Territorial relevance: Global
SOC 2 Type II is an independent attestation that evaluates both the design and the operational effectiveness of a service organization’s security controls over a period of time, based on the AICPA Trust Services Criteria. It provides assurance that controls for security, availability, processing integrity, confidentiality, and privacy function consistently over time.
IRAP
Certification type: Authorization
Territorial relevance: APAC
IRAP provides independent security assessments of systems and cloud services against the Australian Government’s Information Security Manual (ISM). It helps organisations understand the effectiveness of their security controls and supports risk-informed authorisation decisions.
FedRAMP
Certification type: Authorization
Territorial relevance: North America
FedRAMP is a U.S. government-wide program that standardizes security assessment and authorization for cloud services used by federal agencies. It is built on the NIST SP 800-53 baseline security and privacy controls, requiring cloud service providers to implement and maintain these controls to securely process federal data. The program enforces rigorous third-party assessments and continuous monitoring to ensure ongoing compliance across federal environments. NiCE is FedRAMP Authorized at the Moderate Impact Level.
C5
Certification type: Certification
Territorial relevance: European Union Sovereign Cloud
The Cloud Computing Compliance Criteria Catalogue (C5), developed by Germany’s Federal Office for Information Security (BSI), sets minimum security and transparency requirements for cloud services. It builds on established standards such as ISO/IEC 27001 and BSI’s IT-Grundschutz to provide a consistent framework for evaluating cloud providers.
Cyber Essentials Plus
Certification type: Certification
Territorial relevance: EMEA
Cyber Essentials is an information assurance scheme operated by the United Kingdom’s National Cyber Security Centre (NCSC). It supports information risk management through an assurance framework and a set of security controls that demonstrate an organization’s ability to protect its customers’ data from Internet-borne threats.
ISO 27001
Certification type: Certification
Territorial relevance: Global
ISO/IEC 27001:2022 is the globally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a structured, risk-based framework to protect information assets and ensure confidentiality, integrity, and availability.
ISO 27017
Certification type: Certification
Territorial relevance: Global
ISO/IEC 27017 is a cloud-security-specific code of practice that provides additional implementation guidance on information security controls for both cloud service providers and cloud customers. It extends ISO/IEC 27002 by offering cloud-focused guidance on existing controls plus seven new controls addressing shared responsibilities, virtual environment separation, and secure cloud operations.
ISO 27018
Certification type: Certification
Territorial relevance: Global
ISO/IEC 27018 is an international code of practice focused on protecting personally identifiable information (PII) in public cloud environments where the cloud provider acts as a PII processor. It builds on ISO/IEC 27002 by providing privacy-specific controls and guidance to ensure transparent, responsible, and secure handling of PII in the cloud.
ISO 27701
Certification type: Certification
Territorial relevance: Global
ISO/IEC 27701 is an international standard that defines the requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It provides structured guidance for organizations acting as PII controllers or processors to manage privacy risks and demonstrate accountability for protecting personal data. The standard builds on ISO/IEC 27001 and 27002 by adding privacy-specific controls aligned with global regulations.
ISO 9001
Certification type: Certification
Territorial relevance: Global
ISO 9001 is an internationally recognized standard that specifies requirements for a Quality Management System (QMS), helping organizations consistently deliver products and services that meet customer and regulatory expectations. It provides a structured framework for improving efficiency, enhancing customer satisfaction, and supporting continual improvement across any industry or size of organization.
GDPR
Certification type: Law
Territorial relevance: EMEA
The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law, effective since May 25, 2018, designed to give individuals greater control over their personal data and standardize privacy rules across the EU. It applies to any organisation worldwide that processes the personal data of EU residents and enforces strict requirements for transparency, data rights, and accountability.
CCPA
Certification type: Law
Territorial relevance: North America
The California Consumer Privacy Act (CCPA) is a landmark U.S. state privacy law that gives California residents key rights over their personal information, including the right to know what data is collected, the right to delete it, and the right to opt out of its sale. It also prohibits businesses from discriminating against individuals who exercise these rights and requires transparent data practices.
CPNI
Certification type: Law
Territorial relevance: North America
NiCE fully complies with the Federal Communications Commission in protecting Customer Proprietary Network Information (CPNI). Information is securely stored and continuously monitored; further, it is our commitment to you that we will not sell, lend or license CPNI data to a third party.
HIPAA
Certification type: Law
Territorial relevance: North America
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards to protect the privacy and security of individuals’ medical records and other protected health information (PHI). It regulates how covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, use and disclose PHI while granting individuals rights over their health information.
Section 508
Certification type: Law
Territorial relevance: North America
Section 508 of the U.S. Rehabilitation Act requires federal agencies to ensure that all electronic and information technology (EIT) they develop, procure, maintain, or use is accessible to people with disabilities, providing access comparable to that available to others. Updated standards adopted in 2017 align Section 508 with modern accessibility frameworks such as WCAG 2.0, ensuring accessible websites, software, documents, and digital services across the federal government.
TCPA
Certification type: Law
Territorial relevance: North America
The Telephone Consumer Protection Act (TCPA) is a U.S. federal law enacted in 1991 to protect consumers from unwanted telemarketing calls, texts, and faxes by restricting the use of auto-dialers, prerecorded messages, and unsolicited communications without consent. It also empowers individuals to control who may contact them and established key protections such as the national Do-Not-Call registry.
PCI DSS
Certification type: Certification
Territorial relevance: Global
PCI DSS (Payment Card Industry Data Security Standard) is a global security framework designed to protect payment card data by defining technical and operational requirements for any entity that stores, processes, or transmits cardholder information. It establishes a consistent baseline of controls to safeguard cardholder and sensitive authentication data across the payment ecosystem.
Sarbanes-Oxley
Certification type: Certification
Territorial relevance: North America
The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. federal law enacted to protect investors by improving the accuracy and reliability of corporate financial reporting. It requires public companies to implement strong internal controls, ensure executive accountability, and undergo independent audits to prevent fraud and enhance transparency in financial disclosures.
CAIQ
Certification type: Framework
Territorial relevance: Global
The Consensus Assessments Initiative Questionnaire (CAIQ), developed by the Cloud Security Alliance (CSA), is a standardized set of questions used to assess the security controls of cloud service providers. It maps directly to the CSA Cloud Controls Matrix (CCM), providing transparency into a provider’s security posture and helping customers evaluate cloud risks consistently.
DPF
Certification type: Framework
Territorial relevance: North America
The Data Privacy Framework (DPF) is an EU–U.S., UK–U.S., and Swiss–U.S. data transfer mechanism that allows certified U.S. organizations to receive personal data from Europe while ensuring protections comparable to EU, UK, and Swiss privacy laws. It provides protection for transatlantic data flows through enforceable privacy principles and enhanced oversight mechanisms.
DORA
Certification type: Law
Territorial relevance: EMEA
DORA (Digital Operational Resilience Act) is an EU regulation that strengthens the digital resilience of financial institutions by requiring them to withstand, respond to, and recover from ICT-related disruptions. It creates a unified EU-wide framework covering ICT risk management, incident reporting, resilience testing, and oversight of critical third-party technology providers.
EU Data Act
Certification type: Law
Territorial relevance: EMEA
The EU Data Act (Regulation (EU) 2023/2854) establishes harmonised rules on fair access to and use of data, aiming to boost the EU’s data economy by making both personal and non-personal data more accessible and usable. It grants users of connected products greater control over the data they generate, facilitates business-to-business and cloud-to-cloud data portability, and promotes fairness in data sharing contracts.
LGPD
Certification type: Law
Territorial relevance: LATAM
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law that unifies existing regulations and establishes rules for the processing of personal data to safeguard privacy and fundamental rights. It applies to any organization handling data of individuals in Brazil, regardless of where the company is located, and grants data subjects rights such as access, correction, deletion, and data portability.
WCAG 2.2
Certification type: Certification
Territorial relevance: Global
NiCE strives to make all our products accessible and aligned with the W3C’s international standard, Web Content Accessibility Guidelines 2.2 (WCAG) Level A and AA, Section 508 of the United States Rehabilitation Act of 1973, and the European Accessibility Act (EAA). NiCE actively takes these standards into account to improve accessibility across our product suite and incorporates inclusive design principles in our new features and solutions. We regularly test for accessibility during development and after substantial releases, address any identified issues, incorporate design best practices, invest resources in our ongoing initiatives, and partner with accessibility testing experts.
Enterprise contact centers, especially cloud contact center platforms (CCaaS), typically need to meet a mix of security certifications and data compliance requirements based on the organization’s industry, geography, and the types of customer data processed. Depending on customer needs and regulated environments, some contact centers may also need to align with additional frameworks and regulatory programs (e.g., HITRUST, FedRAMP, IRAP, and other regional or sector-specific requirements). The overall goal is to ensure consistent controls for data security, privacy, audit readiness, and risk management across customer interactions.
Stringent security requirements have evolved within the cloud services space. NiCE CXone relies on industry-standardized audits, practices documentation, and compliance survey questionnaires to both assess and respond to security queries from prospective and current customers. NiCE maintains security governance and regulatory compliance through our Trust Office, a cross-functional team of security, privacy, and compliance experts focused on strict customer data protection and operational resilience. The Trust Office supports ongoing readiness for key compliance certifications and assurance programs, including SOC 2 Type II, ISO 27001, and privacy/security requirements such as GDPR, HIPAA, and PCI DSS, and ensures NiCE’s compliance with the latest applicable regulations.
NiCE maintains a proactive security posture through continuous vulnerability assessment and vulnerability management. On this basis, CXone supports secure operations and audit-aligned controls commonly expected under SOC 2 Type II and ISO/IEC 27001 programs. This continuous approach helps reduce security risk while supporting enterprise expectations for security certifications, audit readiness, and compliance assurance.
Sensitive customer information is protected in CXone using industry-standard security controls designed to support data compliance requirements such as GDPR, HIPAA, and PCI DSS (PCI compliance). Core protections include encryption at rest and in transit using industry-standard cryptography (e.g., AES for data at rest and TLS for data in transit); encryption key management practices that protect keys and reduce the risk of unauthorized access; and access controls and operational safeguards that help protect regulated data types (e.g., personal data under GDPR, health data under HIPAA, and payment-related data under PCI DSS). These controls help customers meet enterprise expectations for secure cloud contact center compliance and protection of sensitive data throughout its lifecycle.