SaaS Compliance Certifications Map: SOC 2, ISO 27001, HIPAA, FedRAMP — 2026
For a vendor security review, the certifications a tool holds decide whether it can even be considered. This page compiles the compliance attestations of popular tools across categories in 2026: the answer to the "send us your SOC 2" email.
Security and procurement teams filter vendors by certification before features. SOC 2 and ISO 27001 are baseline; HIPAA, FedRAMP, PCI DSS, FIPS 140-2 and 21 CFR Part 11 gate specific industries. This page maps which tools hold what, from our sourced category studies.
Free to cite and link. Certifications expire and are re-issued; always confirm the current attestation (and its scope/date) on the vendor's trust/security page before relying on it for a compliance decision.
Certifications by tool
| Tool | Category | Certifications (as listed in source) |
| --- | --- | --- |
| Box | Cloud storage | FedRAMP High, HIPAA/HITECH, SOC 1/2/3, ISO 27001/27018, FIPS 140-2, ITAR, IRS-1075 |
| Qualtrics | Surveys/XM | SOC 2 Type II, HIPAA, FedRAMP (Government), GDPR, ISO 27001 |
| Keeper | Password manager | FedRAMP Authorization, FIPS 140-2, SOC 2 Type 2, ISO 27001 |
| SignNow | E-signature | SOC 2 Type II, HIPAA (BAA from entry Business tier), PCI DSS, 21 CFR Part 11, eIDAS |
| Signeasy | E-signature | SOC 2 Type II, GDPR, HIPAA, eIDAS, 21 CFR Part 11 |
| Adobe Acrobat Sign | E-signature | ESIGN, eIDAS, HIPAA, FDA 21 CFR Part 11 |
| DocuSign | E-signature | ISO 27001, SOC 2 Type II; HIPAA (BAA) on Enterprise |
| Dropbox Sign | E-signature | SOC 2 Type II, ISO 27001, eIDAS (incl. QES) |
| 1Password | Password manager | SOC 2 Type II |
| Personio | HR | ISO 27001; GDPR audited (Bitkom Consult); EU residency (Frankfurt) |
| Tresorit | Cloud storage | Independently audited zero-knowledge; Swiss; selectable residency |
| Internxt | Cloud storage | ISO 27001; HIPAA compliant; open source |
| forms.app | Forms | GDPR, ISO/IEC 27001, PCI DSS |
| Deel | Fintech/HR | SOC 1, GDPR, CCPA |
| Jotform | Forms | SOC 2 Type 2, GDPR; HIPAA on Gold/Enterprise |
| Formstack | Forms | HIPAA (higher tiers); Formstack Sign ESIGN/UETA + Standard BAA on all accounts |
Key findings
- Box is the certification heavyweight. FedRAMP High, ITAR, IRS-1075, FIPS 140-2, the full SOC and ISO set — Box holds the broadest portfolio in this list, which is why it dominates government and heavily-regulated enterprise despite not being zero-knowledge. For the hardest compliance bars, breadth of certification beats encryption marketing.
- FedRAMP is the rare, government-grade gate. Only Box, Qualtrics (Government) and Keeper list FedRAMP here. If you sell to or operate in US federal contexts, that single certification eliminates most of the market — worth checking first.
- SOC 2 Type II is the baseline, not a differentiator. Nearly every serious B2B tool here holds it. Its absence is a red flag; its presence is table stakes. The real filtering happens on the industry-specific certs (HIPAA, PCI DSS, 21 CFR Part 11).
- HIPAA gating is a pricing decision, not just a checkbox. SignNow offers a BAA from its entry Business tier, while DocuSign and Jotform gate HIPAA to Enterprise/Gold. Same certification, very different cost to actually use it — see our e-signature and forms studies.
- "Certified" ≠ "in scope for your use." A certification can apply to one product or region and not another, and attestations expire. Always pull the current report and check its scope and date — a 2-year-old SOC 2 is not a current one.
Methodology
Compliance certifications were compiled from our sourced 2026 category studies (cloud storage, e-signature, password managers, forms, HR, surveys, fintech). Listings reflect certifications named in the source data; a blank does not mean a tool lacks a certification, only that it wasn't listed. This is a vendor-assessment starting point, not a compliance attestation or legal advice.
Editorial note (verification): Certifications expire, are re-issued, and vary in scope by product/region. For any procurement or compliance decision, request and verify the current attestation report (SOC 2, ISO certificate, BAA) directly from the vendor and confirm its scope and date. Compiled 2026-06-27.
How to cite
"SaaS Compliance Certifications Map: SOC 2, ISO 27001, HIPAA, FedRAMP — 2026", ToolsRanks. https://toolsranks.com/etudes/saas-compliance-certifications-2026
A spreadsheet of all certifications is available on request.