Compliance Frameworks

Every compliance attestation FluffyStack tracks across 708 cloud services and 37 providers. Each card lists the issuing body, the jurisdiction it applies to, a plain-English summary, an official docs link, and how many catalogue services currently hold it.

Catalogue claims reflect each vendor's published “services in scope” pages where we have them, otherwise the provider's default attestation set. Always verify against the vendor's current scope document before procurement decisions.

Global / multi-jurisdiction

EU General Data Protection Regulation

European Data Protection Board (EDPB) · European Union

EU-wide data-protection law governing how personal data of EU residents may be processed, transferred, and stored. Applies to any service handling EU personal data regardless of where it's hosted.

Official documentation

ISO/IEC 27001 Information Security Management

International Organization for Standardization (ISO) · Global

International standard for Information Security Management Systems (ISMS). Defines risk-assessment, control selection, and continual-improvement requirements. The global baseline for vendor risk assessments.

Official documentation

AICPA Service Organization Control Type 2

American Institute of Certified Public Accountants (AICPA) · Global

Audited attestation that a service organisation has effective security, availability, processing integrity, confidentiality, and privacy controls. Type 2 means the controls were tested for operating effectiveness over an observation period of 6–12 months, not just described at a point in time.

Official documentation

Payment Card Industry Data Security Standard

PCI Security Standards Council · Global

Mandatory standard for any system storing, processing, or transmitting cardholder data. Required by Visa, Mastercard, Amex, Discover, JCB. v4.0 introduces customised-implementation pathways.

Official documentation

Cloud Security Alliance Security Trust Assurance and Risk

Cloud Security Alliance (CSA) · Global

Public registry of cloud-provider self-assessments and third-party audits against the CSA Cloud Controls Matrix. Three levels: Self-Assessment, Attestation/Certification, Continuous Monitoring.

Official documentation

United States

US Health Insurance Portability and Accountability Act

US Department of Health & Human Services · United States

US federal law setting the privacy and security baseline for Protected Health Information (PHI). A cloud service claiming HIPAA must sign a Business Associate Agreement (BAA) with the customer.

Official documentation

US Federal Risk and Authorization Management Program

US General Services Administration (GSA) · United States

Standardised cloud-security assessment for US federal agencies. Three impact levels — Low, Moderate, High. Required for any cloud service hosting federal data. Authorisation is service- and region-specific.

Official documentation

United Kingdom

UK Government G-Cloud framework

UK Crown Commercial Service (CCS) · United Kingdom

UK government procurement framework for cloud services. Listing on the G-Cloud Digital Marketplace is required to sell cloud to UK public-sector buyers. The current iteration is G-Cloud 14.

Official documentation
Cyber Essentials · 0 services

UK NCSC Cyber Essentials (baseline-security scheme)

UK National Cyber Security Centre (NCSC) · United Kingdom

NCSC's baseline-security scheme. Two tiers — Basic (self-certified) and Plus (independently audited). Required for every UK central-government supplier and most regulated industries.

Official documentation

Europe

Hébergement de Données de Santé (French health-data hosting certification)

Agence du Numérique en Santé (ANS), France · FR

French health-data hosting certification, conceptually France's HIPAA. Mandatory for any provider hosting French patient data — covers technical, organisational, and physical-security requirements specific to medical workloads.

Official documentation
SecNumCloud · 9 services

ANSSI SecNumCloud — French sovereign-cloud qualification

ANSSI (Agence nationale de la sécurité des systèmes d'information), France · FR

ANSSI's French sovereign-cloud qualification. Required for processing data classified Sensitive in the French public sector. Held only by OVHcloud Sovereign Cloud, Outscale's regulated SKU, and the Bleu / S3NS joint ventures.

Official documentation

BSI C5 — Cloud Computing Compliance Controls Catalogue (Germany)

Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany · DE

BSI's Cloud Computing Compliance Controls Catalogue — the German federal baseline for cloud-service procurement. Claimed by every hyperscaler operating in DE, plus STACKIT, IONOS, T-Systems-owned providers, and Exoscale.

Official documentation

Trusted Information Security Assessment Exchange (German automotive)

Verband der Automobilindustrie (VDA), Germany · DE

VDA-managed industry scheme for the German automotive supply chain. Mandatory if hosting OEM data for VW, BMW, Mercedes-Benz, Audi, Porsche. Assessment levels AL1/AL2/AL3 scale with data sensitivity.

Official documentation

Esquema Nacional de Seguridad — Nivel Alto (Spain)

Centro Criptológico Nacional (CCN-CERT), Spain · ES

Spanish National Security Framework, Alta tier. Mandatory for Spanish public-sector workloads handling classified or sensitive data. Three tiers — Básica, Media, Alta. Recognised by CCN-CERT.

Official documentation

Asia-Pacific & Canada

Australian Signals Directorate Information Security Registered Assessors Program

Australian Signals Directorate (ASD) · AU

Australian Government's accreditation scheme for cloud services handling Commonwealth data. Assessment tiers map to PROTECTED, SECRET, TOP SECRET. Required by Australian federal agencies.

Official documentation

Information system Security Management and Assessment Program (Japan)

IPA + METI, Government of Japan · JP

Japanese government-wide cloud assessment scheme administered jointly by IPA (technical) and METI (policy). Required for Japan-resident public-sector procurement. Registered cloud services listed in a public catalogue.

Official documentation

Multi-Tier Cloud Security Level 3 (Singapore)

Infocomm Media Development Authority (IMDA), Singapore · SG

IMDA's three-tier standard; Level 3 is Singapore's public-sector baseline. Required for whole-of-government cloud (WOG-Cloud) procurement. Held by hyperscaler Singapore regions plus Tencent and Alibaba SG.

Official documentation

Korean Information Security Management System (KISA)

Korea Internet & Security Agency (KISA) · KR

Mandatory for South Korean cloud-service providers serving the public sector or regulated industries. The Cloud Security Assurance Program (CSAP) is the cloud-specific extension. Held by Naver Cloud, KT Cloud, and Korean hyperscaler regions.

Official documentation
CCCS Medium · 0 services

Canadian Centre for Cyber Security Cloud IT Security Assessment, Medium

Canadian Centre for Cyber Security (CCCS) · CA

Canadian federal baseline for cloud, comparable to FedRAMP Moderate. Required by Government of Canada departments for hosting Protected B / Medium-impact workloads. Reciprocity with FedRAMP Moderate is partial.

Official documentation

Notes on how FluffyStack records compliance

  • Each provider has a defaultCompliance array applied across all of its services unless a service has an explicit override. AWS C5 and IRAP are explicit per-service overrides drawn from AWS's public services-in-scope pages.
  • Holding a tag means the vendor has self-attested or been certified at the corporate level. Whether a specific instance of the service in a specific region carries the same coverage is a separate question — check the vendor's scope document for region eligibility before committing to procurement.
  • New frameworks are added when at least one provider in the catalogue legitimately claims them. Suggestions welcome via the GitHub issues tracker.