
OCLC Trust Center: Compliance


We comply with a wide range of internationally recognized security standards.

Proactive, risk-based controls protect the confidentiality, integrity, and availability of customer and user data. We keep pace with current and emerging industry standards by maintaining our certifications, authorizations, and attestation reports and by having them reassessed on the schedule each program requires.

Certifications and attestations


FedRAMP

US federal government-approved cloud provider marketplace

The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP mandates a core set of processes to ensure effective, repeatable cloud security for cloud service offerings that hold federal government data. OCLC maintains a FedRAMP LI-SaaS (Low Impact Software-as-a-Service) authority to operate (ATO); LI-SaaS is the FedRAMP Tailored baseline for low-impact SaaS offerings, so the controls assessed are a subset of the full FedRAMP Low baseline.


StateRAMP

US state and local government-approved cloud provider marketplace

The State Risk and Authorization Management Program (StateRAMP) is a United States program for state and local governments that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. StateRAMP mandates a core set of security requirements based on the National Institute of Standards and Technology (NIST) Special Publication 800-53 security and privacy controls for information systems and organizations. OCLC holds an "Authorized" security status and is listed on the StateRAMP Authorized Vendor List.


ISO/IEC 27001

Information security management standard

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS) that brings information security under explicit management control. It sets out requirements for implementing, monitoring, maintaining, and continually improving the ISMS, and certification is granted by an accredited certification body after an external audit. This certification helps OCLC meet numerous regulatory and legal requirements that relate to the security of information.


ISO/IEC 27018

Personally Identifiable Information (PII) data protection standard

ISO/IEC 27018 is an international code of practice for protecting PII in public clouds. Building on the controls of ISO/IEC 27002 and the privacy principles of ISO/IEC 29100, it gives specific guidance to cloud service providers (CSPs) acting as PII processors on assessing risks and implementing controls for protecting PII.


ISO/IEC 27701

Privacy Information Management System (PIMS) standard

ISO/IEC 27701 is an international privacy framework for the protection of personally identifiable information (PII). It extends ISO/IEC 27001 and ISO/IEC 27002 with privacy-specific requirements for PII controllers and processors, so it is certified as an extension of an existing ISO/IEC 27001 ISMS. The standard maps its controls to obligations in data protection regulations such as the General Data Protection Regulation (GDPR).


SOC 2

Security, availability, processing integrity, and confidentiality standard

A SOC 2 report is an attestation report prepared by an independent CPA firm under the attestation standards of the American Institute of Certified Public Accountants (AICPA), evaluating an organization's controls against the AICPA Trust Services Criteria (TSC). The audit evaluates the organization's information systems relevant to security, availability, processing integrity, and confidentiality. Because SOC 2 is a report rather than a certificate, its scope, the criteria covered, and the reporting period are stated in the report itself and should be reviewed there.


Cloud Security Alliance

Cloud security and privacy standard

The CSA Security, Trust, Assurance and Risk (STAR) program promotes best practices for providing security assurance in cloud computing. OCLC participates in the voluntary CSA STAR registry to document its alignment with the CSA Cloud Controls Matrix, the CSA's published set of cloud security and privacy controls. STAR entries are either self-assessments or third-party assessments; the level of assurance behind an entry is indicated on the registry listing.


EU Cybersecurity Act

European cybersecurity standard

The EU Cybersecurity Act (Regulation (EU) 2019/881) gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and establishes a European cybersecurity certification framework for ICT products, services, and processes. Certification under schemes adopted through that framework is voluntary unless other EU law makes it mandatory, and the Act itself does not prescribe a fixed set of security controls for companies doing business in the EU. OCLC's annual ISO/IEC 27001 audit is the evidence it offers for alignment with the Act's security objectives; ISO/IEC 27001 is not itself a certification scheme adopted under the Act.


Italy AGID

Italian approved cloud provider marketplace

The Agenzia per l'Italia Digitale (AgID) coordinates Italy's innovation policy and actively supports the adoption of information and communication technologies in the digitization and modernization of Public Administration. Its guidelines and actions are developed at national and European level with a single, consistent aim: to federate the technological infrastructure, to ensure the safety and reliability of the preservation and management of public data, and to provide integrated, shared, high-quality services.


Spain Esquema Nacional de Seguridad (ENS)

Spain cybersecurity standard

The ENS accreditation scheme was developed by Spain's Ministry of Finance and Public Administration together with the CCN (Centro Criptológico Nacional, the National Cryptologic Centre). It comprises basic principles and minimum requirements for the adequate protection of information handled by public-sector entities and their suppliers.


United Kingdom Cyber Essentials

UK cybersecurity standard

Cyber Essentials is a UK government-backed scheme designed to help organizations assess and mitigate the risk of common cyber attacks against their IT systems. It specifies five technical control themes an organization must have in place: firewalls, secure configuration, security update management, user access control, and malware protection. The basic Cyber Essentials tier is a verified self-assessment, while Cyber Essentials Plus adds independent technical testing. Certification is required for suppliers bidding on certain UK central government contracts that involve handling personal information or providing specific ICT products and services.

Each of these certifications and attestations is periodically assessed by a third party and/or an independent auditor, and results in a certificate, an audit report, or a confirmation of compliance. Every framework publishes the requirements it assesses, so the scope of any given certificate or report should be read against that framework's published criteria and the systems named in its statement of scope.

Contact our security team

The confidentiality, integrity, and availability of information are of paramount importance as we protect the security and privacy of libraries and their users. We have dedicated security and privacy staff with backgrounds in libraries and higher education, as well as in highly security-conscious industries such as financial services, government, and defense, who would welcome the chance to connect.