Compliance at Docker

The security and privacy of customer data is Docker’s top priority. To demonstrate our commitment to protecting our customers’ information, Docker works with independent auditors to verify its security and has achieved SOC 2 Type 2 and ISO 27001 Certification.

ISO/IEC 27001

SOC 2

CSA Trusted Cloud

Our compliance

Docker Compliance is aligned with ISO/IEC 27001, SOC 2 trust services criteria, CSA Trusted Cloud Architectural Standard, and other applicable standards, frameworks, and best practices.

Docker also complies with many privacy regulations and is self-certified with the Data Privacy Framework.

Audits and Certifications FAQs

Who’s responsible for Docker Compliance?

Docker’s Information Security team manages our security and compliance program. A dedicated team with legal, security engineering, information security, and GRC resources supervises all security and privacy-related business operations.

Has Docker’s security been SOC 2 audited by a certified third party?

Yes. Docker completed a SOC 2 Type 2 audit for the period of November 1, 2023, through January 31, 2024, and undergoes annual SOC 2 Type 2 audits.

How can I get a copy of Docker’s SOC 2 report?

Our SOC 2 Type 2 report is available to customers under NDA through your Account Executive. Customers can access Whistic by submitting a request for up-to-date security documentation.

When will your next SOC 2 Type 2 report be available?

Our next SOC 2 Type 2 report will be available in April 2025 and will cover the period February 1, 2024 through January 31, 2025.

What Docker products are in scope for your SOC 2 audits?

The current SOC 2 Type 2 audit includes Docker Desktop, Docker Hub, Docker Scout, and Docker Build Cloud. Docker will evaluate additional released products for introduction into the audit scope based on their GA release date and the reporting period.

Are sub-processors audited?

Docker relies on cloud hosting providers and sub-processors in a shared responsibility model. Their security responsibilities are covered in the cloud hosting provider’s compliance attestations (e.g., SOC 2, ISO 27001), which Docker reviews annually.

Does the scope of the SOC audit include both public and private registries/repositories?

Yes. All of Docker Hub is included, which includes public and private repositories.

Is Docker ISO 27001 certified?

Yes. Docker achieved ISO 27001 certification in April 2024. Our ISO documents are available to customers under NDA on Whistic.

Is Docker NIST SP 800-53 certified?

Docker follows NIST standards where applicable, but our alignment is not 100%.

Does Docker perform internal audits?

Yes. Docker has a Governance, Risk, and Compliance team that is responsible for performing internal assessments of Docker’s control environment. The audits are focused on technical and security requirements, as well as compliance with contractual obligations and applicable legislation (i.e., GDPR).

Does Docker give customers audit rights?

Docker does not provide audit rights beyond questionnaires. Our SOC 2 report, security policy TOCs, and frequently requested security documentation are available to customers on Whistic. Customers can access Whistic by submitting a documentation request.

Does Docker comply with GDPR, CCPA, and other data privacy laws?

Yes. Due to our worldwide customer base, Docker is subject to many different privacy laws and regulations. Docker complies with leading privacy regulations like GDPR, CCPA, CPA, CTDPA, VCDPA, UCPA, and the APEC Privacy Framework. See our Privacy FAQs for more information.
