In Esri PSIRT, we get a LOT of questions. Some questions we see more frequently than others - like where your data goes when you publish to ArcGIS Online, or where to go to ask other questions.
We've documented a great deal of security, privacy, and compliance information over on our ArcGIS Trust Center.
Here are a few examples of some frequently asked questions, with some pointers on where to find references to support these answers.
The first set of questions we're usually asked is along the lines of:
Q: Do you house the servers where ArcGIS Online is hosted?
Q: If not, do you have a third party such as Amazon or Microsoft that handles this for you?
This is an example of a question that's documented in DCS-04 in the ArcGIS.com Cloud Security Alliance Controls Matrix. The controls documented in the Cloud Security Controls Matrix map to NIST SP 800-53 and ISO/IEC 27001:2013, and cover a great many aspects of ArcGIS Online.
Q: What else can you share from a security, privacy, or compliance standpoint?
We've accumulated a good bit of information for our customers. In fact, we curate https://trust.arcgis.com, which is a repository for knowledge regarding security, compliance, and privacy. Of particular note is our 'documents' section, found here: https://trust.arcgis.com/en/documents/.
Customers should know that ArcGIS Online is a FedRAMP Tailored Low solution authorized by the United States Department of Agriculture (USDA). This includes the requirement to adhere to robust continuous monitoring requirements, and security controls are reviewed at a minimum of every three (3) years.
Q: Who can I reach out to to obtain additional or more granular information if I don't see it on the ArcGIS Trust Center?
Esri's PSIRT is here to help. If we're missing something on the Trust Center, let us know. We'll answer your question and update our docs.
Let us know how else we can help!