Privacy & Compliance | 2026 | Updated

List of ISO 27701 Certified Data Processors

Verified directory of organizations holding ISO/IEC 27701 certification as PII processors, covering cloud platforms, SaaS vendors, and managed service providers with independently audited privacy information management systems.

Available Data Fields

Company Name
Certification Scope (Processor/Controller)
Certifying Body
Certificate Valid Through
Services Covered
Regions of Operation
Privacy Frameworks Supported
Industry Sector
Contact Information
Compliance Documentation URL

Data Preview

| Company | Scope | Certifying Body | Services |
|---|---|---|---|
| Google Cloud | PII Processor | Ernst & Young CertifyPoint | Google Cloud Platform, Google Workspace |
| Microsoft Azure | PII Processor | Schellman & Company | Azure, Dynamics 365, Power Platform |
| Amazon Web Services | PII Processor | EY CertifyPoint | AWS Cloud Services |
| Cloudflare | PII Processor & Controller | Schellman & Company | CDN, DNS, DDoS Protection, Zero Trust |
| Zoom Communications | PII Processor | Schellman & Company | Zoom UCaaS Platform |

1,000+ records available for download.


ISO 27701 Certified Data Processors: Building a Privacy-Compliant Vendor Stack

ISO/IEC 27701 is the global benchmark for privacy information management, providing a certifiable framework that maps directly to GDPR processor obligations under Articles 28 and 32. For Data Protection Officers evaluating third-party processors, an ISO 27701 certificate is one of the strongest signals that a vendor has implemented systematic, auditable controls around personal data handling.

What the Certification Actually Proves

Unlike self-declared GDPR compliance, ISO 27701 requires an independent third-party audit by an accredited certification body (e.g., Schellman, BSI, Bureau Veritas, EY CertifyPoint). The audit verifies:

  • A functioning Privacy Information Management System (PIMS) integrated with ISO 27001 controls
  • Documented PII processing purposes, lawful bases, and data subject rights procedures
  • Sub-processor management, cross-border transfer safeguards, and breach notification processes
  • Annual surveillance audits and full recertification every three years

Adoption Landscape

Since its publication in 2019, ISO 27701 adoption has accelerated sharply — driven by GDPR enforcement actions, Schrems II implications, and enterprise procurement teams adding it as a vendor requirement. Major cloud providers (AWS, Azure, Google Cloud) achieved certification early, followed by SaaS platforms across HR, finance, and collaboration categories. In October 2025, ISO published a revised standalone version (ISO/IEC 27701:2025), decoupling it from ISO 27001 and broadening accessibility for privacy-focused organizations.

Key Sectors with High Certification Density

Cloud Infrastructure & IaaS
AWS, Microsoft Azure, Google Cloud, OVHcloud, IBM Cloud — certified as PII processors covering core compute, storage, and networking services.
SaaS & Collaboration
Zoom, Workday, Salesforce (Slack), OneTrust — certified for specific product lines with defined processing scopes.
Managed Services & Outsourcing
BPO providers and managed security services increasingly pursue certification to satisfy due diligence requirements in DPA negotiations.

Using This Data for Vendor Assessment

When evaluating processors from this dataset, DPOs should verify:

  • Scope alignment — certificates cover specific services, not the entire company. Confirm the certified scope includes the service you intend to use.
  • Role designation — processor vs. controller certification addresses different obligations. Most enterprise SaaS vendors certify as processors.
  • Surveillance audit dates — a certificate nearing expiry without a recent surveillance audit may indicate lapsed compliance.
  • Sub-processor chain — ISO 27701 requires documented sub-processor management, but does not guarantee sub-processors are themselves certified.

Frequently Asked Questions

Q. Does ISO 27701 certification guarantee GDPR compliance?

No. ISO 27701 demonstrates that an organization has implemented a structured privacy management system aligned with GDPR principles, but certification alone does not constitute legal GDPR compliance. It is, however, one of the strongest independently verified indicators of a processor's privacy maturity.

Q. How is the certification scope determined for each processor?

Each certificate specifies the exact services, business units, and data processing activities covered. Our data captures the certified scope as stated on the certificate, so you can verify whether it includes the specific service relevant to your processing agreement.

Q. How current is this data?

When you request this dataset, our AI crawls public certification registries, vendor compliance pages, and accreditation body directories in real time to retrieve the latest certificate details. This is not a static database — data is collected fresh at the time of your request.

Q. Are sub-processors of certified companies also included?

This dataset focuses on organizations that directly hold ISO 27701 certification. Sub-processors may or may not be independently certified. Where a certified processor publicly discloses its sub-processor list, we include that as supplementary data.

Q. What is the difference between the 2019 and 2025 versions of ISO 27701?

ISO/IEC 27701:2025 is a revised standalone standard that can be implemented independently of ISO 27001, whereas the 2019 version required ISO 27001 as a prerequisite. Both versions are currently valid, and our data indicates which version each organization is certified against.