
1Password Business Compliance & Certifications 2026
1Password holds the full ISO 27001 family, SOC 2 Type 2 and TX-RAMP in one trust center. Zero-knowledge design keeps even 1Password out of your vaults.
1Password Business Compliance verdict
1Password brings a deep certification set.
The full ISO 27001 family, SOC 2 Type 2, CSA STAR, TISAX, plus TX-RAMP all live in one SafeBase trust center. The sensitive reports sit behind an access request.
A 1Password compliance review starts at the trust center. Most of what you need is already public. The exceptions release only on an access request: the AgileBits SOC 2 report and bridge letter, the ISO 27001 certificate and Statement of Applicability, the 2025 pentest and the network diagram. Pull them to check scope and validity. The self-assessments on file, CAIQ, HECVAT, SIG, can shortcut your own questionnaire. Federal work is where the gap shows. The government listing is TX-RAMP, a state authorization rather than FedRAMP, so confirm it clears your agency's bar. For control objectives, lean on the design. The zero-knowledge dual-key model and Secure Remote Password cover confidentiality and in-transit protection. Vault permissions and MFA guard sign-in. Passkeys and SCIM provisioning handle identity and lifecycle, the Events API streams audit to your SIEM, and Watchtower flags breached items. Plan operationally for the Secret Key recovery model, keep any self-hosted SCIM bridge reachable, confirm PCI scope for cardholder data, and budget for the missing free tier.
- Certifications run deep: the full ISO 27001 family, SOC 2 Type 2, CSA STAR, TISAX, plus TX-RAMP. TX-RAMP is a Texas state authorization, not FedRAMP.
- Security is zero-knowledge by design. A lost account password and Secret Key make recovery difficult, and that trade-off is deliberate.
- The most sensitive evidence sits in the private set: the SOC 2 report, ISO certificates, the annual pentest. A trust-center access request unlocks it.
- ISO
- 27001:2022 / 27017 / 27018 / 27701
- SOC 2
- Type 2 (report in trust center)
- Encryption
- Zero-knowledge dual-key + Secret Key
- Gov
- TX-RAMP (state, not FedRAMP)
- Testing
- Annual pentest + public bug bounty
This page covers 1Password's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.
1Password Business certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| ISO/IEC 27001:2022 (+ SoA) | Certified | Certificate and Statement of Applicability in the trust center |
| ISO/IEC 27017 / 27018 / 27701 | Certified | Cloud-security, cloud-privacy and PIMS certificates |
| SOC 2 Type 2 | Certified | AgileBits SOC 2 report and bridge letter (access request) |
| CSA STAR Level 1 | Listed | CAIQ self-assessment, public on the CSA registry (AgileBits, listed 2021) |
| TISAX | Assessed | Automotive information-security label |
| TX-RAMP | Authorized | Texas state authorization, not FedRAMP |
| GDPR / VPAT | Compliant | DPA, subprocessor list, accessibility VPAT |
Compliance evidence to request from 1Password Business
| Evidence | Type | How to get it |
|---|---|---|
| AgileBits SOC 2 report + bridge letter | Report | Trust center, access request |
| ISO 27001 certificate + Statement of Applicability | Certificate | Trust center |
| 2025 annual penetration test | Report | Trust center, access request |
| Network diagram + PCI DSS materials | Document | Trust center, access request |
| CAIQ v4.0.2, HECVAT Full, SIG | Self-assessment | Trust center |
| Public bug bounty (HackerOne) | Continuous | Public program |
What to verify before you rely on 1Password Business
- The government authorization is TX-RAMP (Texas), not FedRAMP, so confirm it satisfies your federal or agency requirement.
- The SOC 2 report, ISO certificates and pentest sit in the private document set and require an access request through the trust center.
- PCI DSS materials are present, but confirm the exact scope for your cardholder-data environment rather than assume coverage.
1Password Business Compliance FAQ
Which compliance certifications does 1Password hold?
A broad set, all documented in the SafeBase trust center. The core is the full ISO 27001 family: 27001:2022 with a Statement of Applicability, then 27017, 27018 and 27701. Around it sit SOC 2 Type 2 with a published AgileBits report and bridge letter, CSA STAR Level 1, TISAX, TX-RAMP, a VPAT, plus GDPR. The trust center also carries a current annual pentest, a network diagram and PCI DSS materials. One caveat travels with all of it: TX-RAMP is a Texas state authorization, not FedRAMP.
How does 1Password's encryption protect my data?
Through a zero-knowledge dual-key model. Your account is locked by a password that 1Password never stores and only you know, combined with a 128-bit Secret Key, so even 1Password cannot decrypt what you save. Secure Remote Password authenticates the account without sending credentials over the Internet. End-to-end encryption uses established algorithms, and further controls verify the browser signature and clear item details from the clipboard.
How do I get 1Password's compliance evidence?
From the SafeBase trust center, which splits documents into a public and a private set. The public materials are available immediately. The sensitive ones, the AgileBits SOC 2 report and bridge letter, the ISO certificates, the 2025 annual pentest and the network diagram, need an access request. The trust center also offers self-assessments for CAIQ, HECVAT, SIG. 1Password publishes independent audit results on its site and runs a large public bug bounty.
How does 1Password handle access control and audit logs?
Access is governed through vaults and your identity provider. Vault permissions and access tracking decide who can see and share each credential. MFA and passkeys protect sign-in, and the SCIM bridge lets admins provision users and groups from the IdP, then grant, revoke or suspend access. The Events API streams sign-in attempts, item usage, admin actions to your SIEM. Watchtower flags breached items, and Extended Access Management adds device trust beyond traditional IAM.
What should I verify before relying on 1Password for compliance?
Start by confirming that TX-RAMP, not FedRAMP, satisfies any government requirement you carry. Pull the SOC 2, ISO, plus pentest evidence from the trust center under an access request, and read the scope and validity dates. Plan for the Secret Key recovery model, since a lost password and key are hard to undo by design, and keep any self-hosted SCIM bridge reachable. Confirm PCI DSS scope for cardholder environments, and account for the absence of a permanent free tier.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| 1Password Teams | Official product page | July 10, 2026 |
| 1Password Security | Security and compliance | July 10, 2026 |
| 1Password Trust center | Product documentation | July 10, 2026 |
| Cloud Security Alliance STAR | CSA STAR security posture | July 10, 2026 |
Every fact on this 1Password Business page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore 1Password Business
Every page on 1Password Business in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
