Nebius meets enterprise-level security standards: ISO 27001, SOC 2 Type II including HIPAA and more

As an AI-native cloud infrastructure provider, Nebius is built to ensure the security and privacy of data at every layer of computation, safeguarding the operational backbone of innovative workloads.

Today, we are thrilled to announce that we have achieved several major security and compliance milestones.

Independent third-party audits have verified that our security controls meet the requirements of SOC 2 Type II (including HIPAA) and align with the principles of NIS2 and DORA. We have also obtained ISO 27001 certification, extended it with ISO 27701 certification, incorporated the guidelines of ISO 27018, 27799 and 27032 into our practices, and obtained a standalone ISO 22301 certification.

Security at Nebius

As pioneers pushing the boundaries of AI infrastructure at a global scale, we relentlessly improve our control systems to ensure your workloads are safeguarded by the highest standards of security, privacy and operational resilience.

Our systems are designed with integrated security controls to mitigate risks, ensure business continuity and stay ahead of emerging threats. Your workloads are protected in every data state: Nebius maintains robust data center controls, a strict software development process, a structured vulnerability management program, structured incident reporting, and encryption at rest and in transit.

Enterprise-level security

Rigorous third-party audits and international compliance standards have confirmed that Nebius’ comprehensive control systems ensure enterprise-level security across data handling, access management and infrastructure protection.

SOC 2 Type II including HIPAA: Safe, reliable and confidential operations

A System and Organization Controls (SOC) 2 Type II audit attests that Nebius’ safeguards for system security, data protection and service reliability are both suitably designed and operating effectively over the audit period, measured against the Trust Services Criteria of the American Institute of Certified Public Accountants (AICPA).

We undergo independent SOC 2 Type II audits covering our products, systems and infrastructure. These audits are conducted by Deloitte, an independent third-party firm, which evaluates the design and operating effectiveness of the measures we use to protect customer data.

When Nebius was selecting a third-party assurance provider for SOC 2 Type II reporting, we wanted to work with an organization that reflects our own performance standards and level of service. Deloitte is recognized as one of the market leaders in SOC reports and internal control services. The company has been at the forefront of this work since the AICPA issued the initial standards in the early 1990s and continues to serve as an adviser to the AICPA to this day. As Nebius’ external auditors, they bring a dedicated group of risk and control specialists with deep industry experience in reducing risk and accelerating readiness.

The resulting SOC 2 Type II report by Deloitte provides an independent attestation of our controls. Customers who sign the necessary NDA can consult the report and verify for themselves that Nebius operates securely and dependably. The audit scope spans Nebius AI Cloud, AI Studio and TractoAI, and the regular, independent audits attest that these systems support responsible and safe AI development with reliable service delivery.

Our SOC 2 Type II report also includes a section in which the auditor assesses our controls against the requirements of the Health Insurance Portability and Accountability Act (HIPAA). It confirms that healthcare data is processed securely and responsibly on our platform, so customers can build AI-powered healthcare solutions in line with US law.

ISO 27001: Global-scale security controls

Issued by an accredited independent auditor, our ISO 27001 certification validates that Nebius’ Information Security Management System (ISMS) effectively identifies and manages a broad range of risks, from data breaches to model tampering and service outages.

By aligning our security controls with global best practices, we ensure that risks are addressed through structured, independently verified processes. This means that the certified safeguards of Nebius AI Cloud, AI Studio and TractoAI support regulatory compliance, strengthen operational resilience and warrant your trust.

  • Comprehensive data privacy (ISO 27701): Nebius is now certified as both a controller and processor of Personally Identifiable Information (PII), demonstrating our commitment to securing customer data in every service and operational context. By embedding privacy-specific controls into our operations, we extend our ISMS into a Privacy Information Management System (PIMS), ensuring safe and transparent data collection, processing, storage and deletion. This dual certification provides customers and regulators assurance we meet the highest international privacy standards at every stage of the data lifecycle.

  • Data protection in the cloud (ISO 27018): Following global best practices for data privacy in cloud computing, Nebius guarantees responsible, transparent handling of all personal data entrusted to us. Designed to protect PII in cloud environments, our controls ensure the confidentiality, integrity and availability of personal data by documenting customer consent, strictly limiting processing to agreed purposes and giving customers full control over their data.

  • Health-specific protections (ISO 27799): When Personal Health Information (PHI) is involved, our ISO 27001-certified data protection controls also follow the healthcare-specific security and regulatory requirements covered by the ISO 27799 standard. By processing sensitive medical data according to these guidelines, Nebius reinforces its commitment to protecting PHI, an ethical imperative for secure, trustworthy AI-powered healthcare services.

  • Cybersecurity, above and beyond (ISO 27032): Aligned with this international standard, Nebius goes beyond traditional information security guidelines to protect our networks, systems and the wider digital ecosystem against cybersecurity threats. By following ISO 27032 guidelines, Nebius actively mitigates risks from malicious actors, supply chain weaknesses and technology misuse, safeguarding cloud infrastructure and digital interactions.

ISO 22301: Ensuring service resilience

The ISO 22301 certification demonstrates that Nebius can anticipate, withstand and recover from disruptive events, ensuring our AI cloud services remain available and reliable even under challenging circumstances.

As confirmed by a third-party audit, our Business Continuity Management System (BCMS) meets globally recognized standards. Built on proactive risk assessment and rigorous testing, our BCMS enables us to coordinate rapid responses during disruptions, minimize the impact of incidents and improve our continuity processes to stay resilient against evolving threats.

NIS2: Strengthening EU-wide cybersecurity

As verified by a third-party audit, Nebius fulfills all obligations set by the EU in the NIS2 Directive, including cybersecurity risk management, strict incident reporting and governance requirements. The evaluation also demonstrates Nebius’ operational resilience, ensuring our AI-native cloud platform can withstand cybersecurity threats, maintain service continuity and fulfill regulatory duties for digital infrastructure in the EU.

DORA: Financial cybersecurity and resilience in the EU

As an AI cloud infrastructure provider to regulated financial organizations, Nebius complies with the requirements of the Digital Operational Resilience Act (DORA). As confirmed by a third-party audit, Nebius meets EU-level requirements for risk management, incident response, business continuity and governance in the financial sector. This compliance milestone confirms that Nebius delivers uninterrupted, secure services under strict oversight.

Security standard                     Scope                                                                    Trust center assets
------------------------------------  -----------------------------------------------------------------------  -------------------
SOC 2 Type II Report including HIPAA  Security, confidentiality and operational resilience                     Access report
ISO 27001 Certification               Information Security Management System (ISMS)                            Download PDF
ISO 27701 Certification               Extends our ISMS into a Privacy Information Management System (PIMS)     Download PDF
ISO 27018 Guidelines                  Protecting Personally Identifiable Information (PII) in cloud computing  Download PDF
ISO 27799 Guidelines                  Personal Health Information (PHI) protections                            Download PDF
ISO 27032 Guidelines                  Recognized cybersecurity best practices                                  Download PDF
ISO 22301 Certification               Business Continuity Management System (BCMS)                             Learn more
NIS2 Audit                            Strengthening EU-wide cybersecurity                                      Download confirmation letter
DORA Audit                            Financial cybersecurity and resilience in the EU                         Download confirmation letter

What’s next

Although we are excited to share these compliance milestones, independent verification does not in itself make our systems more secure: it validates the enterprise-grade security controls we have been building over the past year.

Our ongoing commitment to a security-by-default approach means that our systems are engineered with built-in safeguards, with the most secure settings enabled by default and without requiring manual intervention. Data protection and security are foundational requirements for powering the future of AI, and we will continue to improve our safety features.
