Compliance at Docker
ISO/IEC 27001
SOC 2
CSA Trusted Cloud
Our compliance
Audits and Certifications FAQs
Who’s responsible for Docker Compliance?
Docker’s Information Security team manages our security and compliance program. A dedicated team with legal, security engineering, information security, and GRC resources supervises all security and privacy-related business operations.
Has Docker’s security been SOC 2 audited by a certified third party?
Yes. Docker completed a SOC 2 Type 2 audit for the period of November 1, 2023, through January 31, 2024 and undergoes annual SOC 2 Type 2 audits.
How can I get a copy of Docker’s SOC 2 report?
Our SOC 2 Type 2 report is available to customers under NDA through your Account Executive. Customers can access Whistic by submitting a request for up-to-date security documentation.
When will your next SOC 2 Type 2 report be available?
Our next SOC 2 Type 2 report will be available in April 2025 and will cover the period February 1, 2024 through January 31, 2025.
What Docker products are in scope for your SOC 2 audits?
The current SOC 2 Type 2 audit includes Docker Desktop, Docker Hub, Docker Scout, and Docker Build Cloud. Docker will evaluate additional products that are released for introduction based on GA release date and the reporting period.
Are sub-processors audited?
Docker relies on cloud hosting providers and sub-processors in a shared responsibility model. Their security responsibilities are covered in the cloud hosting provider’s compliance attestations (e.g., SOC 2, ISO 27001), which Docker reviews annually.
Does the scope of the SOC audit include both public and private registries/repositories?
Yes. All of Docker Hub is included, which includes public and private repositories.
Is Docker ISO 27001 certified?
Yes. Docker achieved ISO 27001 certification in April 2024. Our ISO documents are available to customers under NDA on Whistic.
Is Docker NIST SP 800-53 certified?
Docker follows NIST standards where applicable, but our alignment is not 100%.
Does Docker perform internal audits?
Yes. Docker has a Governance, Risk, and Compliance team that is responsible for performing internal assessments of Docker’s control environment. The audits are focused on technical and security requirements, as well as compliance with contractual obligations and applicable legislation (i.e., GDPR).
Does Docker give customers audit rights?
Docker does not provide audit rights beyond questionnaires. Our SOC 2 report, security policy TOCs, and frequently requested security documentation are available to customers on Whistic. Customers can access Whistic by submitting a documentation request.
Does Docker comply with GDPR, CCPA, and other data privacy laws?
Yes. Due to our worldwide customer base, Docker is subject to many different privacy laws and regulations. Docker complies with leading privacy regulations like GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and The APEC Privacy Framework. See our Privacy FAQs for more information.
Related content
Security
Find answers to questions about Docker’s security program and links to see product security notices, report a vulnerability, and more.
Go to security
Availability
Find information about our BC/DR, backup processes, and availability. Access real-time and historical uptime information.
Go to availability
Privacy
Learn about Docker’s Privacy Program and how we comply with specific regulations such as GDPR and CCPA.
Go to privacy
Compliance
Learn about Docker’s certifications and compliance requirements such as SOC 2, ISO 27001, GDPR and CCPA.
Go to compliance