Security & Compliance
Ivanti Public Security Profile
Ivanti Security Profile
(click-through NDA required)
MobileIron Security Profile
Cherwell Security Profile
(click-through NDA required)
Privacy Compliance
CCPA
The California Consumer Privacy Act (CCPA) regulates how Ivanti handles personal information of California residents and gives certain rights with respect to their personal information.
Our Special Notice to California Residents is a supplement to our Privacy Policy and applies to information we collect in our role as a business.
If you have more questions about how Ivanti meets CCPA requirements, please reach out to [email protected].
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) gives EU individuals more freedom to say how their personal data is handled and creates an opportunity for Ivanti to better serve our customers and reaffirm that we are dedicated to data protection.
Ivanti’s GDPR Compliance Statement is available here. If you have more questions about how Ivanti meets GDPR requirements, please reach out to [email protected].
Information Comissioner's Office
The Information Commissioner’s Office is “responsible for upholding information rights in the interest of the public for the United Kingdom. The Data Protection Regulations 2018 requires organizations who process personal information to register with the Information Commissioner’s Office.
You may view Ivanti’s ICO registration here.
You may view MobileIron’s ICO registration here.
You may view Cherwell’s ICO registration here.
You may view Pulse Secure’s ICO registration here.
Data Sovereignty
As technology continues to evolve and data transmissions occur on a global basis, data privacy has become one of the most important aspects of business today. Click here to discover how Ivanti handles data sovereignty as well as how the company meets specific European Data Privacy regulations.
Certifications & Attestations
Service Organization Control 2 
Service Organization Control 2 (SOC 2) helps businesses attest that they provide non-financial reporting controls that meet certain levels of service related to the security, availability, processing integrity, confidentiality, and privacy of a system.
For Ivanti, The Cadence Group conducted this attestation of compliance. The attestation report describes Ivanti’s Cloud Service Platform (CSP), assesses the fairness of the CSP’s description of its controls, and evaluates whether the controls are appropriately designed and operating effectively over the specified assessment period.
Ivanti Service Manager’s most recent SOC 2 Type 2 audit occurred in October of 2020. Ivanti Cloud completed the SOC 2 Type 1 audit in April 2020. Click here to request a copy of the SOC 2 Report.
International Organization for Standardization (ISO)
& International Electrotechnical Commission (IEC) 
ISO/IEC 27001:2013
The ISO and IEC provide standards that help customers deploy and automate IT solutions with processes that align with ITIL.
ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls. The basis of this certification is the development and implementation of a suitable Information Security Management System (ISMS), which defines how Ivanti manages security and data protection. The certification process verifies that Ivanti does the following:
- Evaluates the information security risks of the cloud services, considering the impact of - threats and vulnerabilities.
- Implements a comprehensive set of information security controls and other forms of risk management to address customer and architecture security risks.
- Performs periodic checks that the information security controls meet the requirements.
Ivanti Service Manager has been found in compliance with the standards outlined by the ISO and IEC, as stated in the audit plan. Click here to view a copy of Ivanti’s 27001:2013
FedRAMP 
Ivanti Service Manager has received an official FedRAMP Authorized designation!
The Federal Risk and Authorization Management Program (FedRAMP) is a United States Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud-based services. Ivanti’s ATO (authority to operate) designation can be found on the FedRAMP Marketplace.
You can view our press release for more information here.
U.S. Federal Government Agency Authorization to Operate (ATO)
Authorization to Operate (ATO) is the security approval required to launch a new IT system in the federal government. Government agencies determine whether to grant an information system authorization to operate for a period of time by evaluating if the security risk is acceptable.
Ivanti has received ATOs from the Air Force, Army, Department of Defense (DoD), Defense Health Agency (DHA), Department of Homeland Security (DHS), National Guard, Navy, Pacific Air Forces (PACAF), United States Special Operations Command (SOCOM), and U.S Strategic Command (STRATCOM).
Common Criteria 
As of 2014, the United Kingdom has required suppliers that handle certain kinds sensitive and personal information for the central UK government to obtain Cybersecurity Essentials certification. This certification assures customers that Ivanti has an understanding of our cyber security level that we work to secure our IT against cyber attack.
You can download our current certification here or search the NCSC site for Ivanti here.
VPAT 2.4 Section 508: Revised Section 508 Standards
Section 508 standards are the technical requirements and criteria used to measure conformance to the U.S. Rehabilitation Act. This federal law requires agencies and companies to provide individuals with disabilities equal access to electronic information and data comparable to those who do not have disabilities. More information on Section 508 can be found at Section508.gov.
The following Ivanti products have been deemed 508 compliant through self-attestation:
- Asset Manager: Click here to view VPAT
- Endpoint Manager: Click here to view VPAT
- Service Manager: Click here to view VPAT
- Identity Director: Click here to view VPAT
- License Optimizer: Click here to view VPAT
- Security Controls: Click here to view VPAT
Cybersecurity Essentials 
As of 2014, the United Kingdom has required suppliers that handle certain kinds sensitive and personal information for the central UK government to obtain Cybersecurity Essentials certification. This certification assures customers that Ivanti has an understanding of our cyber security level that we work to secure our IT against cyber attack.
You can search for our up-to-date certification by visiting the IASME site and searching for "Ivanti".
Additional Resources
Privacy & Legal
- Privacy Policy
- Subprocessor List
- End User License Agreement (EULA)
- Data Processing Addendum
- Additional Privacy and Legal Resources are available here.
Standardised Information Gathering (SIG)
Using a comprehensive set of questions (content library), the SIG gathers information to determine how security risks are managed across 18 risk control areas, or “domains”, within a service provider’s environment. The library houses comprehensive risk and cybersecurity frameworks as well as industry-specific controls.
Ivanti’s SIG Lite is scoped to the corporate level with designations for on-premise or hosted products and is available here.
Security Whitepapers
Listed below are Ivanti’s current public facing whitepapers:
- Ivanti Service Manager Security Whitepaper
- Ivanti Neurons Security Whitepaper
- Ivanti Content Research, Testing, and Validation of Authenticity Whitepaper
- FedRAMP Security Posture
- Improving Security Posture Public Sector Whitepaper
Penetration Testing
Internal tests are conducted by Ivanti's Security team. This are usually run on an as-needed basis. The findings from these scans are shared with the relative development teams to get the vulnerabilities fixed, and the fixes released in product updates.
Independent 3rd party tests are conducted on our products on a regular basis. After testing completes, Ivanti is provided with two reports. One report is shared with the relative development teams to get the vulnerabilities fixed, and the fixes released in product updates. The second report is the summary letter that we are able to share with customers.
Click on the product below to view its penetration letter:
- 2020 Pentest Schedule Customer Letter
- Service Manager Customer Letter
- Application Controls Customer Letter
- License Optimizer Customer Letter
- Xtraction Customer Letter
- Asset Manager Customer Letter
- Patch for SCCM Customer Letter
- Security Controls Customer Letter
- Endpoint Manager Customer Letter
- File Director Customer Letter
- Service Desk Customer Letter
- Device Application Control Customer Letter
- Workspace Control Customer Letter
- Ivanti Neurons Customer Letter
- ConnectPro Customer Letter
- Performance and Environment Manager Customer Letter
- Endpoint Security Customer Letter
- Identity Director Customer Letter
- Avalanche Customer Letter
Other
Endpoint Manager Core Server Hardening forum.
Endpoint Manager Core Services Application Hardening Guide
Resources by Product
Service Manager
Ivanti Service Manager has the following Security and Compliance certifications and resources available for public consumption:
- SOC 2 Type 2: Click here to request a copy of the report
- ISO 27001:2013 certificate
- FedRAMP ATO
- 508 VPAT
- Security Whitepaper
- FedRAMP Security Posture
- Improving Security Posture Public Sector Whitepaper
- Penetration Test Letter
- SIG Lite
For additional product information, please click here.
Ivanti Neurons
Ivanti Neurons has the following Security and Compliance certifications and resources available for public consumption:
- SOC 2 Type 1 Report: Click here to request a copy of the report
- Security Whitepaper
- Penetration Test Letter
- SIG Lite
For additional product information, please click here.
Asset Manager
Ivanti’s Asset Manager solution has the following Security and Compliance certifications and resources available for public consumption:
- SOC 2 Type 2: Click here to request a copy of the report
- 508 VPAT
- Penetration Test Letter
- SIG Lite
For additional product information, please click here.
Endpoint Manager
Ivanti’s Endpoint Manager solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Licence Optimizer
Ivanti’s Licence Optimizer has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Service Desk
Ivanti’s Service Desk has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Security Controls
Ivanti Security Controls solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Patch for SCCM
Ivanti’s Patch for SCCM solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Application Control
Ivanti’s Application Control solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
File Director
Ivanti’s File Director has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Xtraction
Ivanti’s Xtraction solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Device Application Control
Ivanti’s Device Application Control solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Workspace Control
Ivanti’s Workspace Control solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Performance Manager and Environment Manager
Ivanti’s Performance Manager and Environment Manager solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here and here.
Identity Director
Ivanti’s Identity Director solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Endpoint Security
Ivanti’s Endpoint Security solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.
Avalanche
Ivanti’s Avalanche solution has the following Security and Compliance certifications and resources available for public consumption:
For additional product information, please click here.