC | Vulnerability Remediation | I. Application Security

3979 I.2.7.1 Does the SDLC process include remediation of Penetration Test issues relevant to the application under review? | Yes | SDLC | Vulnerability Remediation | I. Application Security
  Comments: Cloudflare adheres to PCI DSS Requirement 11.2.2 and conducts annual penetration testing of the network and application.

3982 I.2.7.2 Does the SDLC process include communicating discovered vulnerabilities to developers? | Yes | SDLC | Vulnerability Remediation | I. Application Security
  Comments: All findings are communicated to the engineering teams. The information security team works with engineers to resolve the issue and to assign H/M/L risk ratings. Any issues not fixed are added to the Risk Register for future evaluation.

3986 I.2.7.3 Does the SDLC process include communicating known un-remediated vulnerabilities to the Security Monitoring and Response group for awareness and monitoring? | Yes | SDLC | Vulnerability Remediation | I. Application Security

3991 I.2.7.4 Does the SDLC process include tracking vulnerabilities identified in production through the same mechanisms used to track and remediate results from Penetration Tests? | Yes | SDLC | Vulnerability Remediation | I. Application Security

2180 I.2.7.5 Does the SDLC process include metrics on security flaws and release incidents? | Yes | SDLC | Vulnerability Remediation | I. Application Security

2230 I.3 Is a web site supported, hosted or maintained that has access to scoped systems and data? | Yes | Web Server Security | Scoping | I. Application Security

2076 I.3.1 Do you have logical or physical segregation between web, application and database components (i.e., Internet, DMZ, Database)? | Yes | Web Server Security | Configuration Management | I. Application Security


4241 I.3.2 Are Web Servers used for transmitting, processing or storing scoped data? | Yes | Web Server Security | Scoping | I. Application Security

4242 I.3.2.1 Are security configuration standards documented for web server software? | Yes | Web Server Security | Web Server Security Standards | I. Application Security

4243 I.3.2.2 Are web server software security configuration standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or leading practices? | Yes | Web Server Security | Web Server Security Standards | I. Application Security

4244 I.3.2.3 Are reviews performed to validate compliance with documented web server software security standards? | Yes | Web Server Security | Web Server Security Standards | I. Application Security

4245 I.3.2.4 Is HTTPS enabled for all web pages? | Yes | Web Server Security | Web Encryption Security | I. Application Security

4246 I.3.2.4.1 Is either TLS 1.2 or 1.3 used for encrypting all web pages used? | Yes | Web Server Security | Web Encryption Security | I. Application Security
  Comments: Cloudflare internally uses TLS 1.2 or 1.3. Customers are responsible for configuring the TLS level used across their web properties using the Cloudflare Dashboard (Crypto Tab), which includes the option to use less secure TLS versions. This is offered to provide flexibility to our broad customer base; however, we recommend that customers use the highest level of TLS they can support.

4247 I.3.2.4.2 Are web server certificates centrally managed and kept current? | Yes | Web Server Security | Web Encryption Security | I. Application Security

4248 I.3.2.5 Are all unnecessary/unused services in web server software uninstalled or disabled? | Yes | Web Server Security | Administrative and File Sharing Service Security | I. Application Security


4249 I.3.2.6 Do administrative and file sharing interfaces for web server software run on non-standard ports (e.g., not 21, 80 and 443)? | No | Web Server Security | Administrative and File Sharing Service Security | I. Application Security
  Comments: Cloudflare utilizes standard ports for its internal administrative interfaces. File sharing interfaces are not utilized for managing our systems.

4250 I.3.2.7 Are all remote administration and file sharing services on web server software configured to require authentication and encryption? | Yes | Web Server Security | Administrative and File Sharing Service Security | I. Application Security
  Comments: File sharing interfaces are not utilized for managing our systems.

4251 I.3.2.8 Is a dedicated virtual directory structure used for each website? | N/A | Web Server Security | Web Server Hardening | I. Application Security
  Comments: Cloudflare is not hosting websites on behalf of customers.

4252 I.3.2.9 Are sample applications and scripts removed from web servers? | Yes | Web Server Security | Web Server Hardening | I. Application Security

4253 I.3.2.10 Are all web server software files maintained separate from the Operating System? | Yes | Web Server Security | Web Server Hardening | I. Application Security

4254 I.3.2.11 Are available high-risk web server software security patches applied and verified at least monthly? | Yes | Web Server Security | Web Server Vulnerability Management | I. Application Security

4255 I.3.2.12 Are all web server software patching exceptions documented and approved by information security or senior management? | Yes | Web Server Security | Web Server Vulnerability Management | I. Application Security

4256 I.3.2.12.1 Are web server software patches, service packs, and hot fixes tested prior to installation? | Yes | Web Server Security | Web Server Vulnerability Management | I. Application Security


4257 | I.3.2.12.2 | Are web server software vulnerabilities evaluated and prioritized? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4259 | I.3.2.12.3 | Are web server software patch successes and failures logged? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4260 | I.3.2.12.4 | Are third party alert services used to keep up to date with the latest web server software vulnerabilities? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4261 | I.3.2.12.5 | Are web server software versions that no longer have security patches released prohibited? | Yes | | Web Server Security | Web Server Vulnerability Management | I. Application Security
4262 | I.3.2.13 | Are web server software configuration options restricted to authorized users? | Yes | | Web Server Security | Web Server Configuration Management | I. Application Security
4264 | I.3.2.14 | Is sufficient detail contained in Web Server and application logs to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4265 | I.3.2.14.1 | Are web server software events relevant to supporting incident investigation retained for a minimum of one year? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4266 | I.3.2.14.2 | Are system notifications generated in the event the system fails to write a web server software event to an audit log? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4267 | I.3.2.14.3 | Are events relevant to supporting incident investigation stored on alternate systems? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
4268 | I.3.2.14.4 | Are Web Server and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access? | Yes | | Web Server Security | Web Server Auditing and Logging | I. Application Security
2684 | I.3.3 | Are compilers, editors or other development tools present in production web server environments? | No | | Web Server Security | Development Tool Security | I. Application Security
4277 | I.3.4 | Is Runtime Application Self Protection (RASP) enabled on web servers? | No | | Web Server Security | Web Application Firewall | I. Application Security
4278 | I.3.5 | Is a Web Application Firewall (WAF) enabled on web servers? | Yes | | Web Server Security | Web Application Firewall | I. Application Security
3490 | I.3.6 | Is an Application Programming Interface (API) available to clients? | Yes | | API Security | Scoping | I. Application Security
3491 | I.3.6.1 | Is there a formal security program established to include API security reviews? | Yes | | API Security | API Security | I. Application Security
3492 | I.3.6.1.1 | Do application security reviews include a security review of API design? | Yes | | API Security | API Security | I. Application Security
4275 | I.3.6.1.2 | Is manual code security testing on APIs performed by qualified personnel with expertise in both development and code security? | Yes | | API Security | API Security | I. Application Security
3494 | I.3.6.1.3 | Do application security reviews include an API Permission model review? | Yes | | API Security | API Security | I. Application Security
3495 | I.3.6.2 | Are APIs tested for security weaknesses? | Yes | | API Security | API Security | I. Application Security
3496 | I.3.6.2.1 | Does API security testing include Data scoping? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3497 | I.3.6.2.2 | Does API security testing include XSS? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3498 | I.3.6.2.3 | Does API security testing include SQL injection? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3499 | I.3.6.2.4 | Does API security testing include Session abuse? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3500 | I.3.6.2.5 | Does API security testing include Replay attack? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3501 | I.3.6.2.6 | Does API security testing include DoS? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3502 | I.3.6.2.7 | Does API security testing include Data Leakage? | Yes | | API Security | API Vulnerability Testing | I. Application Security
4276 | I.3.6.2.8 | Does API security testing include OWASP top 10 or CWE Top 25 security issues? | Yes | | API Security | API Vulnerability Testing | I. Application Security
3503 | I.3.6.3 | Can a client manage access to the APIs? | Yes | Clients can make all changes to their Cloudflare Account via the Dashboard, or via API. For full documentation on the capabilities of Cloudflare's API see the following documentation: https://api.cloudflare.com/#getting-started-endpoints | API Security | API Access | I. Application Security
3510 | I.3.6.4 | Is there a self-service kill switch available to clients to disable an API in the event of a security incident (e.g., DoS)? | Yes | Customers can revoke API tokens if they suspect these are being misused. | API Security | API Kill Switch | I. Application Security
3512 | I.3.6.5 | Is scoped data encrypted in transit within the API for both request and response? | Yes | | API Security | Encryption | I. Application Security
3514 | I.3.6.6 | Is there an option for the API request and response calls to be digitally signed? | No | | API Security | Signing | I. Application Security
3826 | I.4 | Are mobile applications that access scoped systems and data developed? | No | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Scoping | I. Application Security
3829 | I.4.1 | Are any actions performed by the mobile application to access, process, transmit or locally store scoped systems and data? | N/A | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Scoping | I. Application Security
4102 | I.4.2 | Is dynamic code analysis performed on mobile applications (including fuzzing)? | N/A | Cloudflare does not currently provide mobile applications. | Mobile Application Security | Secure Code Analysis | I. Application Security
2241 | J.1 | Is there an established Incident Management Program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program? | Yes | The Security Incident Response Plan is approved by management, posted on company Intranet, and is owned and maintained by Information Security. | Cybersecurity Incident Management | Governance | J. Incident Event & Comm Mgmt
2276 | J.1.1 | Is an Incident/Event Response team available 24x7x365? | Yes | Cloudflare's Customer Support Team and SRE Teams operate on a follow-the-sun model, ensuring that there is always someone on call in the event of an incident or customer issue. The Security Incident Response Team (SIRT) is also available 24/7/365 to respond to incidents, and is comprised of top level management and experienced engineers. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4455 | J.1.2 | Does the Incident Management Program include an individual program owner? | Yes | Incident Management is owned by the Head of Engineering. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4456 | J.1.3 | Does the Incident Management Program include adequacy of resources including people, technology and funding? | Yes | Staffing and resources for Security Incident Response are included in company budget requirements. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4745 | J.1.4 | Does documentation exist defining which personnel are authorized to speak with the public during adverse events? | Yes | External communications are limited to approved representatives of the company. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4746 | J.1.5 | Does documentation exist defining which personnel are assigned to repair reputational damage and communicate with external stakeholders after adverse events? | Yes | External communications are limited to approved representatives of the company by company policy. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4747 | J.1.6 | Is the Incident Response Plan and changes to the plan distributed to defined stakeholders and organizations? | Yes | The Security Incident Response Plan is posted on company Intranet. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4457 | J.1.7 | Does the Incident Management Program include reporting of key program activity and value metrics? | Yes | Continuous improvement of the Security Incident Response Plan includes reporting and metrics. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4458 | J.1.8 | Does the Incident Management Program include results of program audits and reviews, including those of key customers? | Yes | Feedback and observations from audits are included in continuous improvement. | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
4459 | J.1.9 | Does the Incident Management Program include lessons learned and actions arising from disruptive incidents? | Yes | | Cybersecurity Incident Management | Cybersecurity Governance | J. Incident Event & Comm Mgmt
2246 | J.2 | Is there a formal Incident Response Plan? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2251 | J.2.1 | Does the Incident Response Plan include guidance for containment? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2256 | J.2.2 | Does the Incident Response Plan include guidance for remediation? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2250 | J.2.3 | Does the Incident Response Plan include guidance for notification of stakeholders? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2253 | J.2.4 | Does the Incident Response Plan include guidance for status tracking? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2254 | J.2.5 | Does the Incident Response Plan include guidance for repair procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2255 | J.2.6 | Does the Incident Response Plan include guidance for recovery procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2257 | J.2.7 | Does the Incident Response Plan include guidance for feedback and lessons learned reviews? | Yes | The Head of Engineering runs a weekly Incident Management meeting to review all P0/P1 incidents, including a feedback session to derive lessons from the handling and fix to the incident. | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
3046 | J.2.8 | Does the Incident Response Plan include unique, specific, applicable data breach notification requirements, including timing of notification (HIPAA/HITECH, state breach laws, client contracts)? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
3234 | J.2.9 | Does the Incident Response Plan include guidance for privacy incidents? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2699 | J.2.10 | Does the Incident Response Plan include guidance for escalation procedure? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2280 | J.2.11 | Does the Incident Response Plan include procedures to collect and maintain a chain of custody for evidence during incident investigation? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2702 | J.2.12 | Does the Incident Response Plan include feedback process to ensure those reporting information security events are notified of the results after the issue has been dealt with and closed? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2703 | J.2.13 | Does the Incident Response Plan include event reporting mechanism to support the reporting action, and to list all necessary actions in case of an information security Event? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2704 | J.2.14 | Does the Incident Response Plan include actions to be taken in the event of an information security event? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2705 | J.2.15 | Does the Incident Response Plan include formal disciplinary process for dealing with those who commit a security breach? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2273 | J.2.16 | Does the Incident Response Plan include a process for assessing and executing client and third party notification requirements (legal, regulatory and contractual)? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4239 | J.2.17 | Does the Incident Response Plan require notifying the client when unauthorized access to scoped systems and data is confirmed? | Yes | Notification is subject to Cloudflare's incident management policy and any contractual obligations. | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4748 | J.2.17.1 | Do the Incident Response Plan notification procedures include any customer/client-specific notification requirements? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4749 | J.2.17.2 | Do Incident Response Plan notification procedures require notifying any required government, self-regulatory, or other supervisory bodies within 72 hours from the determination that a Cybersecurity Event with a reasonable likelihood of materially harming any material part of normal business operations has occurred? | No | Cloudflare will notify relevant parties (government entities and customers) according to appropriate laws and regulations. Customers will | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2275 | J.2.18 | Does the Incident Response Plan include a postmortem review including root cause analysis and remediation plan, provided to leadership? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2708 | J.2.19 | Does the Incident Response Plan include annual testing of the procedures? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4460 | J.2.20 | Does the Incident Response Plan include events relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4461 | J.2.21 | Does the Incident Response Plan include procedures documenting when and by whom, contact with relevant authorities is required (e.g., law enforcement)? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4750 | J.2.22 | Does the Incident Response Plan require identifying and mitigating all vulnerabilities that were exploited, removing all malware, inappropriate materials and other components, and remediating any affected systems discovered after incident closure? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4751 | J.2.22.1 | Are personnel, processes and technologies budgeted and in-place to adequately support remediation of issues identified after incident containment? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4752 | J.2.23 | Does the Incident Response Plan require returning systems to an operationally ready state, confirming that the affected systems are functioning normally and if necessary, implement additional monitoring to look for future related activity? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4753 | J.2.23.1 | Are personnel, processes and technologies budgeted and in-place to adequately support recovery and restoration of systems and data after incident containment? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
4754 | J.2.24 | Is the Incident Response Plan protected from unauthorized disclosure and modification? | Yes | | Cybersecurity Incident Management | Cybersecurity Incident Response Plan | J. Incident Event & Comm Mgmt
2709 | J.3 | Is the scope of the Incident Management Program defined? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2710 | J.3.1 | Does the Incident Response Plan include loss of service incident procedures (equipment or facility)? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2711 | J.3.2 | Does the Incident Response Plan include system malfunction or overload incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2712 | J.3.3 | Does the Incident Response Plan include human error incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2713 | J.3.4 | Does the Incident Response Plan include non-compliance with policy or guidelines incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2714 | J.3.5 | Does the Incident Response Plan include breach of physical security arrangement incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2715 | J.3.6 | Does the Incident Response Plan include Uncontrolled system change incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2716 | J.3.7 | Does the Incident Response Plan include malfunction of software or hardware incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2272 | J.3.8 | Does the Incident Response Plan include access violation incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2265 | J.3.9 | Does the Incident Response Plan include physical asset loss or theft incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2266 | J.3.10 | Does the Incident Response Plan include unauthorized physical access incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2259 | J.3.11 | Does the Incident Response Plan include information system failure or loss of service incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2260 | J.3.12 | Does the Incident Response Plan include denial of service incident procedures? | Yes | Cloudflare's DDoS mitigation product is applied to internal services as well. | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2707 | J.3.13 | Does the Incident Response Plan include errors resulting from incomplete or inaccurate business data incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2262 | J.3.14 | Does the Incident Response Plan include breach or loss of confidentiality incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2261 | J.3.15 | Does the Incident Response Plan include system exploit incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
2267 | J.3.16 | Does the Incident Response Plan include unauthorized logical access or use of system resources incident procedures? | Yes | | Cybersecurity Incident Management | Incident Definition | J. Incident Event & Comm Mgmt
3426 | J.4 | Is there a 24x7x365 staffed phone number available to customers/clients to report security incidents? | Yes | The Enterprise Support Team is available by dedicated phone line to Enterprise customers. | Cybersecurity Incident Management | Incident Response Communications | J. Incident Event & Comm Mgmt
4281 | J.4.1 | Is there an email address or web form available for clients to report security incidents response time? | Yes | support@cloudflare.com | Cybersecurity Incident Management | Incident Response Communications | J. Incident Event & Comm Mgmt
4462 | J.5 | Are events on scoped systems or systems containing scoped data relevant to supporting incident investigation regularly reviewed using a specific methodology to uncover potential incidents? | Yes | | Security Event Monitoring | Incident Detection | J. Incident Event & Comm Mgmt
4463 | J.5.1 | Is there an automated system to review and correlate log and/or behavioral events (e.g., SIEM)? | Yes | Cloudflare's Detection and Response team has built a SIEM internally to ingest logs, which will be fully implemented in 2020. | Security Event Monitoring | Incident Detection | J. Incident Event & Comm Mgmt
4464 | J.5.2 | Do personnel monitor security alerts related to scoped systems and data at least daily? | Yes | | Security Event Monitoring | Incident Detection | J. Incident Event & Comm Mgmt
4465 | J.5.3 | Are security events related to scoped systems and data monitored continuously 24x7x365? | Yes | | Security Event Monitoring | Incident Detection | J. Incident Event & Comm Mgmt
4755 | J.5.4 | Are all changes to user access rights logged on scoped systems and data? | Yes | | Access Reviews | Incident Detection - Access | J. Incident Event & Comm Mgmt
4756 | J.5.5 | Does regular security monitoring include all changes to privileged user access rights on all scoped systems and systems with scoped data? | Yes | | Access Reviews | Incident Detection - Access | J. Incident Event & Comm Mgmt
4466 | J.5.6 | Does regular security monitoring include Network IDS events? | Yes | | Security Event Monitoring | Incident Detection - NIDS | J. Incident Event & Comm Mgmt
4467 | J.5.7 | Does regular security monitoring include behavioral activity indicating botnet traffic? | Yes | | Security Event Monitoring | Incident Detection - Botnet Traffic | J. Incident Event & Comm Mgmt
4337 | J.5.8 | Does regular security monitoring include network device security events? | Yes | | Security Event Monitoring | Incident Detection - Network Devices | J. Incident Event & Comm Mgmt
4382 | J.5.9 | Does regular security monitoring include server security events? | Yes | | Security Event Monitoring | Incident Detection - Servers | J. Incident Event & Comm Mgmt
3654 | J.5.10 | Does regular security monitoring include hypervisor security events? | N/A | Cloudflare doesn't use a hypervisor. | Security Event Monitoring | Incident Detection - Hypervisors | J. Incident Event & Comm Mgmt
4468 | J.5.11 | Does regular security monitoring include application, Web Server, and Database security events? | Yes | | Security Event Monitoring | Incident Detection - Applications | J. Incident Event & Comm Mgmt
4385 | J.5.12 | Does regular security monitoring include malware activity alerts such as uncleaned infections and suspicious activity? | Yes | | Security Event Monitoring | Incident Detection - Malware | J. Incident Event & Comm Mgmt
3596 | J.6 | Is 24x7x365 security monitoring of the hosting environment performed? | Yes | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
3597 | J.6.1 | Does security event monitoring include inbound traffic from the Internet to the Client environment? | Yes | Cloudflare monitors traffic to customer web properties which are using our service. Only those requests which go through Cloudflare will be monitored (i.e. not requests related to customer properties not on Cloudflare). | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
3598 | J.6.2 | Does security event monitoring include outbound traffic from the Internet to the Client environment? | No | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
4553 | J.6.3 | Does security event monitoring include outbound traffic from the Client environment to Internet? | Yes | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
3599 | J.6.4 | Does security event monitoring include traffic from the Service Provider administrative environment to the Client environment? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
3600 | J.6.5 | Does security event monitoring include traffic from the Client environment to the Service Provider administrative environment? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
3601 | J.6.6 | Does security event monitoring include Monitoring between each Tenant's Client environments? | N/A | | Security Event Monitoring | Incident Detection - Virtualized/ Cloud Environments | J. Incident Event & Comm Mgmt
2719 | K.1 | Is there an established Business Resiliency Program that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program? | Yes | | Business Resilience Governance Program | Resilience Program Governance | K. Business Resiliency
4014 | K.1.1 | Does the Business Resiliency Program include an individual program owner with full responsibility and accountability? | Yes | | Business Resilience Governance Program | Resilience Program Governance | K. Business Resiliency
4026 | K.1.2 | Have appropriate actions been taken to ensure that a person(s) (either external or internal) working under the Business Resiliency Program have or acquire the desired competencies? | Yes | | Business Resilience Governance Program | Business Resilience Roles | K. Business Resiliency
2341 | K.1.3 | Does the Business Resiliency Program include a formal annual (or more frequent) executive management review of business continuity scope, key performance indicators, accomplishments, and risks? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4018 | K.1.3.1 | Does the Business Resiliency Program's annual review include adequacy of resources including people, technology, support services, and budget? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4019 | K.1.3.2 | Does the Business Resiliency Program's annual review include reporting of key program activity, short term and long term objective attainment, and performance? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4020 | K.1.3.3 | Does the Business Resiliency Program's annual review include results of program examination, audits and reviews, including those of key suppliers and partners where appropriate? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
5780 | K.1.3.3.1 | Does the Business Resiliency Program's annual review include a review of ensuring the program is reflective of the current business environment? | Yes | | Business Resilience Governance Program | Resilience Program Governance | K. Business Resiliency
4021 | K.1.3.4 | Does the Business Resiliency Program's annual review include results of exercising and testing? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4023 | K.1.3.5 | Does the Business Resiliency Program's annual review include lessons learned and actions arising from disruptive incidents? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
5855 | K.1.3.6 | Does the Business Resiliency Program's annual review include results of training and awareness efforts? | Yes | | Business Resilience Governance Program | Business Resilience Metrics | K. Business Resiliency
4027 | K.1.4 | Has formal documentation and reference information relevant to the Business Resiliency Program and procedures been created? | Yes | | Business Resilience Governance Program | Business Resilience Documentation | K. Business Resiliency
4028 | K.1.4.1 | Does business resiliency documentation include controls to ensure its availability when and where it is needed? | Yes | | Business Resilience Governance Program | Business Resilience Documentation | K. Business Resiliency
4030 | K.1.4.2 | Is version and change control managed for business resiliency documentation that provides a history of changes and related approvals? | Yes | | Business Resilience Governance Program | Business Resilience Documentation | K. Business Resiliency
2765 | K.1.5 | Do the products and/or services specified in the scope of this assessment fall within the scope of the business resiliency program? | Yes | | Business Resilience Governance Program | Service Resilience | K. Business Resiliency
2329 | K.2 | Has a business impact analysis been conducted? | Yes | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency

4035 | K.2.1 | Is the business impact analysis validated and/or refreshed at least annually? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2334 | K.2.2 | Does the business impact analysis include business activity or business process criticality (e.g., high, medium, low or numerical rating) that distinguishes the relative importance of each activity or process? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2299 | K.2.3 | Does the business impact analysis include identification of critical assets including: application systems, data, equipment, facilities, personnel, supplies and paper documents necessary for recovery? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5781 | K.2.4 | Does the business impact analysis include an identification of asset/resource single points of failure? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2338 | K.2.5 | Does the business impact analysis include maximum acceptable outage/maximum tolerable period of disruption for each business activity or business process? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2335 | K.2.6 | Does the business impact analysis include recovery time objectives for all essential application systems, network services, third party services, and other resources? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2337 | K.2.7 | Does the business impact analysis include recovery point objectives for all essential data? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
2760 | K.2.8 | Does the business impact analysis include impact to clients/customers as an element of determining business function/activity criticality? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency


5782 | K.2.9 | Does the business impact analysis (or other process) include identification of those data assets requiring enhanced data resilience to assure recoverability following a successful data-compromising cyber-attack (e.g., ransomware)? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5783 | K.2.10 | Has the business impact analysis determined that information security operations is a critical business function/activity, assigned it a maximum tolerable downtime/maximum tolerable period of disruption value, and identified its critical assets/resources and recovery objectives? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5856 | K.2.11 | Does the business impact analysis include analysis of internal systems and business functions, including services, production processes, hardware, software, and application programming interfaces, data, and vital records? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5857 | K.2.11.1 | Does the business impact analysis include analysis of third party service providers, key suppliers, and business partners? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5858 | K.2.11.2 | Does the business impact analysis include analysis of telecommunications single points of failure? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
5859 | K.2.11.3 | Does the business impact analysis include analysis of power single points of failure? | Yes | | | Business Continuity Planning | Business Impact Analysis | K. Business Resiliency
4038 | K.3 | Is there a formal process focused on identifying and addressing risks of disruptive events to business operations? | Yes | | | Business Continuity Planning | Operational Risk Assessment | K. Business Resiliency
5784 | K.3.1 | Do operational risk assessments include foreseeable hazards including natural, technological, and adversarial/human-caused? | Yes | | | Business Continuity Planning | Operational Risk Assessment | K. Business Resiliency


5785 | K.3.2 | Do operational risk assessments include identifying risks associated with unavailability or loss of critical assets/resources including: application systems, data, equipment, facilities, personnel, and paper documents? | Yes | | | Business Continuity Planning | Operational Risk Assessment | K. Business Resiliency
4040 | K.3.3 | Do operational risk assessments include analysis of risks identified and determination of those requiring treatment? | Yes | | | Business Continuity Planning | Operational Risk Assessment | K. Business Resiliency
4041 | K.3.4 | Do operational risk assessments include assigning responsibility and acting on approved treatments? | Yes | | | Business Continuity Planning | Operational Risk Assessment | K. Business Resiliency
4042 | K.4 | Are specific response and recovery strategies defined for the prioritized business activities? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4044 | K.4.1 | Are specific response and recovery strategies defined for loss and unavailability of critical personnel (40% or more)? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4045 | K.4.2 | Are specific response and recovery strategies defined for loss or unavailability of critical data? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4046 | K.4.3 | Are specific response and recovery strategies defined for loss or unavailability of critical Information and Communication Technology (ICT)? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4047 | K.4.4 | Are specific response and recovery strategies defined for critical workplaces/buildings and related electrical power systems? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency


4048 | K.4.5 | Are specific response and recovery strategies defined for loss or unavailability of critical third party services (e.g., partners and suppliers)? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
5860 | K.4.6 | Do the response and recovery strategies defined for the unavailability of resources address short-, medium-, and long-term (> 90 days) disruption scenarios? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
5861 | K.4.7 | Do the response and recovery strategies defined for the unavailability of resources address scalability to accommodate full transaction volumes? | Yes | | | Business Continuity Planning | Business Activity Recovery Planning | K. Business Resiliency
4049 | K.5 | Are formal business continuity procedures developed and documented? | Yes | | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency
4050 | K.5.1 | Do formal business continuity procedures include specific actions to be taken in response to a disruptive event for each business activity/process supporting the products and/or services specified in the scope of this assessment? | Yes | | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency
5862 | K.5.2 | Do the formal business continuity procedures include manual steps for critical functions, as applicable? | Yes | | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency
4052 | K.5.3 | Do formal business continuity procedures include the continuity of information security activities and processes (e.g., intrusion detection, vulnerability management, log collection)? | Yes | | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency
4053 | K.5.4 | Do formal business continuity procedures include the continuity of IT operations activities and processes (e.g., network operations, data center operations, help desk)? | Yes | | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency


4054 | K.6 | Has senior management assigned the responsibility for the overall management of critical response and recovery efforts? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2342 | K.6.1 | Does the overall management of critical response and recovery include a virtual or physical command center where management can meet, organize, and manage emergency operations in a secure setting? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2289 | K.6.2 | Does the overall management of critical response and recovery include conditions for activating the plan(s), and the associated roles and responsibilities? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2294 | K.6.3 | Does the overall management of critical response and recovery include roles and responsibilities for those who invoke and execute response and recovery plans? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2303 | K.6.4 | Does the overall management of critical response include multiple mechanisms to communicate with personnel? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
5786 | K.6.5 | Does the overall management of critical response include multiple mechanisms to communicate with customers/clients? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
2728 | K.6.6 | Does the overall management of critical response and recovery include notification and escalation to external stakeholders including regulatory agencies, emergency responders, and law enforcement? | Yes | | | Business Continuity Planning | Business Recovery Management and Communications | K. Business Resiliency
5863 | K.6.6.1 | Are primary and alternative personnel assigned to each recovery role to assure availability of sufficiently skilled personnel? | Yes | | | Business Continuity Planning | Crisis Management | K. Business Resiliency


5864 | K.6.6.1.1 | Are roles and responsibilities defined for, but not limited to, senior management, facilities management, human resources, media relations, finance and accounting, legal and compliance, and information technology? | Yes | | | Business Continuity Planning | Crisis Management | K. Business Resiliency
2286 | K.7 | Is there a periodic (at least annual) review of your business resiliency procedures? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4055 | K.7.1 | Does periodic review of business resiliency procedures include updates to the procedures as necessary after the review? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4056 | K.7.2 | Does periodic review of business resiliency procedures include changes in business activities, dependencies and related recovery objectives? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4057 | K.7.3 | Does periodic review of business resiliency procedures include changes in organizational structure and personnel changes? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4058 | K.7.4 | Does periodic review of business resiliency procedures include emerging threats and identified new risks? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
4059 | K.7.5 | Does periodic review of business resiliency procedures include warning and communication procedures and capabilities? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency
2300 | K.7.6 | Does periodic review of business resiliency procedures include updates from the inventory of information and communication technology (ICT) assets? | Yes | | | Business Continuity Planning | Business Continuity Plan Management | K. Business Resiliency

2729 | K.8 | Are there any dependencies on critical third party service providers? | Yes | Please see the full list of Cloudflare sub-processors on our website, which includes country/location and activity performed: https://www.cloudflare.com/gdpr/subprocessors/ Whether or not a sub-processor is used will depend on the product being utilized. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
2308 | K.8.1 | Has contact information for key service provider personnel been documented? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3632 | K.8.2 | Are all suppliers of critical hardware, network services and facility services involved in annual continuity and recovery tests? | Yes | Cloudflare includes suppliers in our BCP and DRP, but does not conduct joint tests with these entities. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
4060 | K.8.2.1 | Is the contact information for key service provider personnel reviewed and updated at least annually? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3635 | K.8.2.2 | Do business resiliency test scenarios contain fail-over across critical vendors? | No | Cloudflare does not currently conduct tests with its sub-processors. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3636 | K.8.2.3 | Are there requirements to review and update the Business Continuity Plan (BCP) for each significant business change to the critical supporting vendors? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
2295 | K.8.3 | Have the notification and escalation protocols for key service provider personnel been established? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
2730 | K.8.4 | Has the organization established processes and formal agreements for third party service providers to provide immediate notification in the event of a disruption that impacts delivery of the products and/or services they provide? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency


5873 | K.8.5 | Have planned responses to business disruptions been coordinated with key service providers? | No | Cloudflare has not performed tests that include our sub-processors/providers, but does track contact information for these parties. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
2731 | K.8.6 | When business resiliency procedures have been modified that affect key service provider personnel, has a process been implemented to notify them? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5793 | K.8.7 | Are there at least two network paths to all critical vendors? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5794 | K.8.8 | Are third parties in possession of or with access to data held to the same level of risk control requirements around data confidentiality, integrity and availability as are applicable internally? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3605 | K.8.9 | Is a critical vendor dependency chart or list made available to clients? | No | Please see the full list of Cloudflare sub-processors on our website, which includes country/location and activity performed: https://www.cloudflare.com/gdpr/subprocessors/ Whether or not a sub-processor is used will depend on the product being utilized. Cloudflare does not share a list of all of its vendors. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3606 | K.8.10 | Are third parties required to perform, at a minimum, an annual functional disaster recovery test for the service provided? | Yes | Cloudflare contractually requires its sub-processors to maintain Disaster Recovery programs. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5795 | K.8.11 | Are test results and remediation action plans provided by third parties after each test? | No | Cloudflare does not collect BCP test results from all of its sub-processors. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5796 | K.8.12 | Are clients/customers permitted to actively participate in third party planned tests? | No | Cloudflare does not allow customers to participate in its tests. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency


5797 | K.8.13 | Are specific availability or service level requirements defined for those third party provided products and/or services? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5798 | K.8.13.1 | Are those requirements specified in the terms of the contract/agreement with each third party? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5799 | K.8.13.2 | Is third party performance against the service level requirements measured and monitored, with remediation actions taken to address underperformance? | Yes | Individual teams are responsible for monitoring their vendor's performance against Cloudflare internal requirements. | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
3639 | K.8.13.3 | Do contracts with critical service providers include a penalty or remediation clause for breach of availability and continuity Service Level Agreements (SLAs)? | Yes | | | Business Continuity Planning | Critical Vendors | K. Business Resiliency
5874 | K.9 | Are there formal, documented disaster recovery procedures that are maintained and reviewed periodically? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5875 | K.9.1 | Is the disaster recovery location more than 100 miles from the production data center? | Yes | | | Disaster Recovery Governance | Disaster Recovery Location | K. Business Resiliency
5876 | K.9.2 | Do the formal disaster recovery procedures include specific actions to be taken in response to a data center disruptive event for each data center (internal and external) supporting the products and/or services specified in the scope of this assessment? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5877 | K.9.3 | Do the formal disaster recovery procedures address the recovery of critical networks and systems? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency


5878 | K.9.3.1 | Does the recovery of critical networks and systems include backup types (e.g., physical and/or virtual)? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5879 | K.9.3.2 | Does the recovery of critical networks and systems include backup levels (full, incremental, or differential)? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5880 | K.9.3.3 | Does the recovery of critical networks and systems include update and retention cycle frequencies? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5881 | K.9.3.4 | Does the recovery of critical networks and systems include software and hardware compatibility reviews? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5882 | K.9.3.5 | Does the recovery of critical networks and systems include data transmission controls? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5883 | K.9.3.6 | Does the recovery of critical networks and systems include data repository maintenance? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
5884 | K.9.4 | Are procedures defined for restoring backlogged activity or lost transactions to identify how transaction records will be brought current within expected recovery time frames? | Yes | | | Disaster Recovery Governance | Disaster Recovery Procedures | K. Business Resiliency
2343 | K.10 | Is there a formal, documented information technology disaster recovery exercise and testing program in place? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency


5865 | K.10.1 | Does the disaster recovery exercise and testing program have a designated program owner with full responsibility and accountability? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Governance | K. Business Resiliency
2346 | K.10.2 | Does disaster recovery testing include specific exercises and tests that address the unavailability of specific IT resources? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4061 | K.10.3 | Does information technology disaster recovery testing include production data center(s)? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4062 | K.10.4 | Does information technology disaster recovery testing include data stores? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4064 | K.10.5 | Does information technology disaster recovery testing include recovery of critical network infrastructure? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Scope | K. Business Resiliency
4071 | K.10.6 | Are measurable recovery objectives defined for each exercise and test? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Criteria | K. Business Resiliency
4074 | K.10.7 | Are the recovery objective attainment results and the issues identified evaluated, with improvement actions identified and acted upon? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4072 | K.10.8 | Does measurable recovery objective attainment include recovery time objectives for all essential application systems, network services and other resources? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Criteria | K. Business Resiliency


4073 | K.10.9 | Does measurable recovery objective attainment include recovery point objectives for all essential application systems? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Criteria | K. Business Resiliency
2779 | K.10.10 | Is there an annual schedule of planned disaster recovery exercises and tests? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4757 | K.10.10.1 | Do information technology disaster recovery testing scenarios include reconstructing material financial transactions sufficient to support normal operations and obligations? | N/A | Cloudflare does not provide financial transaction services. | | Disaster Recovery Testing | Disaster Recovery Testing Scope - Scenarios | K. Business Resiliency
2351 | K.10.11 | Do business continuity exercises include evacuation drills? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2352 | K.10.12 | Do business continuity exercises include notification procedure and mechanism tests? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2354 | K.10.13 | Do disaster recovery tests include application recovery tests? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2355 | K.10.14 | Do disaster recovery tests include remote access tests? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2357 | K.10.15 | Do disaster recovery tests include full scale/end-to-end exercises? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency


4076 | K.10.16 | Do disaster recovery tests include production transaction processing? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4077 | K.10.17 | Do disaster recovery tests include typical business volumes/full capacity? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2762 | K.10.18 | Do business continuity tests include business relocation testing? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2763 | K.10.19 | Do disaster recovery tests include data center failover testing? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
2764 | K.10.20 | Are critical service providers included in disaster recovery testing? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
4078 | K.10.21 | Do disaster recovery tests include recovery and continuity of information security controls to assure that controls in the DR environment are equivalent to those normally in the production environment? | Yes | | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
5866 | K.10.22 | Are re-tests scheduled to ensure initial test deficiencies were remediated? | Yes | Cloudflare will track and remediate deficiencies identified during tests. Re-tests will only be conducted as necessary. | | Disaster Recovery Testing | Disaster Recovery Testing Issue Management | K. Business Resiliency
5867 | K.11 | Is there a process for documenting disaster recovery test scripts and exercises? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency


5868 | K.11.1 | Does the disaster recovery exercise and test script documentation include applications, business processes, systems, and/or facilities tested? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
5869 | K.11.2 | Does the disaster recovery exercise and test script documentation include employee and external party procedures to be followed? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
5870 | K.11.3 | Does the disaster recovery exercise and test script documentation include procedures in the event a manual work-around is needed? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
5871 | K.11.4 | Does the disaster recovery exercise and test script documentation include a detailed schedule for completion? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
5872 | K.11.5 | Does the disaster recovery exercise and test script documentation include a process for participants to record results, quantifiable metrics, and possible issues? | Yes | | | Disaster Recovery Testing | Disaster Recovery Test Scripts - Documentation | K. Business Resiliency
4063 | K.12 | Does business continuity testing include recovery supporting critical loss or unavailability of personnel (40% or more)? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope | K. Business Resiliency
4065 | K.12.1 | Does business continuity testing include specific business activity exercises and tests that address the unavailability of specific resources (i.e., realistic scenarios)? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4066 | K.12.2 | Do business continuity testing exercise scenarios include loss of critical information and communication technology? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency


4067 | K.12.3 | Do business continuity testing exercise scenarios include loss of service due to distributed denial of service (DDoS)/cyber attacks? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4068 | K.12.4 | Do business continuity testing exercise scenarios include loss of critical workplaces/buildings? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4069 | K.12.5 | Do business continuity testing exercise scenarios include loss of critical personnel? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
4070 | K.12.6 | Do business continuity testing exercise scenarios include loss of critical third party services (e.g., partners and suppliers)? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - Scenarios | K. Business Resiliency
5787 | K.12.7 | Do business continuity testing exercises include notification procedure and mechanism tests? | Yes | Cloudflare does not notify customers when it performs tests of its BCP. However, we do have a public site for tracking any disruptions to our service: https://www.cloudflarestatus.com/ | | Business Continuity Testing | Business Continuity Testing - Notification Procedures | K. Business Resiliency
4079 | K.12.8 | Do business continuity testing exercises include recovery and continuity of information security operational processes and controls that may be impacted by a non-disaster recovery event (e.g., loss of physical workplace, reduction in available IS personnel)? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency
4080 | K.12.9 | Do business continuity testing exercises include recovery and continuity of IT operational processes and controls that may be impacted by a non-disaster recovery event (e.g., loss of physical workplace, reduction in available IT operations personnel)? | Yes | | | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency
4082 | K.12.10 | Are the results of testing exercises conducted internally shared with customers? | No | | | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency


4083 | K.12.11 | Are joint testing exercises conducted in partnership with customers? | No | | Business Continuity Testing | Business Continuity Testing Scope - IT/IS Operations | K. Business Resiliency

4084 | K.13 | Are there established business resiliency testing exercise scenarios addressing cyber resilience? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

4085 | K.13.1 | Does cyber resilience testing include malware scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

4086 | K.13.2 | Does cyber resilience testing include insider threat scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

4087 | K.13.3 | Does cyber resilience testing include data or system destruction and corruption scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

4088 | K.13.4 | Does cyber resilience testing include communications infrastructure disruption scenarios including DDOS attacks? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

4089 | K.13.5 | Does cyber resilience testing include simultaneous attack scenarios? | Yes | | Business Resiliency Testing - Exercises | Cyber Resilience Scenario Testing | K. Business Resiliency

2305 | K.14 | Is there a pandemic/infectious disease outbreak plan? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency


5788 | K.14.1 | Does the pandemic plan include a preventive program to reduce the likelihood that an organization's operations will be significantly affected by a pandemic event? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency

5789 | K.14.2 | Does the pandemic plan include a documented strategy that provides for scaling the institution's pandemic efforts, so they are consistent with the effects of a stage of a pandemic outbreak? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency

5790 | K.14.3 | Does the pandemic plan include procedures for social distancing to minimize staff contact, telecommuting, conducting operations from alternative sites, and advising customers/clients on alternative means of conducting business? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency

5791 | K.14.4 | Does the pandemic plan include a testing program to ensure that the institution's pandemic planning practices and capabilities are effective and will allow critical operations to continue? | Yes | There are no formal tests of the pandemic plan, but our plan was put to the test during the COVID-19 pandemic. | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency

5792 | K.14.5 | Does the pandemic plan include an oversight program to ensure ongoing review and updates to the pandemic plan so that policies, standards, and procedures include up-to-date, relevant information provided by governmental sources? | Yes | | Business Resiliency Governance | Pandemic Planning | K. Business Resiliency

3647 | K.14.6 | Is priority access to resources from suppliers contractually ensured in the event of an adverse situation, affecting multiple customers of suppliers (e.g., fuel oil, recovery center space)? | Yes | | Business Continuity Planning | Critical Vendors | K. Business Resiliency

4758 | K.15 | Do formal business continuity procedures include the ability to reconstruct material financial and customer fulfilment transactions sufficient to support normal operations and obligations? | Yes | | Business Continuity Planning | Business Continuity Procedures | K. Business Resiliency

3637 | K.16 | Are networks fully redundant, with at least two network paths to any node, and for every network device, at least one other redundant network device of the same type? | Yes | | Capacity Management and Redundancy | Network Redundancy | K. Business Resiliency


3638 | K.17 | Is there sufficient redundancy capacity to ensure services are not impacted in multi-tenancy environments during peak usage and above? | Yes | | Capacity Management and Redundancy | Computing Capacity Management | K. Business Resiliency

3679 | K.18 | Is there sufficient volume or disk partitioning to prevent inadvertent resource bottlenecks from guest operating systems? | Yes | | Capacity Management and Redundancy | Disk Capacity Management | K. Business Resiliency

922 | K.19 | Are backups of scoped systems and data performed? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

923 | K.19.1 | Is there a policy or process for the backup of production data? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

2602 | K.19.1.1 | Are backup integrity and related restoration procedures tested at least annually? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

4211 | K.19.1.2 | Is backup media tracked and reviewed for compliance to data retention/destruction requirements at least annually? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

4469 | K.19.2 | Are backup and replication errors reviewed and resolved as required? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

4212 | K.19.2.1 | Are backup and replication errors reviewed and resolved at least weekly? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency


4470 | K.19.2.2 | Are backup and replication errors reviewed and resolved daily? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

951 | K.19.3 | Is scoped data backed up and stored offsite? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

4219 | K.19.4 | Are backups containing scoped data stored in an environment where the security controls protecting them are equivalent to production environment security controls? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Backup Policy and Procedures | K. Business Resiliency

5800 | K.19.5 | Is there a data retention policy? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency

5801 | K.19.5.1 | Does the data retention policy define retention history parameters based on information security provided guidance about dormant malware? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency

5802 | K.19.5.2 | Does all scoped data fully adhere to the data retention policy? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency

5803 | K.19.5.3 | Are offline data backups protected from destructive malware or other threats that may corrupt production and online backup versions of data? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency

5804 | K.19.5.4 | Is there a plan (typically separate from a traditional disaster recovery plan) for managing a data recovery effort in the aftermath of a successful data compromising cyberattack (e.g., ransomware, data wiper malware)? | Yes | | Business Resiliency Governance | Business Continuity Procedures - Data Retention Policy and Procedures | K. Business Resiliency


5805 | K.20 | Are the organization's insurance coverages defined and outlined within its business resiliency plan? | Yes | | Business Resiliency Governance | Business Insurance | K. Business Resiliency

5806 | K.20.1 | Does the organization have a process to ensure the organization has adequate coverage limits? | Yes | | Business Resiliency Governance | Business Insurance | K. Business Resiliency

5807 | K.20.2 | Does the organization have a process to review the terms, conditions, and exclusions? | Yes | | Business Resiliency Governance | Business Insurance | K. Business Resiliency

5808 | K.21 | Is software, configuration settings, and related documentation kept in an off-site repository? | Yes | | Business Resiliency Governance | Business Insurance | K. Business Resiliency

4759 | L.1 | Are there policies and procedures to ensure compliance with applicable legislative, regulatory and contractual requirements? | Yes | Internal policies require compliance with applicable laws in the jurisdictions in which Cloudflare operates. | | Governance | L. Compliance

4760 | L.1.1 | Is there a documented process to identify and assess regulatory changes that could significantly affect the delivery of products and services? | Yes | | Compliance Management | Governance | L. Compliance

4152 | L.1.1.1 | Does the regulatory change management process include receiving, monitoring, tracking/logging, and where necessary, implementing changes required to comply with applicable new regulations and regulatory alerts? | Yes | | Compliance Management | Governance | L. Compliance

4127 | L.1.2 | Are business licenses, permits, or registrations maintained in all jurisdictions where required? | Yes | | Compliance Management | Governance | L. Compliance

5834 | L.1.3 | Does the organization have a process for identifying potential legal sanctions related to the processing of scoped systems and/or data? | Yes | | Compliance Management | Governance | L. Compliance


4124 | L.2 | For employees with access to scoped data and/or scoped systems, is training on legislative and regulatory requirements provided and updated on a regular basis? | Yes | Developer training and privacy trainings are conducted annually. | Compliance Management | Compliance Training | L. Compliance

2826 | L.3 | Is there an internal audit, risk management, or compliance department, or similar management oversight unit with responsibility for assessing, identifying and tracking resolution of outstanding regulatory issues? | Yes | | Compliance Management | Compliance Organization | L. Compliance

4122 | L.3.1 | Does the audit function have independence from the lines of business? | Yes | Cloudflare employs third party auditors who evaluate our compliance with applicable laws, regulations, or standards. | Compliance Management | Compliance Organization | L. Compliance

4123 | L.3.2 | Is there non-audit staff dedicated to compliance and risk responsibilities? | Yes | The Governance, Risk, and Compliance team oversees compliance and risk responsibilities. | Compliance Management | Compliance Organization | L. Compliance

2376 | L.3.3 | Are audits performed to ensure compliance with applicable statutory, regulatory, contractual or industry requirements? | Yes | | Compliance Management | Compliance Audits | L. Compliance

4761 | L.3.3.1 | Is there a process to ensure that audit procedures are designed to minimize operational disruptions? | Yes | | Compliance Management | Compliance Audits | L. Compliance

4762 | L.4 | Is there a set of policies and procedures that address required records management and compliance reporting? | Yes | | Compliance Management | Compliance Reporting | L. Compliance

4763 | L.4.1 | Are compliance issues logged, tracked, and reported to management? | Yes | | Compliance Management | Compliance Reporting | L. Compliance


4125 | L.4.2 | Are internal management reporting and/or external reporting to government agencies maintained in accordance with applicable law? | Yes | | Compliance Management | Compliance Reporting | L. Compliance

4554 | L.4.3 | Are regulatory alerts and updates on changes in applicable law or regulations reported routinely to management and if appropriate, to the Board of Directors? | Yes | | Compliance Management | Compliance Reporting | L. Compliance

4764 | L.5 | Does the delivery of the products or services require handling of digital media such as photos or videos that could include personal information? | No | With the exception of Cloudflare Stream, we do not require customers to send/receive digital media. | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance

4579 | L.5.1 | Are personnel trained in legal and appropriate handling of digital content? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance

4580 | L.5.2 | Are personnel trained on reporting the receipt of illegal digital content to management? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance

4581 | L.5.3 | Does a policy exist that sets requirements around the types of digital media that must have metadata scrubbed? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance

4582 | L.5.4 | Is metadata scrubbed from digital media as mandated by policy? | Yes | | Compliance Management | Compliance Training - Digital Content Handling | L. Compliance

4578 | L.6 | Are all individuals that need access to inspect a facility, property, vehicle, or other asset in-person required to provide photo ID and credentials, including name and account number or other corroborating information? | Yes | | Compliance Management | Compliance Training - Onsite Inspection Requirements | L. Compliance


4765 | L.7 | Are there policies and procedures to address bribery, corruption, the prohibition of providing monetary offers or preventing improper actions that create advantage in practices with individuals and corporate representatives? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4766 | L.7.1 | For public companies, are there policies and procedures to address accounting provisions as outlined under Foreign Corrupt Practices Act (FCPA)? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4767 | L.7.2 | Do employees receive training that covers Anti-Bribery and Anti-Corruption topics? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4768 | L.7.2.1 | Does Anti-Bribery and Anti-Corruption training include an evaluative component/testing to ensure employees understood the concepts? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4769 | L.7.3 | Is obtaining or retaining business on behalf of client's part of the scope of services offered? | No | Cloudflare does not find leads on behalf of its customers. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4770 | L.7.4 | Are prospective employees screened for their connections to government officials? If no, please describe in additional information field. | No | Cloudflare will evaluate its candidates' work history for the last 7 years, which includes work for governmental entities. However, it does not evaluate employees for family/friend connections in government positions. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4771 | L.7.5 | Will any subsidiaries provide any scoped services on your behalf? If yes, please explain in the additional information field. | Yes | The link shows a list of subprocessors, which includes Cloudflare subsidiaries, and the services they provide: https://www.cloudflare.com/gdpr/subprocessors/ | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4772 | L.7.6 | Prior to assigning any management or other key staff directly to the account, are their government affiliations screened for any potential violations of the Anti-Bribery and Anti-Corruption laws applicable in the jurisdiction(s) where the individuals support the delivered services? If no, please explain in the Additional Information field. | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance


4773 | L.7.7 | Is Anti-Bribery & Anti-Corruption training mandatory for all staff? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4774 | L.7.7.1 | Does each employee complete Anti-Bribery & Anti-Corruption training when first starting their role? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4775 | L.7.7.2 | Is each employee required to retake Anti-Bribery & Anti-Corruption training annually? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4776 | L.7.7.3 | Is Anti-Bribery & Anti-Corruption training tailored for employees' specific roles? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4777 | L.7.7.4 | Is Anti-Bribery & Anti-Corruption training actively monitored for completion? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4778 | L.7.7.5 | Do consequences exist for non-completion of Anti-Bribery & Anti-Corruption training? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4779 | L.7.7.6 | Does Anti-Bribery & Anti-Corruption training have an evaluative or testing component? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4780 | L.7.7.7 | Are third parties and subcontractors required to take Anti-Bribery & Anti-Corruption training? | No | The third party/subcontractors are responsible for providing this training to their employees. Cloudflare only provides this training to its own personnel. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4781 | L.7.8 | Are due diligence procedures (e.g., screening of subcontractors and third parties) included in the Anti-Bribery and Anti-Corruption policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance


4782 | L.7.9 | Are Anti-Bribery and Anti-Corruption violation reporting mechanisms, including whistleblowing procedures, included in the Anti-Bribery and Anti-Corruption policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4783 | L.7.10 | Is Anti-Bribery and Anti-Corruption violation monitoring included in the Anti-Bribery and Anti-Corruption policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4784 | L.7.11 | Is prohibition of facilitation payment reviews included in the Anti-Bribery and Anti-Corruption policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4785 | L.7.12 | Do you ever make or receive payments in cash? If yes, please describe the types of payments made in cash, how cash payments are recorded, and in which countries cash payments will be made in the additional information field. | No | Cloudflare does not receive payments in cash. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4786 | L.7.13 | Are there documented recordkeeping procedures for recording cash transactions? | N/A | Cloudflare does not receive payments in cash. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4787 | L.7.14 | Are there policies and standards to address cash payment requirements and prohibitions across international boundaries? | N/A | Cloudflare does not receive payments in cash. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4788 | L.7.15 | Do any subcontractors make or receive payments in cash? If yes, please describe the circumstances in the additional information field. | N/A | Cloudflare does not receive payments in cash. | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4789 | L.7.16 | Is a written contract required for all subcontractors that perform services under this contract? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance


4790 | L.7.16.1 | Are Anti-bribery representations and warranties included in all contracts with subcontractors that make or receive payments on behalf of the organization? | No | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4791 | L.7.16.2 | Are anti-bribery and anti-corruption audit rights included in all agreements with subcontractors that make or receive payments on behalf of the organization? | No | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4792 | L.7.16.3 | Is the use of sub-agents without your client's prior consent contractually prohibited for all subcontractors that make or receive payments on behalf of the organization? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4793 | L.7.16.4 | Is there a contractual requirement that payments be made in the country where services are to be performed? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4794 | L.7.16.5 | Are right to terminate clauses in all contracts with subcontractors that make or receive payments on behalf of the organization? | Yes | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4795 | L.7.16.6 | Are all subcontractors that make or receive payments on behalf of the organization contractually required to verify payments, to ensure they match contractual terms or invoice amounts? | N/A | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4796 | L.7.16.7 | Are all subcontractors that make or receive payments on behalf of the organization contractually required to ensure that payments are fixed, instead of based on success fees? | N/A | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4797 | L.7.16.8 | Are all subcontractors contractually prohibited from creating discounts? | N/A | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance


4798 | L.7.16.9 | Are all subcontractors that make or receive payments on behalf of the organization contractually required to provide and verify invoices for services rendered? | N/A | | Business Ethics and Corporate Compliance | Anti-Bribery and Anti-Corruption | L. Compliance

4799 | L.8 | Is there a compliance program or set of policies and procedures that address Anti-Trust and Anti-Competitive Business Practices? | Yes | | Business Ethics and Corporate Compliance | Anti-Trust & Anti-Competitive Business Practices | L. Compliance

4800 | L.8.1 | Is training on Anti-Trust and Anti-Competitive Business Practices provided for all relevant constituents? | Yes | | Business Ethics and Corporate Compliance | Anti-Trust & Anti-Competitive Business Practices | L. Compliance

4801 | L.8.1.1 | Is training on Anti-Trust and Anti-Competitive Business Practices conducted on an annual basis? | Yes | | Business Ethics and Corporate Compliance | Anti-Trust & Anti-Competitive Business Practices | L. Compliance

5652 | L.9 | Does the organization provide and communicate guidance and requirements for operating in a socially responsible manner? | Yes | | Business Ethics and Corporate Compliance | Corporate Social Responsibility | L. Compliance

4802 | L.10 | Is there a documented policy for Ethical Sourcing? | Yes | | Business Ethics and Corporate Compliance | Ethical Sourcing | L. Compliance

4803 | L.10.1 | Is there a defined supplier code of conduct required of all suppliers? | Yes | | Business Ethics and Corporate Compliance | Ethical Sourcing | L. Compliance

4804 | L.10.2 | Are there defined standards in the sourcing process to address sustainability? | Yes | | Business Ethics and Corporate Compliance | Ethical Sourcing | L. Compliance


3733 | L.11 | Is there a documented internal compliance and ethics program to ensure professional ethics and business practices are implemented and maintained? | Yes | Cloudflare has an HR compliance team which is part of the Legal Compliance organization. | Business Ethics and Corporate Compliance | Ethics | L. Compliance

4557 | L.11.1 | Has the organization established its standards of conduct concerning integrity and ethical values that are understood by all levels and by outsourced service providers? | Yes | | Business Ethics and Corporate Compliance | Ethics | L. Compliance

4128 | L.11.2 | Is there a whistleblowing policy and/or separate communication channel procedure to report compliance issues? | Yes | | Business Ethics and Corporate Compliance | Ethics | L. Compliance

4558 | L.11.3 | Do employees undergo annual training regarding company expectations related to non-disclosure of insider information, code of conduct, conflicts of interest, and compliance and ethics responsibilities? | Yes | | Business Ethics and Corporate Compliance | Ethics | L. Compliance

4805 | L.12 | Does the organization publish an annual statement each financial year setting out the steps the company has taken to address slavery and human trafficking in the organization and that of its supply chain? If yes, please insert a link to the most current statement in the additional information field. | Yes | https://www.cloudflare.com/modern-slavery-act-statement/ | Business Ethics and Corporate Compliance | Modern Slavery & Human Trafficking | L. Compliance

4806 | L.12.1 | Are there documented policies relating to modern slavery and human trafficking, including due diligence and auditing processes? | Yes | | Business Ethics and Corporate Compliance | Modern Slavery & Human Trafficking | L. Compliance

4807 | L.12.2 | Is training on modern slavery and human trafficking policies, procedures and risks provided to those in supply chain management and the rest of the organization, commensurate to their roles? | Yes | | Business Ethics and Corporate Compliance | Modern Slavery & Human Trafficking | L. Compliance

4808 | L.12.3 | Are relevant metrics tracked and managed around compliance with and performance of modern slavery and human trafficking policies and procedures? | Yes | | Business Ethics and Corporate Compliance | Modern Slavery & Human Trafficking | L. Compliance


4809 | L.12.4 | Is regular due diligence performed on all relevant suppliers to ensure they meet your requirements around addressing modern slavery and human trafficking? | Yes | | Business Ethics and Corporate Compliance | Modern Slavery & Human Trafficking | L. Compliance

5642 | L.13 | Is there a defined policy or guidelines for social media conduct? | Yes | | Business Ethics and Corporate Compliance | Social Media | L. Compliance

4810 | L.14 | Will this engagement include any call center related services? | No | Cloudflare does not provide call center products/services for customers. | Call Center Controls | Governance | L. Compliance

4811 | L.14.1 | Are there documented Call Center physical security policies and procedures? | N/A | | Call Center Controls | Physical Security | L. Compliance

4812 | L.14.1.1 | Will the security controls for the Call Center include a Security Guard force? | N/A | | Call Center Controls | Physical Security | L. Compliance

4813 | L.14.1.2 | Will the security controls for the Call Center include Electronic Access? | N/A | | Call Center Controls | Physical Security | L. Compliance

4814 | L.14.1.3 | Will the security controls for the Call Center include a defined visitor's control process? Please explain. | N/A | | Call Center Controls | Physical Security | L. Compliance

4815 | L.14.1.4 | Will the security controls for the Call Center include CCTV? | N/A | | Call Center Controls | Physical Security | L. Compliance


4816 | L.14.2 | Is the Call Center telephony service hosted within the organization's own facilities? | N/A | | | Call Center Controls | Telephony | L. Compliance
4817 | L.14.3 | Is the Call Center telephony service maintained by a third party? | N/A | | | Call Center Controls | Telephony | L. Compliance
4818 | L.14.4 | Does the Call Center use Voice Over IP? | N/A | | | Call Center Controls | Telephony | L. Compliance
4819 | L.14.5 | Is administrative access to the PBX (Private Branch Exchange) reviewed and validated periodically, no less than annually? | N/A | | | Call Center Controls | Telephony | L. Compliance
4820 | L.14.6 | Is the call support team physically segregated from teams servicing other clients? | N/A | | | Call Center Controls | Personnel | L. Compliance
4821 | L.14.7 | Do any Call Center personnel who would support this account work offshore (outside the client's country)? | N/A | | | Call Center Controls | Personnel | L. Compliance
4822 | L.14.8 | Can Customer Service Representatives (CSR) work remotely? | N/A | | | Call Center Controls | Personnel | L. Compliance
4823 | L.14.9 | Do any Call Center personnel dedicated to this account work for other accounts? | N/A | | | Call Center Controls | Personnel | L. Compliance

4825 | L.14.10 | Will call monitoring, including electronic, mechanical or other device to intercept oral communications, be used as part of this service? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4826 | L.14.10.1 | Are the call recordings stored in a secured data center? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4827 | L.14.10.2 | Are recorded calls stored for over 30 days? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4828 | L.14.10.3 | Are calls related to this account recorded in a separate environment (separate server, tape)? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4829 | L.14.10.4 | Are there access controls regarding access to the server where recorded calls are stored? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4830 | L.14.10.5 | Is the call recording system equipped with a supervisory override feature? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4831 | L.14.10.6 | Can associates get access to review recorded calls (i.e., remote access, tape is mailed)? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4832 | L.14.10.7 | Can you provide reports on who has access to monitor calls and whose calls they monitor? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance
4833 | L.14.10.8 | Is speech analytics conducted on call recordings? | N/A | | | Call Center Controls | Call Monitoring and Recording | L. Compliance

4834 | L.14.11 | Is a documented methodology for caller authentication used, e.g., secret questions, etc.? | N/A | | | Call Center Controls | Caller Authentication | L. Compliance
4824 | L.15 | Are associates trained to handle threatening calls, including bomb threats? | N/A | | | Call Center Controls | Personnel | L. Compliance
4135 | L.16 | Are marketing or selling activities conducted directly to Client's customers? | No | | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4157 | L.16.1 | Is there a documented consumer protection compliance program? | N/A | | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4136 | L.16.2 | Is training conducted for constituents who have direct customer contact regarding consumer protection compliance responsibilities? | N/A | Cloudflare does not interact with our customers' end users/consumers. | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4137 | L.16.3 | Are processes in place to periodically review call center scripts, call monitoring, and/or email marketing to identify compliance issues? | N/A | | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4138 | L.16.4 | Is there an incentive or compensation program for constituents who directly sell/market to Client customers? If yes, please describe in the additional information field. | N/A | Cloudflare does not interact with our customers' end users/consumers. | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4140 | L.16.5 | Are there documented policies and procedures to ensure compliance with applicable laws and regulations including Unfair, Deceptive, or Abusive Acts or Practices? | N/A | Cloudflare does not interact with our customers' end users/consumers. | | Consumer Protection | Marketing and Sales Practices | L. Compliance

4144 | L.16.6 | Are calls for telemarketing purposes recorded and retained? If yes, please provide the retention period in the additional information field. | N/A | | | Consumer Protection | Marketing and Sales Practices | L. Compliance
4835 | L.17 | Are collections activities conducted directly to Client's customers? | N/A | Cloudflare does not perform collections activities on behalf of customers. | | Consumer Protection | Collections Practices | L. Compliance
4836 | L.17.1 | Are calls for collections' purposes recorded and retained? If yes, please provide the retention period in the additional information field. | N/A | | | Consumer Protection | Collections Practices | L. Compliance
4150 | L.18 | Is a web site(s) maintained or hosted for the purpose of advertising, offering, managing, or servicing accounts, products or services to clients' customers? | Yes | Cloudflare's website provides product information to customers and prospective customers. Our blog also includes more details about individual products. | | Consumer Protection | Offer & Terms Compliance | L. Compliance
4560 | L.18.1 | Are documented terms and conditions, software licensing agreements maintained and available online for enabling compliance with applicable legal, regulatory, and/or contractual obligations related to product or service specifications? | N/A | | | Consumer Protection | Offer & Terms Compliance | L. Compliance
4561 | L.18.2 | Are terms of sale, dispute and/or return of goods procedures available online? | N/A | Cloudflare does not interact with our customers' end users/consumers. | | Consumer Protection | Offer & Terms Compliance | L. Compliance
4141 | L.19 | Are there direct interactions with your client's customers? | No | | | Consumer Protection | Complaint Management | L. Compliance
5653 | L.19.1 | Is there a documented process for receiving and responding to inquiries, complaints and requests directly from individuals or the client's customers? | N/A | | | Consumer Protection | Complaint Management | L. Compliance

4837 | L.19.2 | Is there a documented process to provide periodic summary reports to management regarding types and resolution of complaints? | N/A | | | Consumer Protection | Complaint Management | L. Compliance
4142 | L.19.3 | Is there a documented process to provide periodic summary reports to your applicable clients regarding types and resolution of complaints? | N/A | | | Consumer Protection | Complaint Management | L. Compliance
4143 | L.19.4 | Is there a documented process to receive and respond to complaints, inquiries and requests from business or trade associations (e.g., BBB, GMOs, chambers of commerce, PCI Council) and from government agencies, including state attorneys general? | Yes | | | Consumer Protection | Complaint Management | L. Compliance
4146 | L.19.5 | Is there a documented escalation and resolution process to address specific complaints to management and the client? | Yes | | | Consumer Protection | Complaint Management | L. Compliance
4147 | L.20 | Are documented policies and procedures maintained to enforce applicable legal, regulatory or contractual cybersecurity obligations? | Yes | | | Cybersecurity Regulatory Compliance | Cybersecurity Compliance Controls | L. Compliance
4838 | L.20.1 | Are all systems regularly reviewed for compliance with all cybersecurity legal, contractual, and policy requirements? | Yes | | | Cybersecurity Regulatory Compliance | Cybersecurity Compliance Controls | L. Compliance
4839 | L.20.2 | Is cryptography enabled in accordance with all legal and contractual requirements? | Yes | | | Cybersecurity Regulatory Compliance | Cybersecurity Compliance Controls | L. Compliance
4840 | L.21 | Are any entities involved in the delivery of scoped services licensed or regulated by the New York Department of Financial Services (NYDFS)? | N/A | Cloudflare has not obtained a license from NYDFS since Cloudflare does not provide insurance to customers. | | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance

4841 | L.21.1 | Do Incident Response Plan Notification Procedures include notifying the New York Department of Financial Services (NYDFS) Superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event with a reasonable likelihood of materially harming any material part of normal business operations has occurred? | N/A | Cloudflare has not obtained a license from NYDFS since Cloudflare does not provide insurance to customers. | | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
4584 | L.21.2 | Are audit trails designed to reconstruct material financial transactions retained for 5 years? | Yes | | | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
4583 | L.21.3 | Are audit trails designed to detect and respond to Cybersecurity events retained for 3 years? | No | Cloudflare retains data only for as long as required/limited by laws and regulations. | | Cybersecurity Regulatory Compliance | NYDFS 23 NYCRR 500 | L. Compliance
4842 | L.22 | Is there a program in place to adhere to all applicable environmental, air emission, water, waste, chemical and hazardous materials management regulatory requirements? | No | | | Environmental Risk Management | Governance | L. Compliance
4843 | L.22.1 | Do you have a documented environmental risk management policy? | No | | | Environmental Risk Management | Governance | L. Compliance
4844 | L.22.2 | Do you provide environmental risk management training to all employees required by all applicable legal/regulatory requirements? Please list the topics covered in the additional information field. | No | | | Environmental Risk Management | Governance | L. Compliance
4845 | L.22.3 | Are periodic self-assessments, testing, or inspections for all applicable environmental legal/regulatory requirements, hazards or violations conducted by the organization? | No | | | Environmental Risk Management | Governance | L. Compliance
4846 | L.22.4 | Is there an independent validation process in place to ensure environmental risk compliance? If yes, please note the responsible independent organization(s) in the additional information field. | No | | | Environmental Risk Management | Governance | L. Compliance

4847 | L.22.5 | Has the organization ever been cited for regulatory non-compliance by an environmental regulator/agency? If yes, please explain in the additional information field. | No | | | Environmental Risk Management | Citations | L. Compliance
3379 | L.23 | Are client audits and/or risk assessments permitted? | No | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3380 | L.23.1 | Are onsite audits or risk assessments by clients permitted? | No | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
4608 | L.23.2 | Are virtual audits or risk assessments by clients permitted and facilitated by guided live video streaming for physical risk assessment activities and interviews? | No | Cloudflare does not permit customers to perform virtual audits. | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3381 | L.23.3 | Are clients provided with copies of program documentation describing their audit or assessment roles and responsibilities? | N/A | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3385 | L.23.4 | Is evidence of internal controls available during a client assessment? | Yes | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3386 | L.23.4.1 | Are system and network topology and architecture diagrams available during a client risk assessment or audit? | Yes | High-level network topology | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3387 | L.23.4.2 | Are Data Flow/System Interface diagrams available during a client risk assessment or audit? | Yes | High-level data flows can be shared, or described | | External Assurance and Audit | Client Audit Requirements | L. Compliance

3388 | L.23.4.3 | Is a list of ports that are open externally available during a client risk assessment or audit? | Yes | Cloudflare publicly lists which ports are open externally | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3389 | L.23.4.4 | Are system configuration standards available during a client risk assessment or audit? | No | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3390 | L.23.4.5 | Are standard operating procedures available during a client risk assessment or audit? | No | | | External Assurance and Audit | Client Audit Requirements | L. Compliance
3383 | L.23.5 | Are controls validated by independent, third party auditors or information security professionals? | Yes | | | External Assurance and Audit | Independent Audits | L. Compliance
4285 | L.23.5.1 | Has a proactive Shared Assessments Standardized Control Assessment (SCA) been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4286 | L.23.5.2 | Has a SOC™ 1 audit been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4287 | L.23.5.3 | Has a SOC 2 audit been performed within the last 12 months? | Yes | | | External Assurance and Audit | Independent Audits | L. Compliance
4288 | L.23.5.4 | Has a SOC 3 audit been performed within the last 12 months? | Yes | | | External Assurance and Audit | Independent Audits | L. Compliance

4289 | L.23.5.5 | Has an ISO 27001 control assessment been performed within the last 12 months? | Yes | | | External Assurance and Audit | Independent Audits | L. Compliance
4290 | L.23.5.6 | Has an ISO 27017 control assessment been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4291 | L.23.5.7 | Has an ISO 27018 control assessment been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4292 | L.23.5.8 | Has a NIST 800-53 control assessment been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4293 | L.23.5.9 | Has a PCI DSS control assessment been performed within the last 12 months? | Yes | | | External Assurance and Audit | Independent Audits | L. Compliance
4294 | L.23.5.10 | Has a HITRUST CSF control assessment been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4295 | L.23.5.11 | Has a Multi-tiered Cloud Computing Security - Singapore (MCTS) assessment been performed within the last 12 months? | No | | | External Assurance and Audit | Independent Audits | L. Compliance
4296 | L.23.5.12 | Have any other audits, risk or control assessments been performed within the last 12 months by an independent firm with transparent standardized audit criteria? If yes, please list/describe in the Additional Information field. | N/A | | | External Assurance and Audit | Independent Audits | L. Compliance

4597 | L.24 | Is any of the software included in the delivery of service regulated by the FDA? If yes, please list the systems and their purpose in the Additional Information field. | N/A | At this moment, Cloudflare services are not regulated by the FDA. | | FDA Compliance | Governance | L. Compliance
4598 | L.24.1 | Is there a Quality Assurance or other organization that ensures software integrity and adherence to internal processes for software development for FDA-regulated systems? | N/A | | | FDA Compliance | Governance | L. Compliance
4599 | L.24.2 | Do all personnel who develop, maintain, or use FDA-regulated electronic systems have the education, training, and experience to perform their assigned tasks according to FDA requirements? | N/A | | | FDA Compliance | Governance | L. Compliance
4600 | L.24.2.1 | Are personnel properly trained on proper use of FDA-regulated systems and requirements, and are appropriate training records available for review if required? If yes, please describe the training program in the additional information field. | N/A | | | FDA Compliance | Governance | L. Compliance
4601 | L.24.3 | Is any software included in the delivery of service required to be validated under FDA guidance for software validation? If yes, please list the systems and their purpose in the Additional Information field. | N/A | | | FDA Compliance | Validated Systems | L. Compliance
4602 | L.24.3.1 | If you are hosting or providing software, do you provide validation services and/or validation documentation for the software (i.e., test protocols, traceability matrix, validation summary reports)? If yes, please describe the validation services in the Additional Information field. | N/A | | | FDA Compliance | Validated Systems | L. Compliance
4603 | L.24.3.2 | Is all FDA-regulated software included in the delivery of service used by at least one other FDA-regulated company? If no, please explain in the Additional Information field. | N/A | | | FDA Compliance | Validated Systems | L. Compliance
4848 | L.24.4 | Has any entity involved in delivering scoped services ever been cited for regulatory non-compliance by the FDA? If yes, please explain in the Additional Information field. | N/A | | | FDA Compliance | Citations | L. Compliance

4604 | L.24.5 | Is any of the software included in the delivery of service required to be compliant with 21 CFR Part 11 requirements (Electronic Records/Electronic Signatures)? If yes, please list the systems and their purpose in the Additional Information field. | N/A | | | FDA Compliance | 21 CFR Part 11 Compliance | L. Compliance
4605 | L.24.5.1 | Are all requirements related to 21 FDA CFR Part 11 enforced and documented, including controls over system documentation, closed systems, and requirements related to electronic signatures? | N/A | | | FDA Compliance | 21 CFR Part 11 Compliance | L. Compliance
4606 | L.24.5.2 | Are written policies enforced to hold individuals accountable for actions initiated under their electronic signatures? | N/A | | | FDA Compliance | 21 CFR Part 11 Compliance | L. Compliance
4849 | L.25 | Is there a compliance program or set of policies and procedures that address internal and external Fraud Detection and Fraud Prevention? | Yes | | | Financial Crimes and Anti-Fraud | Anti-Fraud | L. Compliance
4556 | L.25.1 | Do fraud assessments consider various types of fraud including misappropriation of assets, altered reporting records, concealment of unauthorized receipts and payments such as bribes, or other corrupt or fraudulent acts? | Yes | | | Financial Crimes and Anti-Fraud | Anti-Fraud | L. Compliance
4134 | L.25.2 | Are there mechanisms in place to notify affected clients for suspected or actual fraudulent activity? | Yes | | | Financial Crimes and Anti-Fraud | Anti-Fraud | L. Compliance
4133 | L.25.3 | Are there documented and defined monitoring and oversight functions for suspected fraud instances or fraud investigations? | Yes | | | Financial Crimes and Anti-Fraud | Anti-Fraud | L. Compliance
4155 | L.25.4 | Are customer account activities monitored for unusual or suspicious activity? | Yes | Cloudflare's product includes monitoring of traffic to customer web-properties to thwart DDoS and other attacks. | | Financial Crimes and Anti-Fraud | Anti-Fraud | L. Compliance
4850 | L.26 | Is there a set of policies and procedures that address Anti-Money Laundering obligations? | N/A | Cloudflare is not providing services that involve handling customer's financial assets. | | Financial Crimes and Anti-Fraud | Anti-Money Laundering | L. Compliance

4851 | L.26.1 | Do employees receive training on Anti-Money Laundering if applicable to the services provided? | N/A | Cloudflare is not providing services that involve handling customer's financial assets. | | Financial Crimes and Anti-Fraud | Anti-Money Laundering | L. Compliance
4476 | L.27 | Is there a documented identity theft prevention program approved by management in place to detect, prevent, and mitigate identity theft? | N/A | | | Financial Crimes and Anti-Fraud | Identity Theft Prevention | L. Compliance
3861 | L.28 | Is client-scoped data collected, transmitted, processed or stored that can be defined as a Covered Account under Identity Theft Red Flags Rules? | Yes | The customer dictates what types of data Cloudflare will process on its behalf. Cloudflare is mostly used for website properties, making the general scope of our services to include any data that would be requested from your web assets. | | Financial Crimes and Anti-Fraud | Identity Theft Prevention - Red Flags Rule | L. Compliance
3729 | L.28.1 | Are transactions for Covered Accounts accessed, modified, or processed, including address changes and discrepancies? If yes, please describe in the additional information field. | N/A | Not applicable to the service. | | Financial Crimes and Anti-Fraud | Identity Theft Prevention - Red Flags Rule | L. Compliance
3731 | L.28.2 | Are there documented policies and procedures for identifying and responding to relevant Red Flags on Covered Accounts, including address changes and discrepancies? | N/A | | | Financial Crimes and Anti-Fraud | Identity Theft Prevention - Red Flags Rule | L. Compliance
4852 | L.29 | Do you have a documented health and safety policy? | No | | | Health & Safety | Governance | L. Compliance
4853 | L.29.1 | Is there a compliance program and procedures that address health and safety risks? | Yes | | | Health & Safety | Governance | L. Compliance
4854 | L.29.2 | Do you provide health and safety training to all employees commensurate to their roles and responsibilities? Please list the topics covered in the Additional Information field. | No | | | Health & Safety | Governance | L. Compliance

4855 | L.29.3 | Is there a process in place to independently ensure compliance with all applicable legal/regulatory requirements related to health and safety in all geographic and jurisdictional obligations? | Yes | | | Health & Safety | Governance | L. Compliance
4856 | L.29.4 | Is there an independent validation process in place to ensure health and safety compliance? If no, please explain in the additional information field. | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | | Health & Safety | Governance | L. Compliance
4857 | L.29.5 | Are periodic self-assessments, testing, or inspections for all health and safety legal/regulatory requirements, hazards or violations conducted by the organization? | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | | Health & Safety | Governance | L. Compliance
4858 | L.29.6 | Have you had any serious and/or recordable accidents, injuries or illness in the last 5 years? If yes, please explain in the Additional Information field. | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | | Health & Safety | Recordable Accidents | L. Compliance
4859 | L.29.7 | Has the organization been cited for regulatory non-compliance by a health or safety regulator/Agency? If yes, please explain in the Additional Information field. | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | | Health & Safety | Citations | L. Compliance
4860 | L.29.8 | Are there documented policies and procedures in place to address recordkeeping, reporting, and posting for OSHA Compliance? | N/A | Cloudflare is not providing services that require its employees to be onsite at customer locations. | | Health & Safety | OSHA Compliance | L. Compliance
4861 | L.30 | Are there documented policies and procedures to ensure trademark and intellectual property compliance within the product or service offering? | Yes | | | Intellectual Property | Governance | L. Compliance
4862 | L.30.1 | Do the policies and procedures include intellectual property rights for business processes? | Yes | | | Intellectual Property | Governance | L. Compliance
4863 | L.30.2 | Do the policies and procedures include intellectual property rights for information technology software products? | Yes | | | Intellectual Property | Governance | L. Compliance

4864 | L.30.3 | Are there policies and procedures that define trademark use applicable to the products or services? | Yes | | | Intellectual Property | Trademark Use | L. Compliance
4865 | L.31 | Is there a set of policies and procedures that address International Trade and Export Compliance? | Yes | | | International Trade and Export | Governance | L. Compliance
4131 | L.31.1 | Are there policies and procedures to maintain compliance with international requirements for import and/or export of goods or services? | Yes | | | International Trade and Export | Governance | L. Compliance
4555 | L.31.2 | Are there policies and procedures to maintain compliance with implemented trade partner restrictions based on international requirements? | Yes | | | International Trade and Export | Governance | L. Compliance
4866 | L.31.3 | Are there policies and procedures to ensure any international sourcing using third party customs brokers maintain International Trade and Export Compliance? | Yes | | | International Trade and Export | Governance | L. Compliance
4154 | L.32 | Are accounts opened, financial transactions initiated or other account maintenance activity (e.g., applying payments, address changes, receiving payments, transferring funds, etc.) through either electronic, telephonic, written or in-person requests made on behalf of your clients' customers? | No | | | Payments Compliance | Governance | L. Compliance
4867 | L.32.1 | Are there policies and procedures to address payments compliance in the delivery of the product or services if required by regulation? | Yes | | | Payments Compliance | Governance | L. Compliance
4868 | L.32.2 | Do the services provided require the collection, remittance, processing, clearing, settlement of checks or check-related data? | No | | | Payments Compliance | Check Processing | L. Compliance
4869 | L.32.2.1 | Are policies and procedures maintained for check image capture, remittance, and processing that address Federal Reserve Bank standards e.g., ANSI or X9? | N/A | Cloudflare does not provide check image capture capabilities. | | Payments Compliance | Check Processing | L. Compliance

4870 | L.32.2.2 | Are processes maintained for the balancing and reconciliation of transactions? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
4871 | L.32.2.3 | Do the services require the organization to generate direct debits or credits to accounts via the Automated Clearing House (ACH) system? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
4872 | L.32.2.3.1 | Does the organization maintain policies and procedures that address National Automated Clearinghouse Association (NACHA) Operating Rules? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
4873 | L.32.2.3.2 | Does the organization conduct an annual audit to assess compliance to NACHA Operating Rules? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
4874 | L.32.2.3.3 | For recurring ACH transactions, is there a mechanism to gain authorization to debit the account? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
4875 | L.32.2.3.3.1 | For recurring ACH transactions, are processes maintained to respond to requests to discontinue the recurring transactions? | N/A | Cloudflare is not providing financial products. | | Payments Compliance | Check Processing | L. Compliance
2649 | L.32.3 | Are electronic commerce web sites or applications used to transmit, process or store Scoped systems and data? | No | | | Payments Compliance | eCommerce Security | L. Compliance
4284 | L.32.3.1 | Do any electronic commerce sites, applications and systems transmit, process or store non-scoped data? | N/A | | | Payments Compliance | eCommerce Security | L. Compliance
2652 | L.32.3.2 | Are all transaction details (i.e., payment card info and information about the parties conducting transactions) prohibited from being stored in the Internet-facing DMZ? | Yes | | | Payments Compliance | eCommerce Security | L. Compliance
4876 | L.32.4 | Do the services require receiving or processing credit or debit card data? If yes, indicate the PCI Level in the additional information field (Level 1, 2, 3 or 4). | Yes | | | Payments Compliance | Payment Card Processing | L. Compliance

4877 | L.32.4.1 | Does your credit and debit card process comply with PCI Standards? | Yes | | | Payments Compliance | Payment Card Processing | L. Compliance
4878 | L.32.4.2 | Excluding merchant banks, are credit and debit card payments processed internally? | No | Cloudflare utilizes Stripe and Braintree to process payments through an iFrame on the Cloudflare Dash. | | Payments Compliance | Payment Card Processing | L. Compliance
4879 | L.32.4.3 | Excluding merchant banks, are credit and debit card payments processed by a subcontractor? | Yes | | | Payments Compliance | Payment Card Processing | L. Compliance
4880 | L.32.4.4 | Are all connections to payment card processors, including APIs, transferred over an encrypted connection? | Yes | | | Payments Compliance | Payment Card Processing | L. Compliance
4881 | L.32.4.5 | Will the actual credit or debit card information (account number, expiration date, security code, etc.) be stored locally? | No | | | Payments Compliance | Payment Card Processing | L. Compliance
4882 | L.32.4.6 | Will the actual credit or debit card information (account number, expiration date, security code, etc.) be stored at a subcontractor's location? | Yes | Cloudflare utilizes Stripe and Braintree to process payments through an iFrame on the Cloudflare Dash. All full credit or debit card information is stored by our payment processors. | | Payments Compliance | Payment Card Processing | L. Compliance
2837 | L.33 | Is there a records retention policy covering paper and electronic records, including email, in support of applicable regulations, standards and contractual requirements? | Yes | | | Records Retention | Governance | L. Compliance
4883 | L.33.1 | Are all business records protected in accordance with all legal and contractual requirements? | Yes | | | Records Retention | Governance | L. Compliance

4884 | L.33.2 | Are there procedures for managing conflicting regulatory record retention and deletion requirements as part of eDiscovery obligations (e.g., managing legal holds or preservation requests pending vs. deletion schedules)? | Yes | | Records Retention | eDiscovery | L. Compliance
5835 | L.33.3 | Does the organization have a policy for retaining previous versions of its privacy policies and procedures in accordance to the organization's document retention schedule? | Yes | | Records Retention | Governance | L. Compliance
4885 | L.34 | Are policies and procedures in place to restrict activities or transactions for sanctioned countries (e.g., country blocking)? | Yes | | Sanction Compliance | Governance | L. Compliance
4886 | L.34.1 | Does the organization take a risk-based approach when designing or updating the sanction compliance program? | Yes | | Sanction Compliance | Governance | L. Compliance
4887 | L.34.2 | Is the organization capable of adjusting rapidly to changes published by required sanctions organizations such as OFAC, including updates to SDN, SSI, and other lists, new, amended, or updated sanctions programs or prohibitions, and general licenses? | Yes | | Sanction Compliance | Governance | L. Compliance
4888 | L.34.3 | Has Senior Management reviewed and approved the organization's Sanctions Compliance Program (SCP) and does it reevaluate it on a regular basis? | Yes | | Sanction Compliance | Governance | L. Compliance
4889 | L.34.3.1 | Has Senior Management ensured its sanctions compliance units are delegated sufficient authority and autonomy, with direct reporting lines between the SCP function and senior management, including routine and periodic meetings between these two elements of the organization? | Yes | | Sanction Compliance | Governance | L. Compliance
4890 | L.34.3.2 | Does Senior Management ensure that the organization's sanctions compliance units receive adequate resources including budget for personnel, training, operations and technology? | Yes | | Sanction Compliance | Governance | L. Compliance

4891 | L.34.4 | Is there a dedicated sanctions compliance officer? | Yes | | Sanction Compliance | Governance | L. Compliance
4892 | L.34.5 | Are personnel dedicated to the Sanctions Control Program with the appropriate technical knowledge and expertise, including the ability to understand complex financial and commercial activities, sufficient experience, and an appropriate position within the organization? | Yes | | Sanction Compliance | Governance | L. Compliance
4893 | L.34.6 | Are sanctions compliance checks included in company Merger & Acquisition Processes? | Yes | | Sanction Compliance | Governance | L. Compliance
4894 | L.34.7 | Is a sanctions risk assessment performed on all relevant entities within the organization on a periodic basis, with results shared with management? | Yes | | Sanction Compliance | Organizational Sanction Compliance Risk Assessment | L. Compliance
4895 | L.34.7.1 | Has the organization performed a holistic review of the organization from top-to-bottom (including customers, products and services, and geographic location) to identify, analyze, and address Sanctions risks? | Yes | | Sanction Compliance | Organizational Sanction Compliance Risk Assessment | L. Compliance
4896 | L.34.7.2 | Is a sanctions risk assessment performed on a periodic basis, with results shared with management? | Yes | | Sanction Compliance | Organizational Sanction Compliance Risk Assessment | L. Compliance
4897 | L.34.8 | Do sanction compliance program audits assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations? | Yes | | Sanction Compliance | Organizational Sanction Compliance Audit | L. Compliance
4898 | L.34.8.1 | Is the sanction compliance program testing or audit function accountable to senior management, independent of the audited activities and functions, and does it have sufficient authority, skills, expertise, resources, and authority within the organization to affect change? | Yes | | Sanction Compliance | Organizational Sanction Compliance Audit | L. Compliance

4899 | L.34.9 | Is there a sanction compliance training program that periodically (and at a minimum, annually) provides job-specific knowledge based on need, communicates the sanctions compliance responsibilities for each employee, and holds employees accountable for sanctions compliance training through assessments? | Yes | | Sanction Compliance | Training | L. Compliance
4900 | L.34.9.1 | Is the sanction compliance Training Program further tailored to high-risk employees within the organization? | Yes | | Sanction Compliance | Training | L. Compliance
3905 | L.34.10 | Are there compliance and sanction checks (e.g., Office of Foreign Assets Controls - OFAC) performed against customers, suppliers and third parties? | Yes | This is overseen by Legal Compliance | Sanction Compliance | Third Party Due Diligence | L. Compliance
5654 | L.34.10.1 | Are there policies and procedures to address ongoing due diligence of business partners including guidelines for periodic screening? | Yes | | Sanction Compliance | Third Party Due Diligence | L. Compliance
4901 | L.34.11 | Is there a sanctions compliance program or set of policies and procedures that address obligations for Office of Foreign Assets Controls (OFAC) requirements? | Yes | | Sanction Compliance | OFAC Compliance | L. Compliance
4297 | M.1 | Are End User Devices (desktops, laptops, tablets, smartphones) used for transmitting, processing or storing Scoped data? | Yes | | End User Device Security | Scoping | M. End User Device Security
4298 | M.1.1 | Are end user device security configuration standards documented? | Yes | | End User Device Security | Security Configuration Standards | M. End User Device Security
4299 | M.1.1.1 | Are end user device security configuration standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or best practices? | Yes | | End User Device Security | Security Configuration Standards | M. End User Device Security

4300 | M.1.1.2 | Are end user device security reviews performed to validate compliance with documented standards? | Yes | | End User Device Security | Security Configuration Standards | M. End User Device Security
4301 | M.1.2 | Are all unnecessary/unused services uninstalled or disabled for devices used for accessing, transmitting, processing, or storing Scoped data on end user devices? | Yes | Access is reviewed quarterly and user access is revoked if systems are not regularly accessed. | End User Device Security | End User Device Hardening | M. End User Device Security
4302 | M.1.3 | Are all remote access and file sharing services configured to require authentication and encryption on end user devices? | Yes | | End User Device Security | End User Device Hardening | M. End User Device Security
4303 | M.1.4 | Are end user device operating system executables/binaries stored on a separate drive from Scoped data? | Yes | | End User Device Security | End User Device Hardening | M. End User Device Security
4304 | M.1.5 | Are end user devices configured to lock screens after 15 minutes of inactivity? | Yes | This is system dependent | End User Device Security | End User Device Hardening | M. End User Device Security
4305 | M.1.6 | Are all available high-risk security patches applied and verified at least monthly on all end-user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4306 | M.1.7 | Are all end user device patching exceptions documented and approved by information security or senior management? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4307 | M.1.7.1 | Are all patches, service packs, and hot fixes tested prior to deployment to end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security

4308 | M.1.7.2 | Are all vulnerabilities evaluated and prioritized for end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4309 | M.1.7.3 | Are all high-risk end user devices prioritized to receive patches first? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4310 | M.1.7.4 | Are all end user device patch successes and failures logged? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4311 | M.1.8 | Are third party alert services used to keep up to date with the latest vulnerabilities for all end user devices? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4312 | M.1.9 | Are all end user device operating system versions that no longer have patches released prohibited? | Yes | | End User Device Security | Patching and Vulnerability Management | M. End User Device Security
4313 | M.1.10 | Are all end user device operating system and application logs configured to provide sufficient detail to support incident investigation, including successful and failed login attempts and changes to sensitive configuration settings and files? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4314 | M.1.11 | Are all end user device events relevant to supporting incident investigation retained for a minimum of one year? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4315 | M.1.12 | Are all end user device events relevant to supporting incident investigation stored on alternate systems? | Yes | | End User Device Security | Audit Logs | M. End User Device Security

4316 | M.1.13 | Are all end user device system generated notifications generated in the event the system fails to write an event to an audit log? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4317 | M.1.14 | Are all end user device operating system and application logs relevant to supporting incident investigation protected against modification, deletion, and/or inappropriate access? | Yes | | End User Device Security | Audit Logs | M. End User Device Security
4318 | M.1.15 | Are anti-malware software version and engine upgrade deployment failures reviewed at least weekly for all end user devices? | Yes | | End User Device Security | Malware Protection | M. End User Device Security
4319 | M.1.16 | Are activity alerts such as uncleaned infections and suspicious activity reviewed and actioned at least weekly for all end user devices? | Yes | | End User Device Security | Malware Protection | M. End User Device Security
4320 | M.1.17 | Are defined procedures in place to identify and correct systems without anti-virus at least weekly for all end user devices? | Yes | | End User Device Security | Malware Protection | M. End User Device Security
4321 | M.1.18 | Are periodic configuration reviews performed at least quarterly and when a change is made to anti-malware standards? | Yes | | End User Device Security | Malware Protection | M. End User Device Security
4322 | M.1.19 | Are application whitelisting, application blacklisting, or restriction of users' ability to install unapproved applications documented and used to prevent the installation of malicious software for all end user devices? | No | Cloudflare uses end point monitoring software which tracks what is downloaded by users, including potentially malicious software. | End User Device Security | Malware Protection | M. End User Device Security
3210 | M.1.20 | Are users required to terminate active sessions when finished on all end user devices? | Yes | | End User Device Security | Inactivity Timeout | M. End User Device Security

1980 | M.1.21 | Is there a requirement to physically secure end user systems when left unattended? | Yes | | End User Device Security | Inactivity Timeout | M. End User Device Security
4090 | M.1.22 | Are constituents allowed to utilize mobile devices within your environment? | Yes | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4091 | M.1.22.1 | Can constituents view scoped data using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4092 | M.1.22.2 | Can constituents process scoped data using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4093 | M.1.22.3 | Can constituents delete scoped data using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4094 | M.1.22.4 | Can constituents store scoped data using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4095 | M.1.22.5 | Can constituents access corporate e-mail using mobile devices? | Yes | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security
4096 | M.1.22.6 | Can constituents connect to scoped Systems using mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device Access | M. End User Device Security

4097 | M.1.23 | Is there a mobile device management program in place that has been approved by management and communicated to appropriate constituents? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3762 | M.1.23.1 | Are all mobile devices evaluated as part of the IT Risk Management program? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3764 | M.1.24 | Are any mobile devices with access to scoped data Constituent owned (BYOD)? | N/A | Scoped data is not accessible from mobile device. | End User Device Security | BYOD | M. End User Device Security
3765 | M.1.24.1 | Are BYOD mobile devices company managed using Mobile Device Management (MDM) technology? | N/A | Mobile device management policy is being fully implemented; at present users are permitted to BYOD. | End User Device Security | BYOD | M. End User Device Security
4098 | M.1.25 | Is a technical solution in place to enforce mobile device security requirements (e.g., PIN, encryption, remote wipe, etc.)? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3773 | M.1.26 | Prior to device on-boarding are constituents required to sign a legal agreement which details the obligations and rights related to mobile devices? | No | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3774 | M.1.26.1 | Does the mobile device user agreement include the owner of data on the mobile device? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3775 | M.1.26.2 | Does the mobile device user agreement include the User's responsibility in ensuring the security of the mobile device? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security

4099 | M.1.26.3 | Does the mobile device user agreement include that the security requirements for scoped systems and data will override the user's personal use? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3782 | M.1.26.4 | Does the mobile device user agreement include the support roles and responsibilities? | N/A | | Mobile Device Policy and Procedures | Mobile Device User Agreement | M. End User Device Security
3778 | M.1.27 | Is there a process or procedure for responding to mobile device data compromise events? | Yes | This is in place where devices are company managed. | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3779 | M.1.27.1 | Does the mobile device incident response process or procedure include remotely wiping the mobile device? | Yes | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3780 | M.1.27.2 | Does the mobile device incident response process or procedure include remotely accessing scoped data on the mobile? | N/A | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3781 | M.1.27.3 | Does the mobile device incident response process or procedure include physically accessing scoped data on the mobile device? | N/A | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
4111 | M.1.27.4 | Does the mobile device incident response process or procedure include performing a forensic analysis on the mobile device? | Yes | | Mobile Device Policy and Procedures | Incident Response Procedures | M. End User Device Security
3783 | M.1.28 | Is there an approved process to support the mobile device lifecycle? | Yes | Applicable for company issued devices | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security

3784 | M.1.28.1 | Does the mobile device lifecycle include onboarding mobile devices? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3785 | M.1.28.2 | Does the mobile device lifecycle include offboarding mobile devices? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3786 | M.1.28.3 | Does the mobile device lifecycle include asset tracking against the mobile devices each Constituent is permitted to connect with? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3787 | M.1.29 | Is there an approved process for IT to offboard mobile devices when a Constituent terminates, or requests to on-board a new mobile device? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3788 | M.1.29.1 | Does the mobile device offboarding process identify if the Constituent has any legacy devices accessing scoped systems and data? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3789 | M.1.29.2 | Does the mobile device offboarding process confirm that scoped data, settings and accounts have been removed from the legacy mobile device? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
4100 | M.1.30 | Is the identity management system (directory services) integrated with mobile infrastructure to support people joining/leaving/changing roles in the enterprise? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
4101 | M.1.31 | Is Mobile Device Management (MDM) subject to an internal or external audit? | Yes | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security

3823 | M.1.32 | Are there approved mobile operating system versions permitted to connect to the environment? | N/A | Per Cloudflare policy, devices owned by the company or used by the employee to connect to company resources must be running the most recent operating system (unless IT has instructed users to delay an update due to a vulnerability). | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3824 | M.1.33 | Are mobile operating system versions that are deemed end of life permitted to connect to Scoped systems and data? | N/A | | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
3825 | M.1.34 | Are constituents permitted to create and activate mobile hotspots (Bring Your Own Network, BYON)? | Yes | This is encouraged to prevent employees from connecting to unsecure WiFi. | Mobile Device Policy and Procedures | Mobile Device Management | M. End User Device Security
1791 | M.2 | Are Personal Computers (PCs) used to transmit, process or store Scoped systems and data? | Yes | | Personal Computer Policy and Procedures | Scoping | M. End User Device Security
1793 | M.2.1 | Is security approval required prior to implementing non-standard PC operating equipment? | Yes | | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security
1794 | M.2.2 | Is security approval required prior to implementing freeware or shareware applications on PCs? | Yes | | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security
1797 | M.2.3 | Are non-company managed PCs used to connect to the company network? | No | | Personal Computer Policy and Procedures | BYOD | M. End User Device Security
1803 | M.2.4 | Is installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? | No | Employees have local administrator rights to their company-issued devices | Personal Computer Policy and Procedures | PC Change Management | M. End User Device Security

3558 | M.3 | Are cloud hosting staff technically prevented from accessing the administrative environment via non-managed private devices? | Yes | | End User Device Security | Cloud Hosting Staff BYOD | M. End User Device Security
3559 | M.3.1 | Are cloud hosting staff technically prevented from using non-managed private devices to log into administrative shell or UI credentials from within the Service Provider network? | Yes | | End User Device Security | Cloud Hosting Staff BYOD | M. End User Device Security
3560 | M.3.2 | Are cloud hosting staff technically prevented from using non-managed private devices to log into standard shell or UI credentials from within the Service Provider network via non-managed private devices? | Yes | | End User Device Security | Cloud Hosting Staff BYOD | M. End User Device Security
3561 | M.3.3 | Are cloud hosting staff technically prevented from using non-managed private devices to log into administrative shell or UI credentials from outside the Service Provider network via non-managed private devices? | Yes | | End User Device Security | Cloud Hosting Staff BYOD | M. End User Device Security
3562 | M.3.4 | Are cloud hosting staff technically prevented from using non-managed private devices to log into standard shell or UI credentials from outside the Service Provider network using non-managed private devices? | Yes | | End User Device Security | Cloud Hosting Staff BYOD | M. End User Device Security
4902 | N.1 | Is there a policy that defines network security requirements that is approved by management, communicated to constituents and has an owner to maintain and review? | Yes | | Network Policy | Governance | N. Network Security
995 | N.1.1 | Is there an approval process prior to installing a network device? | Yes | Approval from the datacenter and reviews in the process of contracting/purchasing additional devices. | Network Policy | Governance | N. Network Security
1015 | N.1.2 | Is there a process that requires security approval to allow external networks to connect to the company network, and enforces the least privilege necessary? | Yes | | Network Policy | Governance | N. Network Security

1121 | N.1.3 | Is security approval required to connect a device on the company network to a non-company network (including the Internet) if it bypasses network security devices (e.g., firewall, IPS, content filter)? | Yes | | Network Policy | Governance | N. Network Security
1011 | N.1.4 | Are there technical controls to prevent unauthorized devices from physically connecting to the internal network or to detect and alert an administrator (e.g., NAC - Network Access Control)? | Yes | | Network Policy | Governance | N. Network Security
998 | N.2 | Are there security and hardening standards for network devices, including Firewalls, Switches, Routers and Wireless Access Points (baseline configuration, patching, passwords, Access control)? | Yes | Iptables on the servers and firewalls on routers in Cloudflare Network Points of Presence. | Network Policy | Network Device Hardening Standards | N. Network Security
1016 | N.2.1 | Are all network device administrative interfaces configured to require authentication and encryption? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
2612 | N.2.1.1 | Is access to diagnostic or maintenance ports on network devices restricted to users with authorized credentials, and if available, trusted networks, devices and/or applications? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4903 | N.2.1.2 | Are all network device administrative interfaces configured to require multifactor authentication? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4404 | N.2.2 | Are default passwords changed or disabled prior to placing network devices into production? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
4325 | N.2.3 | Are corporate standardized Simple Network Management Protocol (SNMP) Community Strings used, default strings such as 'public' or 'private' removed, and SNMP configured to use the most secure compatible version of the protocol? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security

1008 | N.2.4 | Are reviews performed to validate compliance with documented network device standards at least annually? | Yes | | Network Policy | Network Device Hardening Standards | N. Network Security
981 | N.3 | Is there sufficient detail contained in network device logs to support incident investigation? | Yes | | Network Policy | Network Device Logging | N. Network Security
4335 | N.3.1 | Are network device logs relevant to supporting incident investigation protected against modification, deletion and/or inappropriate access and stored on alternate systems (e.g., SIEM, Syslog, Log Management Service)? | Yes | | Network Policy | Network Device Logging | N. Network Security
4336 | N.3.2 | Are network device events relevant to supporting incident investigation retained for a minimum of one year? | Yes | | Network Policy | Network Device Logging | N. Network Security
3294 | N.3.3 | Are alerts generated in the event the network device system fails to write an event to an audit log? | Yes | | Network Policy | Network Device Logging | N. Network Security
994 | N.4 | Are all available high-risk security patches applied and verified on network devices? | Yes | All patching is subject to Cloudflare's SDLC. Patches that are critical must be deployed within 30 days and are subject to tiered rollout. | Network Policy | Network Device Patching | N. Network Security
4329 | N.4.1 | Does network device patch management include testing of patches, service packs, and hot fixes prior to installation? | Yes | | Network Policy | Network Device Patching | N. Network Security
4330 | N.4.2 | Does network device patch management include evaluation and prioritization of vulnerabilities? | Yes | | Network Policy | Network Device Patching | N. Network Security

4331 | N.4.3 | Does network device patch management include priority patching of high-risk systems first? | Yes | | Network Policy | Network Device Patching | N. Network Security
4332 | N.4.4 | Does network device patch management include logging of patch successes and failures? | Yes | | Network Policy | Network Device Patching | N. Network Security
4333 | N.4.5 | Are third party alert services used to keep up to date with the latest network device vulnerabilities? | Yes | | Network Policy | Network Device Patching | N. Network Security
4334 | N.4.6 | Are all network device patching exceptions necessary, documented, and approved by Information Security? | Yes | | Network Policy | Network Device Patching | N. Network Security
3689 | N.5 | Are network technologies used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems? | Yes | | Network Policy | Network Segregation and Segmentation | N. Network Security
4904 | N.5.1 | Is logical network separation of segregated networks enforced using firewalls? | Yes | | Network Policy | Network Segregation and Segmentation | N. Network Security
4905 | N.5.2 | Is logical network separation of segregated networks enforced using Virtual LANs (VLANs) or Security Groups? | Yes | | Network Policy | Network Segregation and Segmentation | N. Network Security
4906 | N.5.3 | Is logical network separation of segregated networks enforced using Virtual Private Networks (VPNs)? | Yes | | Network Policy | Network Segregation and Segmentation | N. Network Security

756762Content Library 756762Page 140 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Is logical network separation of segregated networks enforced


using unidirectional gateways that separate networks using Network Segregation and
4907 N.5.4 data diodes? Yes Network Policy Segmentation N. Network Security

Is physical network separation enforced to completely prevent


any interconnectivity of traffic to and from segregated Network Segregation and
4908 N.5.5 networks? Yes Network Policy Segmentation N. Network Security

Are network or security technologies used to enforce security


requirements and block unauthorized traffic between Network Segregation and
4909 N.5.6 segregated systems and other networks and systems? Yes Network Policy Segmentation N. Network Security

Do all network segmentation and segregation technologies


enforce the principles of least privilege, need-to-know, and Network Segregation and
4910 N.5.7 whitelisting rather than blacklisting? Yes Network Policy Segmentation N. Network Security

Do all network segmentation and segregation technologies


enforce policy at each network layer from the data layer up
through the application layer? If no, please identify exceptions Network Segregation and
4911 N.5.8 in the additional information field. Yes Network Policy Segmentation N. Network Security

Do all systems that need to be accessed from both segregated


and non-segregated networks reside in a separate DMZ Network Segregation and
4912 N.5.9 network segment? Yes Network Policy Segmentation N. Network Security

Other than firewalls and baseboard management controller


interfaces, are all systems on segregated networks prohibited
from spanning multiple networks using dual-homed network Network Segregation and
4913 N.5.10 cards? Yes Network Policy Segmentation N. Network Security
Network traffic to and from untrusted
networks passes through a policy
enforcement point; firewall rules are
established in accordance to identified
Is every connection to an external network terminated at a security requirements and business Network Segregation and
976 N.5.11 firewall (e.g., the Internet, partner networks)? Yes justifications. Network Policy Segmentation N. Network Security

756762Content Library 756762Page 141 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Is there a separate network segment or dedicated endpoints Network Segregation and


1065 N.5.12 for remote access to internal networks? Yes VPN acts as a dedicated network segment Network Policy Segmentation N. Network Security

Are all firewall and other network Access Control List (ACL)
rules reviewed and updated at least quarterly and include
identification and removal of networks, sub networks, hosts, Firewall rules are reviewed and updated
3705 N.6 protocols or ports no longer in use? Yes on an as-needed basis. Network Policy ACL Management N. Network Security

979 N.6.1 Do network devices deny all access by default? Yes Network Policy ACL Management N. Network Security

Do the firewalls have any rules that permit 'any' network, sub
network, host, protocol or port on any of the firewalls (internal
3693 N.6.2 or external)? No Network Policy ACL Management N. Network Security

Is there a policy that defines the requirements for remote


access from external networks to networks containing Scoped
systems and data that has been approved by management and
3215 N.7 communicated to constituents? Yes Remote Network Access Policy N. Network Security

Are Split Tunneling and Bridged Internet Connections while


remotely connected to the company network prohibited by
2972 N.7.1 policy and/or technical control? Yes Remote Network Access Policy N. Network Security

Cloudflare policy restricts any non-


Is only organization-owned equipment permitted to connect company issued computers from
from external networks to networks containing Scoped systems connecting remotely to Cloudflare
3216 N.7.2 and data? Yes resources. Remote Network Access Policy N. Network Security

Are encrypted communications required for all remote


network connections from external networks to networks
5656 N.7.3 containing scoped systems and data? Yes Remote Network Access Policy N. Network Security

756762Content Library 756762Page 142 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Is multi-factor authentication required for all remote network


connections from external networks to networks containing
5657 N.7.4 scoped systems and data? Yes Remote Network Access Policy N. Network Security

Is there a process that requires security approval to allow


connections to internal network services from third party
4327 N.8 users, and enforces the least privilege necessary? Yes Remote Network Access Third Party N. Network Security

Are third party support personnel granted remote network


access only upon request, their activity is logged while active,
4328 N.8.1 and their access is removed upon completion of support? Yes Remote Network Access Third Party N. Network Security

Is remote administration of organizational assets approved,


logged, and performed in a manner that prevents unauthorized Remote Administration
4914 N.9 access? Yes Remote System Access Controls N. Network Security

Is multi-factor authentication required for remote Remote Administration


3541 N.9.1 administrative system access (shell or UI)? Yes Remote access permitted. Remote System Access Controls N. Network Security

For those non-admins who would have


Is multi-factor authentication required for all remote system access to production, remote access is Remote Administration
3542 N.9.1.1 access? Yes permitted Remote System Access Controls N. Network Security

Are encrypted communications required for all remote system Remote Administration
4915 N.9.2 access? Yes Remote Network Access Controls N. Network Security

Are users prohibited from accessing the Production


environment without going through a Jump Server or Remote Administration
4916 N.9.3 Administrative Subnet? Yes Remote System Access Controls N. Network Security

756762Content Library 756762Page 143 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Are Baseboard Management Controllers (BMCs) enabled on Baseboard Management


4917 N.10 any servers or other devices? Yes Remote System Access Controllers N. Network Security

Baseboard Management
4918 N.10.1 Is the default password changed on all BMCs? Yes Remote System Access Controllers N. Network Security

Are all BMCs configured on network address ranges reserved Baseboard Management
4919 N.10.2 specifically for BMCs and no other devices? Yes Remote System Access Controllers N. Network Security

Are BMC firmware updates monitored regularly and applied at Baseboard Management
4920 N.10.3 the first available maintenance window? Yes Remote System Access Controllers N. Network Security

Is all direct traffic to Baseboard Management controllers


restricted except from reserved IP address ranges for Baseboard Management
4921 N.10.4 management servers? Yes Remote System Access Controllers N. Network Security

Are firewalls configured to restrict all outbound traffic from Baseboard Management
4922 N.10.5 BMCs? Yes Remote System Access Controllers N. Network Security

Baseboard Management
4923 N.10.6 Is Multifactor Authentication enabled on all BMCs? Yes Remote System Access Controllers N. Network Security

Network Intrusion Detection/


1068 N.11 Are Network Intrusion Detection capabilities employed? Yes Network Security Prevention N. Network Security

756762Content Library 756762Page 144 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Are Intrusion Prevention signatures intended for blocking


traffic thoroughly tested for false positives before being put This is implemented across Cloudflare's Network Intrusion Detection/
4339 N.11.1 into 'Block' mode? Yes global network of PoPs. Network Security Prevention N. Network Security

Cloudflare's Detection and Response


Do Network IDS/IPS capabilities include configuration to send Team is building a SIEM to ingest all logs
alerts to security personnel when the volume or combination which will support improved response to
of security events indicate a likely security incident or potential threats by diminishing noise Network Intrusion Detection/
1075 N.11.2 compromise? Yes from false positives. Network Security Prevention N. Network Security

Is the interval between the availability of a new Network


IDS/IPS signature update and its deployment in 'Detect' mode Network Intrusion Detection/
1076 N.11.3 no longer than 24 hours? Yes Network Security Prevention N. Network Security

Is there a review and correction of Network IDS/IPS false Network Intrusion Detection/
4338 N.11.4 positives in at least weekly? Yes Network Security Prevention N. Network Security

Is there Network IDS/IPS monitoring and alert escalation to Network Intrusion Detection/
1077 N.11.5 security incident response personnel 24x7x365? Yes Network Security Prevention N. Network Security

Are Network IDS/IPS events sent to a central logging system or Network Intrusion Detection/
1080 N.11.6 SIEM? Yes Network Security Prevention N. Network Security

Is there a DMZ environment within the network that transmits,


2614 N.12 processes or stores Scoped systems and data? Yes Network Security DMZ Security N. Network Security

Are DMZ environments limited to only those servers that


1049 N.12.1 require access from the Internet? N/A Network Security DMZ Security N. Network Security

756762Content Library 756762Page 145 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Are DMZ environments divided into isolated DMZ network


segments for devices that initiate outbound traffic to the
1056 N.12.2 Internet and those that only receive inbound traffic? N/A Network Security DMZ Security N. Network Security

Are DMZ environments divided into isolated application and


database network segments for internet-facing webpages or
4340 N.12.3 other applications with an internet presence? N/A Network Security DMZ Security N. Network Security

Are wireless networking devices connected to networks


1095 N.13 containing scoped systems and data? Yes Network Security Wireless Security N. Network Security

Is there a wireless policy or program that has been approved by


management, communicated to appropriate constituents and
1096 N.13.1 an owner to maintain and review the policy? Yes Network Security Wireless Security N. Network Security

Does the Wireless Security Policy require approved and vendor


4341 N.13.2 supported wireless access points? Yes Network Security Wireless Security N. Network Security

Does the Wireless Security Policy prohibit wired and wireless


1107 N.13.3 network connections at the same time? N/A Network Security Wireless Security N. Network Security

Does the Wireless Security Policy require sensitive Wireless


networks to be authenticated using multi-factor MFA is in place for all connections to
1108 N.13.4 authentication? Yes corporate as well as production networks Network Security Wireless Security N. Network Security

Does the Wireless Security Policy require wireless connections


1111 N.13.5 to be secured with WPA2, and encrypted using AES or CCMP? Yes Network Security Wireless Security N. Network Security

756762Content Library 756762Page 146 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Does the Wireless Security Policy require continuous


monitoring and alerting to security personnel, or quarterly
1118 N.13.6 scanning for rogue wireless access points? Yes Network Security Wireless Security N. Network Security

Annual penetration testing of the


production network is copmpleted per
Does the Wireless Security Policy require wireless network PCI; however, there is no wireless
4342 N.13.7 penetration testing at least annually? N/A component to production netowkr. Network Security Wireless Security N. Network Security

Are there controls to prevent one client attempting to Cloud Tenant Segregation
3563 N.14 compromise another client in a resource pooled environment? Yes Network Security Controls N. Network Security

Do cloud tenant segregation controls include Cloud Tenant Segregation


3564 N.14.1 Inbound/Outbound firewalls between tenants? N/A Network Security Controls N. Network Security

Do cloud tenant segregation controls include IPS monitoring Cloud Tenant Segregation
3565 N.14.2 between tenants? N/A Network Security Controls N. Network Security

Do cloud tenant segregation controls include Real-time Cloud Tenant Segregation


3566 N.14.3 alerting? N/A Network Security Controls N. Network Security

Do cloud tenant segregation controls include Real-time Cloud Tenant Segregation


3567 N.14.4 monitoring by service provider? N/A Network Security Controls N. Network Security

Are mechanisms implemented to achieve resilience


requirements in normal and adverse situations such as
4924 N.15 Distributed Denial of Service (DDoS) attacks? Yes Network Security DDoS Mitigation N. Network Security

756762Content Library 756762Page 147 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Are Industrial Control Systems (ICS) used as part of the delivery Cloudflare is not providing customer with Industrial Control System
4592 N.16 of service? N/A Industrial Control Systems. Security Scoping N. Network Security

Are all Industrial Control Systems segregated onto their own Cloudflare is not providing customer with Industrial Control System Network Segregation and
4593 N.16.1 network (VLAN or Software Defined Network)? N/A Industrial Control Systems. Security Segmentation N. Network Security

Are all ICS devices segregated by an application firewall from Cloudflare is not providing customer with Industrial Control System Network Segregation and
4594 N.16.2 the rest of the network? N/A Industrial Control Systems. Security Segmentation N. Network Security

Are physical areas with ICS devices scanned at least annually Cloudflare does not utilize these
for non 802-11 wireless communications e.g., Bluetooth, technologies in its production Industrial Control System
4595 N.16.3 Zigbee, Z-Wave? N/A environment. Security Wireless Controls N. Network Security

Clouflare's data center providers are


Are clean power supply protection systems used to prevent responsible for the upkeep of power
AURORA attacks (Attacks against circuit breakers intended to generators and power delivery to Industrial Control System
4596 N.16.4 physically damage power generators)? No Cloudfalre's power racks. Security Power Controls N. Network Security

Is there collection of, access to, processing of, disclosure of, or Personal Information,
retention of client scoped data that includes any classification Identification, and
4533 P.1 of personal information or personal data of individuals? Yes Privacy Program Management Classification P. Privacy

Is client scoped data collected, accessed, transmitted,


processed, disclosed, or retained that can be classified as Personal Information,
personally identifiable financial information under the Gramm- Identification, and
3687 P.1.1 Leach-Bliley Act (GBLA)? Yes Consumer Financial Privacy Classification P. Privacy
The customer dictates what types of data
Cloudflare will process on its behalf.
Cloudflare is mostly used for website
properties, making the general scope of
our services to include any data that
Does the client scoped data include the disclosure of account
would be requested from your web
4925 P.1.1.1 numbers or identifiers to the consumer's account? Yes Consumer Financial Privacy Use of Personal Information P. Privacy
assets.

756762Content Library 756762Page 148 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Does the contract limit the usage of the account number


4926 P.1.1.2 information? Yes Consumer Financial Privacy Use of Personal Information P. Privacy

Do contracts between parties, including subcontractors, specify


the obligations for technical, administrative, and physical data Protection of Personal
5886 P.1.1.3 safeguards for the protection of personal information? Yes Consumer Financial Privacy Information P. Privacy

Do contracts between parties, including subcontractors, specify


the limitations on the disclosure or sharing of personal Protection of Personal
5887 P.1.1.4 information for marketing purposes? Yes Consumer Financial Privacy Information P. Privacy

Is client scoped data collected, accessed, processed, disclosed,


or retained that can be classified as consumer report Personal Information,
information or derived from a consumer report under the Fair Identification, and
4927 P.1.2 and Accurate Credit Reporting Act (FACTA)? Yes Consumer Financial Privacy Classification P. Privacy
The customer dictates what types of data
Cloudflare will process on its behalf.
Cloudflare is mostly used for website
Are policies and procedures for secure disposal of consumer
properties, making the general scope of
information maintained to prevent the unauthorized access to Disposal, Destruction and
our services to include any data that
or use of information in a consumer report or information Redaction of Personal
would be requested from your web
4475 P.1.2.1 derived from a consumer report? Yes Consumer Financial Privacy Information P. Privacy
assets.
Access to systems containing customer
data is limited based upon role-based
Are policies and procedures in place that establish and define requirements. Access to this data and
the permissible purpose(s) for which the consumer report prevention of unauthorized access are
information is obtained including attestation that the report both subject to Cloudflare's Access
4928 P.1.2.2 information will not be used for any other purpose? Yes Control policy. Consumer Financial Privacy Use of Personal Information P. Privacy

Is the personally identifiable financial information used for


4929 P.1.2.3 debt collection purposes by your organization? No Consumer Financial Privacy Use of Personal Information P. Privacy
The customer dictates what types of data
Cloudflare will process on its behalf.
Is client scoped data collected, accessed, transmitted,
Cloudflare is mostly used for website
processed, disclosed, or retained that can be classified as
properties, making the general scope of
Protected Health Information (PHI) or other higher healthcare
our services to include any data that
classifications of privacy data under the U.S. Health Insurance Personal Information
would be requested from your web
4474 P.1.3 Portability and Accountability Act (HIPAA)? Yes Healthcare Privacy Identification and Classification P. Privacy
assets.

756762Content Library 756762Page 149 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Cloudflare's Security Incident and
Response Policy includes a standard to
inform customers or the public based
upon the scale of impact. Cloudflare
Are there documented policies and procedures to detect and
commits to inform its customers in a
report unauthorized acquisition, use, or disclosure of PHI client Privacy Incident & Breach
timely manner of any incident that may
3696 P.1.3.1 scoped data? Yes Healthcare Privacy Management P. Privacy
have impacted their data.
Individuals have the right to access,
correct, update, export, or delete their
personal information and may email
Are there documented procedures to enable the ability to SAR@cloudflare.com with any such
reasonably amend PHI maintained by the service provider upon subject access requests (“SAR”), and we Accuracy and Completeness of
3699 P.1.3.2 request? Yes will respond within thirty (30) days. Healthcare Privacy Personal Information P. Privacy

Are training records maintained for employees (including Training logs for Security Awareness and
management) with access to or potential access to client PHI to Privacy Training on an annual basis and
3702 P.1.3.3 meet the privacy and security obligations required by HIPAA? Yes administered through company LMS. Healthcare Privacy Privacy Awareness & Training P. Privacy

Is there a business associate contract in place to address Cloudflare may enter into BAAs with
obligations for the privacy and security requirements for the customers process PHI on behalf of their Protection of Personal
3701 P.1.3.4 services provided to the covered entity? N/A end customers. Healthcare Privacy Information P. Privacy

Is the healthcare personal data provided directed from the


4930 P.1.3.5 individual via an online platform or by electronic means? N/A Healthcare Privacy Use of Personal Information P. Privacy

Is client scoped data collected, accessed, transmitted,


processed, or retained that can be classified under U.S. State Personal Information
4931 P.1.4 Privacy Regulations (e.g., CA, MA, NY, NV, WA, CO)? Yes State Privacy Regulations Identification and Classification P. Privacy

If client scoped data includes data of California residents, does


the contract prohibit the vendor from retaining, using or
disclosing the personal information for any other commercial
purpose other than the specific purpose of performing the Personal Information
4932 P.1.4.1 services? Yes State Privacy Regulations Identification and Classification P. Privacy
The customer dictates what types of data
Cloudflare will process on its behalf.
Cloudflare is mostly used for website
Is client scoped data collected, accessed, transmitted,
properties, making the general scope of
processed, disclosed, or retained that can be classified as
our services to include any data that
European Union covered Personal Data, or Sensitive Personal European Privacy & Data Personal Information
would be requested from your web
4477 P.1.5 Data (e.g., genetic data, biometric data, health data)? Yes Protection Identification and Classification P. Privacy
assets.

756762Content Library 756762Page 150 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain
Cloudflare also remains certified under
the EU-US and Swiss-US Privacy Shield
frameworks for onward transfers of EU
data to the United States. (See https:
Are there documented policies and procedures for cross border
//www.cloudflare.com/privacyshield/).
data flows or transfers of client Scoped data to the US from European Privacy & Data
Customers can agree to the data
3713 P.1.5.1 other countries, or from EU to other countries? Yes Protection Privacy Policies P. Privacy
processing addendum (DPA) within the
Cloudflare dashboard, or by speaking to
their Account Team."
Has the organization developed and approved Binding
Corporate Rules (BCR) to the applicable data protection
authorities for the authorization of international data Standard Contractual Clauses in place in European Privacy & Data Disclosure of Personal
5888 P.1.5.1.1 transfers? No lieu of BCR Protection Information P. Privacy
Standard Contractual Clauses and other
additional measures are in place to enable
the transfer of personal data (mainly
limited to IP addresses only) to third
countries.
Are transfers enabled only to countries that have received an European Privacy & Data Disclosure of Personal
See https://www.cloudflare.
5889 P.1.5.1.2 adequacy status from data protection authorities? No Protection Information P. Privacy
com/gdpr/introduction/

Are Standard Contractual Clauses (SCCs) in place to authorize European Privacy & Data Disclosure of Personal
5890 P.1.5.1.3 transfers of client scoped data? Yes Protection Information P. Privacy

Is there a Data Processing Agreement (DPA) in place to address European Privacy & Data Disclosure of Personal
5891 P.1.5.2 the organization's obligations for the services provided? Yes Protection Information P. Privacy

If necessary, based on the services, is your organization Cloudflare is registered with the United
registered with the appropriate Data Protection Authorities? If Kingdom’s Information Commissioner’s
yes, please list which authorities and member countries are in Office (ICO). Our registration number is European Privacy & Data
4479 P.1.5.3 scope for the services in the Additional Information field. Yes ZA139631. Protection Compliance Review P. Privacy

If required, is there a designated Data Protection Officer? If European Privacy & Data
4480 P.1.5.4 yes, please identify in the Additional Information field. Yes Emily Hancock Protection Compliance Review P. Privacy

Is there a process in place to erase Personal Data based on the Disposal, Destruction and
Right to be Forgotten if required based upon the services European Privacy & Data Redaction of Personal
4481 P.1.5.5 provided? Yes Protection Information P. Privacy

756762Content Library 756762Page 151 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Is there a mechanism to temporarily suspend the processing of European Privacy & Data Privacy Data Collection, Notice,
5892 P.1.5.6 Personal Data based upon an individual's request? Yes Protection Choice & Consent P. Privacy

Is client scoped data collected, transmitted, processed,


disclosed, or retained that can be classified as Personal
Information as defined by Canadian Personal Information
Protection and Electronic Documents Act (PIPEDA) or Canadian Canadian Privacy & Data Personal Information
4933 P.1.6 Provincial Privacy Regulations? Yes Protection Identification and Classification P. Privacy

Are there contractual obligations and procedures defined to


address breach notification to the client including maintenance Canadian Privacy & Data Privacy Incident & Breach
4934 P.1.6.1 of record-keeping obligations of all breaches? Yes Protection Management P. Privacy
* Singapore's PDPA
* Australia Privacy Act
* Japan's PIPA
Is client scoped data collected, accessed, transmitted,
* Canada's PIPEDA and PIPA
processed, or retained that can be classified under any other
* California's CCPA and CPRA
international privacy jurisdictions? If Yes, list the applicable International Privacy & Data Personal Information
* GDPR
4935 P.1.7 international location in the Additional Information field. Yes Protection Identification and Classification P. Privacy
* UK GDPR

Is client scoped data collected, accessed, transmitted,


processed, disclosed or retained that can be classified as Personal Information,
Cardholder Data (CHD) within a Cardholder Data Environment Identification, and
4937 P.1.8 (CDE) for credit card processing? Yes PCI Security Standards Classification P. Privacy

Is a Report on Compliance (ROC), or Self-Assessment


Questionnaire (SAQ) and Attestation of Compliance for Service Personal Information,
Providers (AOC) available? If Yes, please provide and note in Attestation of Compliance for Service Identification, and
4938 P.1.8.1 Additional Information field the type of assurance report. Yes Providers (AoC) PCI Security Standards Classification P. Privacy

Is client scoped data of minors collected, transmitted, Personal Information,


processed, disclosed, or stored that can be classified under the Identification, and
4939 P.1.9 Children's Online Privacy Protection Act (COPPA)? No Children's Privacy Classification P. Privacy

Does the organization maintain an external safe harbor Personal Information,


certification for children's privacy? If yes, please indicate the Adequate (validated) controls in place but Identification, and
4940 P.1.9.1 certifying organization and link to current status. No no specific certifications to that effect. Children's Privacy Classification P. Privacy

756762Content Library 756762Page 152 of Page(s)


756762Shared Assessments Program 756762SIG Management Tool (SMT) 756762 Version 2020

Jump To:
Master
Serial No Ques Num Question/Request Response Comments Notes Category Sub-category Domain

Is client scoped data collected, accessed, transmitted, Personal Information,


processed, disclosed, or retained that can be classified as Identification, and
5893 P.1.10 biometric data? No Privacy Program Management Classification P. Privacy

Does the contract limit the use of biometric identifiers and


Serial No | Ques Num | Question/Request | Response | Comments | Category | Sub-category | Domain
5894 | P.1.10.1 | prohibit the sale or disclosure for commercial purposes? | N/A | | Privacy Program Management | Use of Personal Information | P. Privacy
5895 | P.1.10.2 | Is there a documented procedure in place to destroy or erase biometric data within a retention schedule? | N/A | | Privacy Program Management | Disposal, Destruction and Redaction of Personal Information | P. Privacy
4482 | P.1.11 | Is there a designated organizational structure or function responsible for data privacy or data protection as it relates to client scoped data? | Yes | Privacy and Security Steering Committee, which includes the Chief Security Officer and Data Protection Officer, and the Cloudflare Compliance Committee. | Privacy Program Management | Responsibility & Accountability for Policies | P. Privacy
4471 | P.1.12 | Is documentation of data flows and/or data inventories maintained for client scoped data based on data or information classification? | Yes | Data flows are documented according to processing activities. | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
4485 | P.1.12.1 | Is there a formalized approval process to review and update data classification definitions and related data flows/data inventories of client scoped data on a periodic basis? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
4941 | P.1.12.2 | Does the data inventory and data flow documentation describe the data processing environment, including locations where data is collected, accessed, transmitted, processed, disclosed, or retained by affiliates, subcontractors, or vendors? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
4942 | P.1.12.3 | Does the data inventory and/or data flow documentation include identification of any access, transfer, processing, disclosure, or retention that crosses national borders? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy

5896 | P.1.12.4 | Is there a mechanism to document the relevant basis or authorization for data transfers across jurisdictions? | Yes | | Privacy Program Management | Privacy Policies | P. Privacy
5897 | P.1.12.5 | Does the organization maintain records that identify the approved countries to which personal data can possibly be transferred in normal operations, including subcontractor locations? | Yes | Sub-processors and locations are listed on Cloudflare's website: https://www.cloudflare.com/gdpr/subprocessors/ | Privacy Program Management | Privacy Policies | P. Privacy
5898 | P.1.12.6 | Does the data inventory include the categories of types of individuals whose data is being processed? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
5899 | P.1.12.7 | Does the data inventory identify the systems/products/services in scope for the provision of the services? | Yes | | Privacy Program Management | Infrastructure and Systems Management | P. Privacy
5900 | P.1.12.8 | Does the data inventory identify the specific data elements used within the services? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
5901 | P.1.12.9 | Does the data flow identify the source or origin of the data at each phase of its lifecycle? | Yes | | Privacy Program Management | Personal Information, Identification, and Classification | P. Privacy
4472 | P.1.13 | Is there a documented Privacy Policy or procedures for the protection of personal information collected, accessed, transmitted, processed, disclosed, or retained on behalf of the client? | Yes | Cloudflare's publicly available Privacy Policy can be found here: https://www.cloudflare.com/privacypolicy/ | Privacy Program Management | Privacy Policies | P. Privacy
4562 | P.1.13.1 | Are privacy controls defined and documented which address obligations for the security (confidentiality, integrity, and availability) of the client scoped data based on data or information classification? | Yes | | Privacy Program Management | Privacy Policies | P. Privacy

3224 | P.1.13.2 | Are there privacy policies and procedures with identified privacy controls that are reviewed and revised at least annually? | Yes | The Privacy Policy is reviewed on an as-needed basis, based upon changes to applicable laws and regulations. All other policies are reviewed annually, as required by the Cloudflare Policy on Policies. | Privacy Program Management | Privacy Policies | P. Privacy
4483 | P.1.13.3 | Is there a management procedure maintained to monitor changes in applicable privacy statutory, regulatory or contractual regulations or contractual obligations? | Yes | The Data Protection Officer monitors changes to and the development of privacy regulations. Contractual obligations related to privacy are approved by the Data Protection Officer and Commercial Transactions Team, and are tracked in compliance with ISO 27001:2013 controls. | Privacy Program Management | Changes in Regulatory and Business Requirements | P. Privacy
4484 | P.1.13.4 | Is there a documented privacy policy and are procedures maintained for the protection of information collected, transmitted, processed, disclosed, or maintained on behalf of the client? | Yes | Cloudflare's privacy policy is publicly available online: https://www.cloudflare.com/privacypolicy/ | Privacy Program Management | Privacy Policies | P. Privacy
5902 | P.1.13.5 | Are copies of privacy policies and associated procedures retained for a specified period in its retention schedule to address disputes or investigations by supervisory authorities? | Yes | | Privacy Program Management | Privacy Policies | P. Privacy
5903 | P.1.13.6 | Is version history of privacy policies maintained for externally facing web privacy policies to address disputes, inquiries, and investigations? | Yes | | Privacy Program Management | Privacy Policies | P. Privacy
4486 | P.1.14 | Are regular privacy impact risk assessments conducted? If yes, please provide frequency and scope in additional information field. | Yes | Products and services undergo initial and recurring risk assessments of privacy impact, at a frequency determined by the risks identified. | Privacy Program Management | Risk Assessments | P. Privacy
4487 | P.1.14.1 | Are privacy risks identified and associated mitigation plans documented in a formal data protection or privacy program plan that is reviewed by management? | Yes | | Privacy Program Management | Risk Assessments | P. Privacy
4488 | P.1.14.2 | Are sufficient resources allocated to mitigate identified privacy risks (e.g., people, time and money)? | Yes | | Privacy Program Management | Risk Assessments | P. Privacy

4489 | P.1.14.3 | Are procedures to assess privacy impact maintained which embed privacy requirements into new systems, applications or devices throughout the system lifecycle (e.g., Privacy by Design or Privacy by Default)? | Yes | | Privacy Program Management | Risk Assessments | P. Privacy
5904 | P.1.14.4 | Does the privacy impact risk assessment identify the privacy requirements, governance structures, and policy implementation/monitoring functions? | Yes | | Privacy Program Management | Risk Assessments | P. Privacy
5905 | P.1.14.5 | Does the privacy impact risk assessment process address requirements for all identified entities in scope for the environment (e.g., service providers, customers, partners, manufacturers, application developers)? | Yes | | Privacy Program Management | Risk Assessments | P. Privacy
4490 | P.1.15 | Is there a training and awareness program maintained that addresses data privacy and data protection obligations based on role? | Yes | | Privacy Program Management | Privacy Awareness & Training | P. Privacy
4491 | P.1.15.1 | Is privacy awareness training conducted for new employees at the time of onboarding? | Yes | | Privacy Program Management | Privacy Awareness & Training | P. Privacy
4492 | P.1.15.2 | Is privacy awareness training for employees, including privacy personnel, conducted on an annual basis, including acknowledgement and acceptance of their roles and responsibilities for privacy requirements? | Yes | | Privacy Program Management | Privacy Awareness & Training | P. Privacy
4493 | P.1.15.3 | Are privacy awareness training obligations extended to the organization's fourth parties (e.g., subcontractors or vendors)? | Yes | | Privacy Program Management | Privacy Awareness & Training | P. Privacy
4494 | P.1.16 | Are documented policies and procedures maintained to detect and report unauthorized acquisition, use, or disclosure of client scoped data? | Yes | | Privacy Program Management | Privacy Incident & Breach Management | P. Privacy

4495 | P.1.16.1 | Is a process maintained to identify and record any detected or reported unauthorized disclosures of personal information? | Yes | | Privacy Program Management | Privacy Incident & Breach Management | P. Privacy
4496 | P.1.16.2 | Is there a process in place to identify and report privacy incidents, including notification to external authorities as required by applicable privacy or cyber security law? | Yes | | Privacy Program Management | Privacy Incident & Breach Management | P. Privacy
4497 | P.1.16.3 | Is there a formal privacy incident communication procedure integrated with the information security incident response and escalation process? | Yes | | Privacy Program Management | Privacy Incident & Breach Management | P. Privacy
4943 | P.2 | Does the organization have or maintain internet-facing website(s), mobile applications, or other digital services or applications that collect, use, disclose, or retain client-scoped data and are used directly by individuals? | Yes | | Notice | Provision of Notice | P. Privacy
4499 | P.2.1 | Do clear and conspicuous privacy notices identify the business purposes for which personal information is collected, used, processed, retained, maintained, and disclosed? | Yes | | Notice | Communication to Individuals | P. Privacy
4563 | P.2.2 | Do privacy notices include the categories of information collected and the use of outside data sources, including any categories of affiliates or non-affiliated third parties with whom the personal data is shared? | Yes | | Notice | Communication to Individuals | P. Privacy
4501 | P.2.3 | Is there an ongoing process to regularly review and update privacy policies and notices on a periodic basis? | Yes | | Notice | Privacy Policies | P. Privacy
4502 | P.2.4 | Is notice provided at or before point of collection regarding the selling of personal data or sharing of data with third parties for marketing purposes? | N/A | Cloudflare does not sell personal data to third parties (for marketing purposes or otherwise). Cloudflare does not share customers' personal data with third parties for marketing. | Notice | Communication to Individuals | P. Privacy

4503 | P.2.5 | Are notices communicated to inform individuals regarding awareness of privacy obligations, retention periods of data collected, and opt-out choices applicable to the services? | Yes | Cloudflare has a Privacy Policy and will enter a DPA with customers. | Notice | Communication to Individuals | P. Privacy
4565 | P.2.6 | Do privacy notices identify the web or digital technology(ies) used (e.g., pixels, geolocation, cookies, web beacons, tracking tools), include a description of how the technology(ies) is used, and include opt-out mechanisms? | Yes | | Notice | Entities and Activities Covered | P. Privacy
5906 | P.2.7 | Is there a mechanism to address the ability for individuals to prohibit the sale of their personal information? | N/A | Cloudflare does not share customers' personal data with third parties for marketing. | Notice | Communication to Individuals | P. Privacy
4944 | P.3 | Is personal information collected directly from an individual by the organization on behalf of the client? | Yes | | Choice & Consent | Privacy Policies | P. Privacy
4504 | P.3.0.1 | Are there documented privacy policies and procedures that address choice and consent based on the statutory, regulatory, or contractual obligations to provide privacy protection for client-scoped data? | Yes | Where Cloudflare processes end-user data, it is the responsibility of the data controller (our customer) to ensure the personal data is being processed on a valid basis. | Choice & Consent | Privacy Policies | P. Privacy
4506 | P.3.0.2 | Are choices offered regarding the collection, use, processing, retention, disclosure and disposal of personal information communicated? | Yes | The customer dictates what types of data Cloudflare will process on its behalf. | Choice & Consent | Communication to Individuals | P. Privacy
5907 | P.3.0.3 | Is there a mechanism in place to receive and address changes that can include modification or withdrawal of consent? | Yes | | Choice & Consent | Communication to Individuals | P. Privacy
5908 | P.3.0.4 | Is there a mechanism in place to receive and address restrictions on processing, or objections to the processing of personal information? | Yes | | Choice & Consent | Communication to Individuals | P. Privacy

5658 | P.4 | For client scoped data, is personal information provided to the organization directly by the client? | Yes | | Collection | Types of Personal Information Collection and Methods of Collection | P. Privacy
3707 | P.4.1 | Are there documented policies and procedures regarding limiting the personal information collected and its use to the minimum necessary? | Yes | | Collection | Collection limited to identified purpose | P. Privacy
4509 | P.4.2 | Are there documented policies and procedures that address data collection and use based on the instructions of the client or by contract? | Yes | The customer data processing addendum governs Cloudflare's obligations with respect to client-scoped data processed on behalf of the client. | Collection | Collection by Fair and Lawful Means | P. Privacy
3237 | P.5 | Are there documented policies and procedures in place to ensure that the access, transmission, processing, disclosure, and retention of client scoped data is limited, and in compliance with applicable law? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5914 | P.5.1 | Are purpose limitations to the collection, use, and retention of personal information defined in the contract? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5915 | P.5.2 | If required by privacy jurisdiction, are mechanisms in place to enable data portability of client scoped data maintained by the organization? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5916 | P.5.3 | Does the organization maintain a process to determine if client instructions for data processing infringe on applicable legislation or regulation? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
4510 | P.5.4 | Is there a documented records retention policy and process with defined schedules that ensure that Personal Information is retained for no longer than necessary? | Yes | | Use, Retention, & Disposal | Retention of Personal Information | P. Privacy

5948 | P.5.4.1 | Does the organization have a process for ensuring the timely secure disposal of temporary files that have been created containing PII? | Yes | | Use, Retention, & Disposal | Retention of Personal Information | P. Privacy
4511 | P.5.5 | Is there a policy and process to limit any secondary use of client scoped data unless authorized? | Yes | We have in place data processing addendums (DPAs) with vendors and sub-processors who process personal information on our behalf. We choose our vendors and sub-processors carefully, conducting thorough assessments of their privacy and security practices before we even enter contracts with them. Once we have a contract and DPA in place, the extent of our oversight of their compliance varies depending on the nature of the information being processed, the systems to which a sub-processor or vendor may have access, and other factors. | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
4512 | P.5.6 | Are there control mechanisms in place to de-identify, mask, anonymize, or pseudonymize personal data to prevent loss, theft, misuse or unauthorized access? | Yes | | Use, Retention, & Disposal | Disposal, Destruction and Redaction of Personal Information | P. Privacy
3692 | P.5.7 | Is there a policy and/or process to limit or prevent the sharing of client scoped data with affiliates unless authorized? | Yes | We have in place data processing addendums (DPAs) with vendors and sub-processors who process personal information on our behalf. We choose our vendors and sub-processors carefully, conducting thorough assessments of their privacy and security practices before we even enter contracts with them. Once we have a contract and DPA in place, the extent of our oversight of their compliance varies depending on the nature of the information being processed, the systems to which a sub-processor or vendor may have access, and other factors. | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
4513 | P.5.8 | Is client scoped data aggregated, appended, or modeled using data analytics? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5909 | P.5.8.1 | Does the data analytics process combine outside data sources of personal information with client scoped data? | No | | Collection | Collection from Third Parties | P. Privacy
5910 | P.5.8.2 | Are data analytic inputs and outputs identified and evaluated for bias? | N/A | | Use, Retention, & Disposal | Information Developed About Individuals | P. Privacy
5911 | P.5.8.3 | Is there a process in place to conduct periodic algorithm or data model reviews? | N/A | | Use, Retention, & Disposal | Privacy Policies | P. Privacy

4514 | P.5.9 | Is personal information collected electronically or processed through automated means? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5912 | P.5.9.1 | Do the services involve the use of automated decision making? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
5913 | P.5.9.2 | If yes, are there mechanisms to receive and implement requests to object to the decision making, or require human intervention? | Yes | | Use, Retention, & Disposal | Use of Personal Information | P. Privacy
4945 | P.6 | Are individuals informed about their rights to access, review, update, correct and limit disclosure or transmission of their personal information which is maintained by the organization? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
4515 | P.6.1 | Is there a documented process to reasonably authenticate or verify an individual's request prior to fulfilling their request for access to their personal information? | Yes | | Access | Confirmation of an Individual's Identity | P. Privacy
4516 | P.6.1.1 | Is there a process to inform individuals in writing of the reason a request for access to their personal information was denied, and the dispute mechanisms, if any, to challenge it as specifically permitted or required by law or regulation? | Yes | | Access | Denial of Access | P. Privacy
4946 | P.6.1.2 | Does the mechanism to inform individuals about their rights of access to their personal information include specified timeframes, standardized formats, costs of response, or exceptions/limitations? | Yes | | Access | Understandable Personal Information, Time Frame, and Cost | P. Privacy
4947 | P.6.2 | If required, are there processes established to require the service provider to enable the fulfillment of an individual's access rights and requests? If yes, please describe in additional information field. | Yes | Included in the Cloudflare DPA: we will help our customers to comply with DSARs. | Access | Access by Individuals to their Personal Information | P. Privacy

4948 | P.6.2.1 | Does the process to respond to an individual's access request include the categories and specific pieces of personal information if collected by the organization? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
4949 | P.6.2.2 | Does the process to respond to an individual's access request include the personal information that has been shared with fourth parties (vendors, subcontractors, service providers)? | Yes | Where an individual requests this information it can be provided to them, subject to compliance with relevant laws. | Access | Access by Individuals to their Personal Information | P. Privacy
4950 | P.6.2.3 | Does the process to respond to an individual's access request include providing the origins or sources of information collected? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
4951 | P.6.2.4 | Does the process to respond to an individual's access request include providing the business or commercial purpose for collecting or selling personal information? | Yes | Yes for the purpose of collecting; N/A for selling, as Cloudflare does not sell personal information. | Access | Access by Individuals to their Personal Information | P. Privacy
5917 | P.6.2.5 | Does the contract specify the technical measures and obligations of the organization to support individuals' access requests? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
5918 | P.6.2.6 | Are records of data disclosures and sharing maintained that can be accessed by individuals upon request? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
5919 | P.6.2.7 | Does the process to respond to an individual's access request include communication of the status and completion of the request? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy
5920 | P.6.2.8 | Are records of access requests by individuals maintained for the minimum period prescribed by applicable laws or regulations? | Yes | | Access | Access by Individuals to their Personal Information | P. Privacy

4952 | P.7 | Are policies and procedures in place to address third party privacy obligations, including limitations on disclosure and use of client scoped data? | Yes | | Disclosures to Third Parties | Disclosure of Personal Information | P. Privacy
4953 | P.7.1 | Do agreements with third parties who have access to or potential access to client scoped data address confidentiality, audit, security, and privacy, including but not limited to incident response and notification, ongoing monitoring, return of data, and secure disposal of client scoped data? | Yes | | Disclosures to Third Parties | Disclosure of Personal Information | P. Privacy
5659 | P.7.2 | Do agreements with third parties who have access to or potential access to client scoped data address limitations on personal information use and disclosure, retention, and restrictions on selling of personal information? | Yes | | Disclosures to Third Parties | Protection of Personal Information | P. Privacy
4567 | P.7.3 | Do contracts or agreements with third parties define the nature, business purpose, and duration of processing, direction including type of personal information or categories of data subjects that are in scope of the services? | Yes | | Disclosures to Third Parties | Protection of Personal Information | P. Privacy
4568 | P.7.4 | If required, are there contractual controls established to require the service provider to enable the fulfillment of data subject access rights and requests? If yes, please describe in Additional Information field. | Yes | These requirements are set out in Cloudflare's Vendor Data Processing Addendum. | Disclosures to Third Parties | Access by Individuals to their Personal Information | P. Privacy
4954 | P.7.5 | Are policies and procedures documented that demonstrate the understanding by the organization of its privacy obligations and implementation of limitations on disclosure, use, sharing, and retention of client scoped data? | Yes | | Disclosures to Third Parties | Communication to Third Parties | P. Privacy
4569 | P.7.6 | Do fourth parties (e.g., subcontractors, sub-processors, sub-service organizations) have access to, receive, or process client scoped data? | Yes | | Disclosures to Third Parties | Disclosure of Personal Information | P. Privacy
4570 | P.7.6.1 | Has client consent been obtained for any usage of fourth parties, subcontractors, sub-processors or sub-service organizations? | Yes | | Disclosures to Third Parties | Protection of Personal Information | P. Privacy

4571 | P.7.6.2 | Is a contract maintained with such fourth parties to require each fourth party, subcontractor, sub-processor, or sub-service organization to adhere to the same legal and contractual requirements that are required of the service organization? | Yes | | Disclosures to Third Parties | Protection of Personal Information | P. Privacy
4520 | P.7.7 | Are there documented policies, procedures or mechanisms to provide notice, and if required obtain consent, for any new or changed usage of fourth parties, subcontractors, sub-processors, or sub-service organizations? | Yes | Yes. In our vendor sub-processor DPA, we require that our vendors/sub-processors provide Cloudflare with notice and the opportunity to object to additional vendors/sub-processors. | Disclosures to Third Parties | Protection of Personal Information | P. Privacy
4573 | P.7.8 | Is there a documented process to obtain and periodically assess compliance with confidentiality and privacy commitments and requirements between client and service provider? | Yes | | Disclosures to Third Parties | Misuse of Personal Information by a Third Party | P. Privacy
5921 | P.7.9 | Is there a documented process to notify the client regarding any legally binding requests for disclosure of client scoped data (e.g., subpoena, law enforcement request, court order, and regulatory inquiry)? | Yes | | Disclosures to Third Parties | Disclosure of Personal Information | P. Privacy
3221 | P.8 | Is there a documented data protection program with administrative, technical, and physical and environmental safeguards for the protection of client scoped data? | Yes | | Security for Privacy | Information Security Program | P. Privacy
4521 | P.8.1 | Are tests conducted of the effectiveness of the key administrative, technical, physical and environmental safeguards for protecting personal information at least annually? | Yes | Auditing and testing are conducted as part of PCI DSS, ISO 27001:2013, and SOC 2 security compliance audits. | Security for Privacy | Testing Security Safeguards | P. Privacy
4522 | P.8.2 | Are mechanisms established so that access to personal information is limited to authorized personnel based upon their assigned roles and responsibilities? | Yes | | Security for Privacy | Logical Access Controls | P. Privacy
4523 | P.8.3 | Is there a mechanism that informs individuals of the administrative, technical, and physical safeguards taken to protect their personal information? | Yes | | Security for Privacy | Communication to Individuals | P. Privacy
4524 | P.8.4 | Is there a Vendor Risk Management Program (including ongoing monitoring) maintained to address the security of the client scoped data that may be accessed, processed, communicated to, or managed by external parties? | Yes | Vendors, including sub-processors, are subject to Cloudflare's Vendor Security Program, which includes a questionnaire-based review and the sharing of all relevant security certifications. Vendors who are deemed high-risk due to the service they are offering, including sub-processors, are re-evaluated annually by the vendor risk program. | Security for Privacy | Information Security Program | P. Privacy
4574 | P.8.5 | Is there a control to protect personal information stored on portable media or devices from unauthorized access? | Yes | | Security for Privacy | Personal Information on Portable Media | P. Privacy
4575 | P.8.6 | Is there a process or mechanism to minimize the use of personal information in testing, training and research? | Yes | | Security for Privacy | Testing Security Safeguards | P. Privacy
4526 | P.9 | Is there a documented policy or process to maintain accurate, complete and relevant records of client scoped data? | N/A | Cloudflare's customers are required to keep their information, such as account login data, up to date. | Quality | Accuracy and Completeness of Personal Information | P. Privacy
4955 | P.9.1 | Are procedures documented that outline the relevancy of the personal information collected, used, or processed to the defined purpose in the contract or privacy notice? | Yes | | Quality | Accuracy and Completeness of Personal Information | P. Privacy
4576 | P.9.2 | Is there an oversight function or compliance management system maintained that addresses the quality and integrity of client scoped data or personal information maintained by the organization? | N/A | Cloudflare's customers are required to keep their information, such as account login data, up to date. | Quality | Relevance of Personal Information | P. Privacy
4529 | P.10 | Is there a data privacy or data protection function that maintains compliance, enforcement and monitoring procedures to address compliance with its privacy obligations for client scoped data? | Yes | | Monitoring and Enforcement | Compliance Review | P. Privacy
3860 | P.10.1 | Are there enforcement mechanisms in place to address privacy inquiries, complaints, disputes and recourse for violations of privacy compliance? | Yes | | Monitoring and Enforcement | Inquiry, Complaint, and Dispute Process | P. Privacy

4530 | P.10.2 | Are there policies and processes in place to address privacy inquiries, complaints and disputes? | Yes | | Monitoring and Enforcement | Inquiry, Complaint, and Dispute Process | P. Privacy
4531 | P.10.3 | Is an independent dispute mechanism maintained for resolution of privacy disputes? If so, identify the provider in additional information field. | Yes | TRUSTe | Monitoring and Enforcement | Dispute Resolution and Recourse | P. Privacy
4532 | P.10.4 | Are applicable licenses, registrations, permits, or approvals maintained as required by applicable privacy laws and regulations? | Yes | Cloudflare is certified to the EU-US and Swiss-US Privacy Shields. | Monitoring and Enforcement | Compliance Review | P. Privacy
5885 | P.10.4.1 | If required, has the organization registered as a data broker under any state regulation? If yes, identify the state and link to the registration in the Additional Information field. | N/A | Not required | State Privacy Regulations | Personal Information Identification and Classification | P. Privacy
5922 | P.10.4.2 | If required, has the organization registered as a telemarketer under any state regulation? If yes, identify the state and link to the registration in the Additional Information field. | N/A | Not required | State Privacy Regulations | Use of Personal Information | P. Privacy
4956 | P.10.5 | Is compliance with privacy policies, commitments, SLAs, contractual obligations, and applicable laws/regulations reviewed and documented, with results reported to management? | Yes | | Monitoring and Enforcement | Compliance Review | P. Privacy
4957 | P.10.6 | Are there processes in place to address instances of non-compliance with privacy obligations for client scoped data, including corrective measures and disciplinary measures? | Yes | | Monitoring and Enforcement | Instances of noncompliance | P. Privacy
4958 | P.10.7 | Are there any open or unresolved privacy findings or citations from regulatory authorities applicable to the services? | No | | Monitoring and Enforcement | Instances of noncompliance | P. Privacy

5923 | P.10.8 | Does the organization participate in any self-regulatory, self-certification, or formal certification to address compliance to specific privacy obligations? | Yes | | Monitoring and Enforcement | Compliance Review | P. Privacy
5924 | P.10.9 | Does the organization maintain memberships in self-regulatory or interoperability frameworks (e.g., ANA, NAI, DMA, IAB) to address privacy risks or codes of conduct for the collection, use, and transfer of data? If so, please indicate in the Additional Information field. | No | | Monitoring and Enforcement | Compliance Review | P. Privacy
5925 | P.10.10 | Has the organization self-certified to the EU-U.S. Privacy Shield Framework and/or Swiss-U.S. Privacy Shield Framework? If yes, please provide a link to the publicly available filing. | Yes | https://www.privacyshield.gov/participant?id=a2zt0000000GnZKAA0&status=Active | Monitoring and Enforcement | Compliance Review | P. Privacy
5926 | P.10.11 | Has the organization applied for and received GDPR certification to an accredited certification body or to the competent supervisory authority? | N/A | There are no accredited GDPR certifications, however Cloudflare is certified to ISO 27701:2019 which aligns to the GDPR. | Monitoring and Enforcement | Compliance Review | P. Privacy
5927 | P.10.12 | Has the organization applied for and received APEC Certification for Processors by an authorized Accountability Agent? | No | | Monitoring and Enforcement | Compliance Review | P. Privacy
5928 | P.10.13 | Has the organization applied for and received certification as a data processor for the international standard ISO/IEC 27701:2019 Privacy Information Management System (PIMS)? | Yes | | Monitoring and Enforcement | Compliance Review | P. Privacy
4534 | T.1 | Are Windows servers used as part of the Scoped Services? | No | | Malware Protection | Scoping | T. Threat Management
895 | T.1.1 | Is there an anti-malware policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? | Yes | | Malware Protection | Anti-Malware Policy | T. Threat Management


4343 | T.1.1.1 | Does the anti-malware policy or program include defined operating systems that require antivirus? | Yes | | Malware Protection | Anti-Malware Policy | T. Threat Management
4344 | T.1.1.2 | Does the anti-malware policy or program include defined antivirus configuration requirements including required modules/components? | Yes | | Malware Protection | Anti-Malware Policy | T. Threat Management
4345 | T.1.1.3 | Does the anti-malware policy or program prohibit disabling anti-malware with exceptions requiring Security approval and re-enablement as soon as possible? | Yes | Cloudflare has managed enterprise antivirus deployments for all systems commonly affected by malicious software, per PCI requirement 5. | Malware Protection | Anti-Malware Coverage Exclusions | T. Threat Management
4346 | T.1.1.4 | Does the anti-malware policy or program require approval from Security and documentation of any folders, applications, and processes excluded from anti-malware scanning? | Yes | | Malware Protection | Anti-Malware Coverage Exclusions | T. Threat Management
4347 | T.1.1.5 | Does the anti-malware policy or program require documentation of any folders, applications, and/or processes excluded from anti-malware scanning? | Yes | | Malware Protection | Anti-Malware Coverage Exclusions | T. Threat Management
912 | T.1.1.6 | Does the approved anti-malware policy or program mandate an interval between the availability of a new anti-malware signature update and its deployment no longer than 24 hours? | Yes | Third party software is updated automatically at the Edge. | Malware Protection | Anti-Malware Policy | T. Threat Management
4348 | T.1.1.7 | Are whitelisted and/or blacklisted applications documented and enforced? | Yes | | Malware Protection | Application Whitelisting/Blacklisting | T. Threat Management
4116 | T.1.1.8 | Are anti-malware standards reviewed and/or updated at least annually to account for new security features and threats? | Yes | | Malware Protection | Anti-Malware Policy | T. Threat Management


4384 | T.1.1.9 | Are anti-malware software version and engine upgrade deployment failures reviewed at least weekly? | Yes | Third party software is updated automatically at the Edge. | Malware Protection | Anti-Malware Operations | T. Threat Management
4386 | T.1.1.10 | Is there a defined procedure to identify and correct systems without anti-malware software, performed at least weekly? | Yes | | Malware Protection | Anti-Malware Operations | T. Threat Management
4387 | T.1.1.11 | Does the anti-malware policy or program require a periodic configuration review performed at least quarterly and when a change is made to anti-malware standards? | Yes | Baseline configurations maintained | Malware Protection | Anti-Malware Policy | T. Threat Management
1014 | T.1.1.12 | Does outbound web traffic get scanned for malware and malicious/blacklisted sites, with any authorized exclusions documented? | No | | Malware Protection | Web Malware Scanning | T. Threat Management
4959 | T.1.2 | Are systems configured to detect and alert on the unauthorized use of mobile code (e.g., Java, ActiveX, Flash, VBScript)? | Yes | | Malware Protection | Mobile Code Protection | T. Threat Management
2653 | T.1.3 | Is mobile code prohibited from executing (e.g., Java, ActiveX, Flash, VBScript)? | Yes | | Malware Protection | Mobile Code Protection | T. Threat Management
4349 | T.2 | Is there a Vulnerability Management Policy or Program that has been approved by management, communicated to appropriate constituents and an owner assigned to maintain and review the policy? | Yes | | Vulnerability Management | Vulnerability Management Policy | T. Threat Management
3913 | T.2.1 | Are vulnerabilities ranked for importance to the system and vulnerability identified? | Yes | | Vulnerability Management | Vulnerability Remediation | T. Threat Management


3716 | T.2.2 | Are vulnerabilities documented and tracked to remediation? | Yes | As required by PCI DSS Requirement 6.1, Cloudflare assigns a risk rating to vulnerabilities found during quarterly scans and prioritizes remediation in accordance with the assigned risk. | Vulnerability Management | Vulnerability Remediation | T. Threat Management
4350 | T.2.3 | Are exceptions and risk mitigation strategies tracked and approved by the Security group? | Yes | | Vulnerability Management | Vulnerability Remediation | T. Threat Management
3711 | T.2.4 | Are network Vulnerability Scans performed against internal networks and systems? | Yes | | Vulnerability Management | Vulnerability Scans: Internal | T. Threat Management
4351 | T.2.4.1 | Do network Vulnerability Scans occur at least monthly? | Yes | | Vulnerability Management | Vulnerability Scans: Internal | T. Threat Management
4352 | T.2.4.2 | Do network Vulnerability Scans occur after a significant change? | Yes | | Vulnerability Management | Vulnerability Scans: Internal | T. Threat Management
3717 | T.2.5 | Are network vulnerability scans performed against internet-facing networks and systems? | Yes | | Vulnerability Management | Vulnerability Scans: External | T. Threat Management
4353 | T.2.5.1 | Do network Vulnerability Scans occur at least monthly? | Yes | | Vulnerability Management | Vulnerability Scans: External | T. Threat Management
4354 | T.2.5.2 | Do network Vulnerability Scans occur after a significant change? | Yes | | Vulnerability Management | Vulnerability Scans: External | T. Threat Management


3721 | T.2.6 | Are penetration tests performed? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4356 | T.2.6.1 | Is penetration testing performed at least annually? | Yes | Cloudflare conducts penetration testing of the network and dashboard annually in accordance with PCI DSS requirement 11.3 | Vulnerability Management | Penetration Testing | T. Threat Management
4357 | T.2.6.2 | Is penetration testing performed after significant changes? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
3710 | T.2.6.3 | Are Penetration Tests performed by independent, trained and experienced personnel? | Yes | Cloudflare has hired a consulting group to run its network and application penetration testing for 2019. | Vulnerability Management | Penetration Testing | T. Threat Management
3463 | T.2.6.4 | Do penetration test procedures include manual in addition to automated procedures? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4358 | T.2.6.5 | Is penetration testing performed on external systems from the Internet? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4359 | T.2.6.6 | Is penetration testing performed on internal systems from inside the network? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4360 | T.2.6.7 | Does penetration testing include attempted exploitation of vulnerabilities? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management


4361 | T.2.6.8 | Do Penetration Tests include password cracking attacks against available services? | No | | Vulnerability Management | Penetration Testing | T. Threat Management
4362 | T.2.6.9 | Are web applications included in Penetration Tests? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4363 | T.2.6.10 | Are network and system details provided to the tester (White-Box Test) in Penetration Tests? | No | | Vulnerability Management | Penetration Testing | T. Threat Management
3914 | T.2.6.11 | Are Penetration Testing issues risk-ranked for importance to the system and vulnerability identified? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
3725 | T.2.6.12 | Are Penetration Testing issues documented and tracked to remediation? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
4364 | T.2.6.13 | Are Penetration Testing exceptions and risk mitigation strategies tracked and approved by the security group? | Yes | | Vulnerability Management | Penetration Testing | T. Threat Management
3377 | T.2.6.14 | Are clients permitted to execute a Penetration Test of the external environment? | Yes | Customers can conduct scans; penetration testing must be approved as part of the customer contract. | Vulnerability Management | Penetration Testing | T. Threat Management
2233 | T.3 | Are there policies and processes to secure threat and vulnerability assessment tools and the data they collect? | Yes | | Vulnerability Management | Security Tools | T. Threat Management


4960 | T.4 | Are there documented and managed processes for identifying and managing cyber supply chain risks (i.e. ensuring software and hardware components used as part of delivering a service or product do not present a risk)? | Yes | | Vulnerability Management | Cyber Supply Chain Risk Management | T. Threat Management
4961 | T.4.1 | Is there a documented process in place to detect backdoors present in software and hardware sourced from third parties used in the delivery of service? | Yes | | Vulnerability Management | Cyber Supply Chain Risk Management | T. Threat Management
4962 | T.5 | Do you deliver software, firmware, and/or BIOS updates to clients through automatic downloads (e.g., Windows Update, LiveUpdate)? | N/A | Cloudflare is not providing customers with hardware or services that require updates. | Vulnerability Management | Automatic Software Update Mechanisms | T. Threat Management
4963 | T.5.1 | Is there a documented process in place to protect against and detect attacks against automatic software update mechanisms? | Yes | | Vulnerability Management | Automatic Software Update Mechanisms | T. Threat Management
4366 | U.1 | Are Servers used for transmitting, processing or storing scoped data? | Yes | | Server Security Configuration Management | Governance | U. Server Security
4367 | U.1.1 | Are server security configuration standards documented and based on external industry or vendor guidance? | Yes | | Server Security Configuration Management | Server Security Configuration Standards | U. Server Security
4368 | U.1.1.1 | Are server security standards reviewed and/or updated at least annually to account for any changes in environment, available security features and/or leading practices? | Yes | | Server Security Configuration Management | Server Security Configuration Standards | U. Server Security
4369 | U.1.1.2 | Are server security configuration reviews performed regularly to validate compliance with documented standards? | Yes | | Server Security Configuration Management | Server Security Configuration Reviews | U. Server Security


4535 | U.1.1.2.1 | Are server security configuration reviews performed to validate compliance with documented standards at least annually? | Yes | Cloudflare is subject to annual audit for PCI DSS, and has undergone ISO 27001 and SOC 2 audits this year. | Server Security Configuration Management | Server Security Configuration Reviews | U. Server Security
4536 | U.1.2 | Are all servers configured according to security standards as part of the build process? | Yes | | Server Security Configuration Management | Server Build Security Configuration | U. Server Security
4370 | U.1.2.1 | Are all unnecessary/unused services uninstalled or disabled on all servers? | Yes | | Server Security Configuration Management | Network and System Services | U. Server Security
4371 | U.1.2.2 | Are all remote access and file sharing services configured to require authentication and encryption on all servers? | Yes | | Server Security Configuration Management | Network and System Services | U. Server Security
4372 | U.1.2.3 | Is data on a separate drive from the operating system executables/binaries on all servers? | Yes | | Server Security Configuration Management | Volume Security | U. Server Security
4373 | U.1.2.4 | Are all servers configured to log users out after 15 minutes of inactivity? | No | Cloudflare enforces timeout at the device level through MDM. | Server Security Configuration Management | Session Time-Out | U. Server Security
2659 | U.1.2.5 | Are vendor default passwords removed, disabled or changed prior to placing any device or system into production? | Yes | | Server Security Configuration Management | Password Management | U. Server Security
4377 | U.1.3 | Is sufficient detail contained in operating system and application logs to support security incident investigations (at a minimum, successful and failed login attempts, and changes to sensitive configuration settings and files)? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security


4378 | U.1.3.1 | Are operating system and application events relevant to supporting incident investigation retained for a minimum of one year? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
4381 | U.1.3.2 | Are operating system and application logs relevant to supporting incident investigation protected against modification, deletion and/or inappropriate access? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
4379 | U.1.3.3 | Are operating system and application events relevant to supporting incident investigation stored on alternate systems? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
4380 | U.1.3.4 | Is a system generated notification issued in the event the system fails to write an operating system or application event to an audit log? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
4383 | U.1.4 | Is an alert generated if removable media (floppy disk, recordable CD, USB drive) is used on servers? | Yes | | Server Security Configuration Management | Audit Logs | U. Server Security
2213 | U.1.5 | Are all systems and applications patched regularly? | Yes | | Server Patching | Patching Cadence | U. Server Security
4374 | U.1.5.1 | Are all available high-risk security patches applied and verified at least monthly on all server platforms? | Yes | | Server Patching | Patching Cadence | U. Server Security
2215 | U.1.5.2 | Are all server patches, service packs and hot fixes tested prior to installation? | Yes | | Server Patching | Patch Testing | U. Server Security


2217 | U.1.5.3 | Do patch management processes include evaluation and prioritization of vulnerabilities? | Yes | | Server Patching | Patching Operations | U. Server Security
2686 | U.1.5.4 | Do patch management processes include logging of patch successes and failures? | Yes | | Server Patching | Patching Operations | U. Server Security
2687 | U.1.5.5 | Do patch management processes include priority patching of high-risk systems first? | Yes | | Server Patching | Patching Operations | U. Server Security
4375 | U.1.5.6 | Are all server patching exceptions necessary, documented and approved? | Yes | | Server Patching | Patching Exception Management | U. Server Security
2216 | U.1.5.7 | Are third party alert services used to keep up to date with the latest server vulnerabilities? | Yes | | Server Patching | Patching Operations | U. Server Security
4376 | U.1.5.8 | Are there any Operating System versions in use within the Scoped Services that no longer have patches released? If yes, please describe in the Additional Information section. | No | | Server Patching | Patching Operations | U. Server Security
4537 | U.1.6 | Is Unix or Linux used as part of the scoped services? | Yes | | Unix/Linux Security | Scoping | U. Server Security
1292 | U.1.6.1 | Are users required to 'su' or 'sudo' into root? | Yes | | Unix/Linux Security | Root/Administrator Authentication | U. Server Security


1294 | U.1.6.2 | Does remote su/root access require multi-factor authentication? | Yes | | Unix/Linux Security | Multi-factor SU/Root | U. Server Security
1302 | U.1.6.3 | Is modification of startup and shutdown scripts restricted to root-level users? | Yes | | Unix/Linux Security | Startup/Shutdown Security | U. Server Security
4538 | U.1.7 | Are AS/400s used as part of the scoped services? | No | | AS/400 Security | Scoping | U. Server Security
1580 | U.1.7.1 | Are group profile assignments based on constituent role? | N/A | Cloudflare does not use AS/400s. | AS/400 Security | Role-Based Group Profile | U. Server Security
1581 | U.1.7.2 | Are group profile assignments approved? | N/A | Cloudflare does not use AS/400s. | AS/400 Security | Group Profile Approval | U. Server Security
4539 | U.1.8 | Are Mainframes used as part of the scoped services? | No | | Mainframe Security | Scoping | U. Server Security
1497 | U.1.8.1 | Are storage management personnel (tape operators) given privileged access to mainframe systems? | N/A | | Mainframe Security | Tape Operator Access | U. Server Security
1502 | U.1.8.2 | Are ESM (RACF) and inherent security configuration settings configured to support mainframe access control standards and requirements? | N/A | | Mainframe Security | Access Control Subsystem Configuration Management | U. Server Security


1492 | U.1.8.3 | Is authentication required for access to any mainframe transaction or database system? | Yes | | Mainframe Security | Transaction or Database Authentication | U. Server Security
3649 | U.1.9 | Are Hypervisors used to manage systems used to transmit, process or store Scoped data? | No | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3650 | U.1.9.1 | Are Hypervisor hardening standards applied on all Hypervisors? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3651 | U.1.9.2 | Are Hypervisor Standard builds/security compliance checks required? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3652 | U.1.9.3 | Are Hypervisors kept up to date with current patches? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3653 | U.1.9.4 | Are unnecessary/unused Hypervisor services turned off? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3655 | U.1.9.5 | Is sufficient information in Hypervisor logs to evaluate incidents? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3656 | U.1.9.6 | Are Hypervisor logs retained for a minimum of one year? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security


3657 | U.1.9.7 | Is there a system generated alert in the event of Hypervisor audit log failure? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3658 | U.1.9.8 | Are Hypervisor audit logs stored on alternate systems? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3659 | U.1.9.9 | Are Hypervisor audit logs protected against modification, deletion and/or inappropriate access? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3670 | U.1.9.10 | Does the Hypervisor system lock accounts after 3-5 invalid login attempts? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3671 | U.1.9.11 | Is administrative access restricted to Hypervisor management interfaces? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3672 | U.1.9.12 | Are unneeded Hypervisor services disabled (e.g., file-sharing between the guest and the host operating system)? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3673 | U.1.9.13 | Does the Hypervisor have introspection capabilities to monitor the security of each guest operating system? | N/A | | Hypervisor and Virtualization Security | Guest OS Security | U. Server Security
3674 | U.1.9.14 | Does the Hypervisor have introspection capabilities to monitor the security of activity taking place between each guest operating system? | N/A | | Hypervisor and Virtualization Security | Virtual Network Security | U. Server Security


3675 | U.1.9.15 | Are separate network VLANs for host operating system communication with guest operating systems configured in the Hypervisor? | N/A | | Hypervisor and Virtualization Security | Virtual Network Security | U. Server Security
3676 | U.1.9.16 | Do guest operating systems communicate on separate VLANs from other guest operating systems that they do not need to communicate with? | N/A | | Hypervisor and Virtualization Security | Virtual Network Security | U. Server Security
3677 | U.1.9.17 | Is the host operating system management interface on a separate network from those used by guest operating systems? | N/A | | Hypervisor and Virtualization Security | Virtual Network Security | U. Server Security
3678 | U.1.9.18 | Is two-factor authentication required for access to the administrative interfaces? | N/A | | Hypervisor and Virtualization Security | Hypervisor Security | U. Server Security
3680 | U.1.9.19 | Is there an approval process before VMs can be created to avoid VM sprawl? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3681 | U.1.9.20 | Is migration of VMs logged, including source and target systems, time, user? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3682 | U.1.9.21 | Do all VMs in the same host share the same risk and data classification? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security
3683 | U.1.9.22 | Do all VMs in the same host share the same system sensitivity level grouping (development and production not present on the same host)? | N/A | | Hypervisor and Virtualization Security | Virtual Machine Management | U. Server Security


4393 | U.1.10 | Are Containers used to process or store Scoped data (e.g., Docker, Kubernetes, OpenShift)? | Yes | | Container Security | Scoping | U. Server Security
4394 | U.1.10.1 | Can clients prohibit containers from being used on scoped systems with sensitive or confidential information? | No | | Container Security | Prohibition | U. Server Security
4395 | U.1.10.2 | Is there a data container security policy approved by management, communicated to constituents and an owner to maintain and review? | No | No specific container policy. | Container Security | Container Security Policy | U. Server Security
4396 | U.1.10.3 | Does the data container security policy include security requirements implemented as part of the container build process? | N/A | | Container Security | Container Security Policy | U. Server Security
4397 | U.1.10.4 | Does the data container security policy require Data Containers on the same host share the same risk and data classification? | N/A | | Container Security | Container Security Policy | U. Server Security
4398 | U.1.10.5 | Does the data container security policy require external Container images to be signed and originate from a trusted registry? | N/A | | Container Security | Container Security Policy | U. Server Security
4399 | U.1.10.6 | Does the data container security policy ensure Containers are scanned for vulnerabilities and identified vulnerabilities are remediated? | N/A | | Container Security | Container Security Policy | U. Server Security
4400 | U.1.10.7 | Does the data container security policy require that Seccomp profiles are enabled to reduce the number of potentially risky usable system calls? | N/A | | Container Security | Container Security Policy | U. Server Security


4401 | U.1.10.8 | Does the data container security policy require that an Authorization Plug-In be enabled? | N/A | | Container Security | Container Security Policy | U. Server Security
4402 | U.1.10.9 | Does the data container security policy require that Control Groups be enabled to reduce the kernel and system resources that a container can consume? | N/A | | Container Security | Container Security Policy | U. Server Security
4403 | U.1.10.10 | Does the data container security policy require that Linux User Namespace Support be enabled to reduce the kernel and system resources that a container can access? | N/A | | Container Security | Container Security Policy | U. Server Security
4577 | U.1.10.11 | Are Vulnerability Scans performed against all Containers using tools that can inspect the contents of Containers? | No | Cloudflare does not currently scan containers for vulnerabilities. | Container Security | Vulnerability Management | U. Server Security
4585 | U.2 | Do asset inventory and management processes include all physical objects with network connectivity (IoT Devices)? | N/A | Cloudflare does not utilize IoT devices to process/store customer account information. | Internet of Things (IoT) Security | Identification and Inventory | U. Server Security
4586 | U.2.1 | Are IoT devices identified by scanning for non-802.11 wireless technologies like Bluetooth, Zigbee, and Z-Wave? | N/A | | Internet of Things (IoT) Security | Identification and Inventory | U. Server Security
4587 | U.2.2 | Are the security characteristics of all inventoried devices identified and understood? | N/A | | Internet of Things (IoT) Security | Identification and Inventory | U. Server Security
4588 | U.2.3 | When IoT devices are found to have inadequate security controls, are they removed as soon as possible and scheduled for replacement? | N/A | | Internet of Things (IoT) Security | Management | U. Server Security


4589 | U.2.4 | Is accountability for approval, monitoring, use and deployment of each IoT device and their associated applications assigned to an owner? | N/A | | Internet of Things (IoT) Security | Management | U. Server Security
4590 | U.2.5 | Are IoT security requirements included as part of third party risk management requirements? | N/A | | Internet of Things (IoT) Security | Third Party Due Diligence | U. Server Security
4591 | U.2.5.1 | Are specific third party IoT-related controls included in contract clauses, policies and procedures and monitored for compliance? | N/A | | Internet of Things (IoT) Security | Third Party Due Diligence | U. Server Security
3304 | V.1 | Are Cloud Hosting services (IaaS) provided? | Yes | | Cloud Hosting | Cloud Service Model | V. Cloud Hosting
4388 | V.1.1 | Is there an Internet-accessible self-service portal available that allows clients to configure security settings and view access logs, security events and alerts? | Yes | Cloudflare supports this for the customer account; not across all Cloudflare systems. | Cloud API | Scoping | V. Cloud Hosting
3504 | V.1.1.1 | Does the Cloud API allow clients to manage network access control (e.g., firewall ACL)? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3505 | V.1.1.2 | Does the API allow clients to manage access to the VPN? | No | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3506 | V.1.1.3 | Does the API allow clients to manage application access control/permissions? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting


3507 | V.1.1.4 | Does the API allow clients to manage username/password credentials? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3508 | V.1.1.5 | Does the API allow clients to manage client-side certificates? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3509 | V.1.1.6 | Does the API allow clients to manage multi-factor authentication? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
4454 | V.1.1.7 | Does the API allow clients to manage application generated tokens? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
3511 | V.1.1.8 | Can the API alert, block or lock based on rate limit? | Yes | | Cloud API | Cloud Security Configuration | V. Cloud Hosting
4389 | V.1.1.9 | Is there an interface that allows access logs, security events and alerts to be sent to an external client managed SIEM? | Yes | Cloudflare Logs can be pushed into a storage solution of the customer's choosing and then integrated into a SIEM, like Splunk, for further analysis. | Cloud API | SIEM Interface | V. Cloud Hosting
4540 | V.2 | Are Cloud Hosting services subcontracted? | N/A | Cloudflare owns all its hard metal stored in rented spaces | Cloud Hosting Organization | Subcontracted Cloud Services | V. Cloud Hosting
3384 | V.2.1 | Is there a full-time internal security team assigned to protecting the cloud hosting infrastructure? | N/A | Cloudflare is not a hosting provider but has a Threat Intelligence Team who is responsible for existing or new threats to our infrastructure, as well as a Security Architecture team to ensure the environment is secured. | Cloud Hosting Organization | Information Security Team Responsibilities | V. Cloud Hosting


3373  V.3  Is there a management approved process to ensure that backup image snapshots containing Scoped data are authorized by Outsourcer prior to being snapped?
      Response: No  |  Category: Configuration Management  |  Sub-category: Backup Image Management  |  Domain: V. Cloud Hosting

3374  V.3.1  Are backup image snapshots containing Scoped data stored in an environment where the security controls protecting them are commensurate with the production environment?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Backup Image Management  |  Domain: V. Cloud Hosting

3587  V.3.2  Can backup image versions be electronically signed to ensure integrity?
      Response: N/A  |  Category: Configuration Management  |  Sub-category: Backup Image Management  |  Domain: V. Cloud Hosting

3577  V.4  Is the Assessee responsible for deploying patches to the live guest Operating Systems?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Patch Management  |  Domain: V. Cloud Hosting

3585  V.4.1  Is the Assessee responsible for ensuring the live Guest Operating Systems remain hardened?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

4541  V.4.2  Is the Assessee responsible for deploying patches to all application server components (e.g., web server, mail server, databases)?
      Response: N/A  |  Category: Configuration Management  |  Sub-category: Patch Management  |  Domain: V. Cloud Hosting

4392  V.4.3  Is the Assessee responsible for ensuring all application server components remain hardened (e.g., web server, mail server, databases)?
      Response: N/A  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

3568  V.5  Are default hardened base virtual images applied to virtualized operating systems?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting


4390  V.5.1  Are default hardened base virtual images based on a publicly distributed industry, vendor, or government-recognized configuration standard?
      Response: No  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

4391  V.5.1.1  Are default hardened base virtual images based on the Operating System Vendor's published security configuration standard?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

3571  V.5.1.2  Are default hardened base virtual images based on Center for Internet Security (CIS) Security Configuration Benchmarks?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

3575  V.5.1.3  Are default hardened base virtual images based on another configuration standard? If yes, please note the standard(s) in the Additional Information field.
      Response: No  |  Category: Configuration Management  |  Sub-category: Periodic Configuration Review  |  Domain: V. Cloud Hosting

4542  V.5.2  Is the Service Provider responsible for ensuring the Guest Operating System Base Images are hardened to the latest standards?
      Response: Yes  |  Category: Configuration Management  |  Sub-category: Base Image Management  |  Domain: V. Cloud Hosting

3570  V.5.2.1  Can a client supply their own default base virtual image for guest operating systems?
      Response: No  |  Category: Configuration Management  |  Sub-category: Base Image Management  |  Domain: V. Cloud Hosting

3579  V.5.3  Is the Service Provider responsible for deploying patches to the guest operating system Base Images?
      Response: No  |  Category: Configuration Management  |  Sub-category: Patch Management  |  Domain: V. Cloud Hosting

4543  V.6  Does the Cloud Hosting Provider provide independent audit reports for their cloud hosting services (e.g., Service Operational Control - SOC)?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Audit Reports  |  Domain: V. Cloud Hosting


4544  V.6.1  Are independent audit reports provided by the Cloud Hosting Provider valid for a 12-month period, completed within the last 12 months, performed by a certified audit firm, and free of qualified opinion?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Audit Reports  |  Domain: V. Cloud Hosting

4545  V.6.2  Is the Cloud Service Provider certified by an independent third party for compliance with domestic or international control standards (e.g., the National Institute of Standards and Technology - NIST, the International Organization for Standardization - ISO)?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Audit Reports  |  Domain: V. Cloud Hosting

4546  V.6.2.1  Are any certifications of the Cloud Service Provider's environment current, performed by a certified audit firm, and have they been reassessed within the last 12 months?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Audit Reports  |  Domain: V. Cloud Hosting

4547  V.6.3  Can clients run their own vulnerability scans against their own cloud environment?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Client-Managed Security  |  Domain: V. Cloud Hosting

4548  V.6.3.1  Can clients procure their own network security services (e.g., Firewall, IDS, IPS, WAF)?
      Response: Yes  |  Category: Independent Oversight  |  Sub-category: Client-Managed Security  |  Domain: V. Cloud Hosting
4964 to 5063  Z. Additional Questions
      No additional questions recorded (these 100 rows of the questionnaire are blank).