AI vendors with CSA STAR certification
AI vendors listed in the Cloud Security Alliance STAR Registry, a free public registry of cloud-vendor security attestations based on the Cloud Controls Matrix.
The Cloud Security Alliance (CSA) STAR Registry is a public registry of cloud-vendor security assessments based on the CSA Cloud Controls Matrix (CCM). It has three levels: Level 1 Self-Assessment (publicly self-attested CAIQ questionnaire), Level 2 Third-Party Assessment (independent audit, equivalent to SOC 2 or ISO 27001), and Level 3 Continuous Auditing (in development). STAR is widely respected in cloud security circles and complements rather than replaces SOC 2 / ISO 27001.
Vendors with CSA STAR
- Amazon (AWS): Score 12.34 · low
- Salesforce: Score 12.74 · low
- IBM: Score 14.11 · low
- Microsoft: Score 14.68 · low
- SAP: Score 16.63 · low
- Google DeepMind: Score 18.85 · low
- Oracle: Score 19.89 · low
- Palo Alto Networks: Score 19.89 · low
- Snowflake: Score 24.36 · moderate
- ServiceNow: Score 24.4 · moderate
- Databricks: Score 25.4 · moderate
- Naver: Score 31.18 · moderate
- HubSpot: Score 33.63 · moderate
- Alibaba Cloud: Score 42.24 · elevated
Buyer checklist
- Verify the vendor's STAR registry listing directly: anyone can self-assert, and the registry shows what level they're at.
- For Level 1, the CAIQ questionnaire response is a starting point for diligence — not a substitute for it.
- For Level 2, confirm which attestation backed the registration (CSA STAR Attestation vs Certification).
- Cross-reference the CCM control coverage with your specific risk concerns.
- STAR is most useful in cloud-native procurement; less relevant for traditional on-prem AI deployments.
Compliance is necessary, not sufficient. Holding CSA STAR is a meaningful baseline, but no certification covers AI-specific risk end-to-end. Layer this on top of vendor-specific diligence — sub-processor disclosure, training-data policy, model card transparency, dependency-chain mapping.