Compliance at Docker
The security and privacy of customer data is Docker’s top priority. To demonstrate our commitment to protecting our customers’ information, Docker works with independent auditors to verify its security and has achieved SOC 2 Type 1.
CSA Trusted Cloud
Docker Compliance is aligned with ISO/IEC 27001, SOC 2 trust services criteria, CSA Trusted Cloud Architectural Standard, and other applicable standards, frameworks, and best practices.
Docker also complies with many privacy regulations and is self-certified with the Data Privacy Framework.
Audits and Certifications FAQs
Who’s responsible for Docker Compliance?
Docker’s Information Security team manages our security and compliance program. A dedicated team with legal, security engineering, information security, and GRC resources supervises all security and privacy-related business operations.
Has Docker’s security been SOC 2 audited by a certified third party?
Yes. Docker completed a SOC 2 Type 1 audit in March 2023 and is preparing for a SOC 2 Type 2 audit. This audit will cover the period of November 1, 2023, through January 31, 2024. Afterward, we’ll undergo annual SOC 2 Type 2 audits.
How can I get a copy of Docker’s SOC 2 report?
Our SOC 2 Type 1 report is available to customers under NDA through your Account Executive. Customers can access Whistic by submitting a request for up-to-date security documentation.
When will your SOC 2 Type 2 report be available?
Our SOC 2 Type 2 report will be available soon after the audit period ends. We expect that to be in April/May 2024. Our SOC 2 Type 1 report is available until then.
What Docker products are in scope for your SOC 2 audits?
The current SOC 2 Type 1 report covers Docker Desktop and Docker Hub. Our upcoming SOC 2 Type 2 audit will include Docker Desktop, Docker Hub, and Docker Scout.
Are sub-processors audited?
Docker relies on cloud hosting providers and sub-processors in a shared responsibility model. Their security responsibilities are covered in the cloud hosting provider’s compliance attestations (e.g., SOC 2, ISO 27001), which Docker reviews annually.
Does the scope of the SOC audit include both public and private registries/repositories?
Yes. All of Docker Hub is included, which includes public and private repositories.
Is Docker ISO 27001 certified?
Docker is undergoing ISO 27001 certification at the same time as our initial SOC 2 Type 2 attestation. We expect our certificate in April/May 2024.
Is Docker NIST SP 800-53 certified?
Docker follows NIST standards where applicable, but our alignment is not 100%.
Does Docker perform internal audits?
Yes. Docker has a Governance, Risk, and Compliance team that is responsible for performing internal assessments of Docker’s control environment. The audits are focused on technical and security requirements, as well as compliance with contractual obligations and applicable legislation (i.e., GDPR).
Does Docker give customers audit rights?
Docker does not provide audit rights beyond questionnaires. Our SOC 2 report, security policy TOCs, and frequently requested security documentation are available to customers on Whistic. Customers can access Whistic by submitting a documentation request.
Does Docker comply with GDPR, CCPA, and other data privacy laws?
Yes. Due to our worldwide customer base, Docker is subject to many different privacy laws and regulations. Docker complies with leading privacy regulations like GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and The APEC Privacy Framework. See our Privacy FAQs for more information.
Learn about Docker’s certifications and compliance requirements such as SOC 2, GDPR and CCPA.
Find answers to questions about Docker’s security program and links to see product security notices, report a vulnerability, and more.
Find information about our BC/DR, backup processes, and availability. Access real-time and historical uptime information.
Learn about Docker’s Privacy Program and how we comply with specific regulations such as GDPR and CCPA.