1Password Business compliance
★★★★★ 4.7 CE

1Password Business Compliance & Certifications 2026

1Password holds the full ISO 27001 family, SOC 2 Type 2 and TX-RAMP in one trust center. Zero-knowledge design keeps even 1Password out of your vaults.

1Password Business Compliance verdict

Verified today·4 sources checked

1Password brings a deep certification set.

The full ISO 27001 family, SOC 2 Type 2, CSA STAR, TISAX, plus TX-RAMP all live in one SafeBase trust center. The sensitive reports sit behind an access request.

What it means for your security review

A 1Password compliance review starts at the trust center. Most of what you need is already public. The exceptions release only on an access request: the AgileBits SOC 2 report and bridge letter, the ISO 27001 certificate and Statement of Applicability, the 2025 pentest and the network diagram. Pull them to check scope and validity. The self-assessments on file, CAIQ, HECVAT, SIG, can shortcut your own questionnaire. Federal work is where the gap shows. The government listing is TX-RAMP, a state authorization rather than FedRAMP, so confirm it clears your agency's bar. For control objectives, lean on the design. The zero-knowledge dual-key model and Secure Remote Password cover confidentiality and in-transit protection. Vault permissions and MFA guard sign-in. Passkeys and SCIM provisioning handle identity and lifecycle, the Events API streams audit to your SIEM, and Watchtower flags breached items. Plan operationally for the Secret Key recovery model, keep any self-hosted SCIM bridge reachable, confirm PCI scope for cardholder data, and budget for the missing free tier.

Honest limits
  • Certifications run deep: the full ISO 27001 family, SOC 2 Type 2, CSA STAR, TISAX, plus TX-RAMP. TX-RAMP is a Texas state authorization, not FedRAMP.
  • Security is zero-knowledge by design. A lost account password and Secret Key make recovery difficult, and that trade-off is deliberate.
  • The most sensitive evidence sits in the private set: the SOC 2 report, ISO certificates, the annual pentest. A trust-center access request unlocks it.
ISO
27001:2022 / 27017 / 27018 / 27701
SOC 2
Type 2 (report in trust center)
Encryption
Zero-knowledge dual-key + Secret Key
Gov
TX-RAMP (state, not FedRAMP)
Testing
Annual pentest + public bug bounty
View sources

This page covers 1Password's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.

1Password Business certifications and the evidence behind them

FrameworkStatusEvidence to request
ISO/IEC 27001:2022 (+ SoA)CertifiedCertificate and Statement of Applicability in the trust center
ISO/IEC 27017 / 27018 / 27701CertifiedCloud-security, cloud-privacy and PIMS certificates
SOC 2 Type 2CertifiedAgileBits SOC 2 report and bridge letter (access request)
CSA STAR Level 1ListedCAIQ self-assessment, public on the CSA registry (AgileBits, listed 2021)
TISAXAssessedAutomotive information-security label
TX-RAMPAuthorizedTexas state authorization, not FedRAMP
GDPR / VPATCompliantDPA, subprocessor list, accessibility VPAT

Compliance evidence to request from 1Password Business

EvidenceTypeHow to get it
AgileBits SOC 2 report + bridge letterReportTrust center, access request
ISO 27001 certificate + Statement of ApplicabilityCertificateTrust center
2025 annual penetration testReportTrust center, access request
Network diagram + PCI DSS materialsDocumentTrust center, access request
CAIQ v4.0.2, HECVAT Full, SIGSelf-assessmentTrust center
Public bug bounty (HackerOne)ContinuousPublic program

What to verify before you rely on 1Password Business

  • The government authorization is TX-RAMP (Texas), not FedRAMP, so confirm it satisfies your federal or agency requirement.
  • The SOC 2 report, ISO certificates and pentest sit in the private document set and require an access request through the trust center.
  • PCI DSS materials are present, but confirm the exact scope for your cardholder-data environment rather than assume coverage.

1Password Business Compliance FAQ

Which compliance certifications does 1Password hold?

A broad set, all documented in the SafeBase trust center. The core is the full ISO 27001 family: 27001:2022 with a Statement of Applicability, then 27017, 27018 and 27701. Around it sit SOC 2 Type 2 with a published AgileBits report and bridge letter, CSA STAR Level 1, TISAX, TX-RAMP, a VPAT, plus GDPR. The trust center also carries a current annual pentest, a network diagram and PCI DSS materials. One caveat travels with all of it: TX-RAMP is a Texas state authorization, not FedRAMP.

How does 1Password's encryption protect my data?

Through a zero-knowledge dual-key model. Your account is locked by a password that 1Password never stores and only you know, combined with a 128-bit Secret Key, so even 1Password cannot decrypt what you save. Secure Remote Password authenticates the account without sending credentials over the Internet. End-to-end encryption uses established algorithms, and further controls verify the browser signature and clear item details from the clipboard.

How do I get 1Password's compliance evidence?

From the SafeBase trust center, which splits documents into a public and a private set. The public materials are available immediately. The sensitive ones, the AgileBits SOC 2 report and bridge letter, the ISO certificates, the 2025 annual pentest and the network diagram, need an access request. The trust center also offers self-assessments for CAIQ, HECVAT, SIG. 1Password publishes independent audit results on its site and runs a large public bug bounty.

How does 1Password handle access control and audit logs?

Access is governed through vaults and your identity provider. Vault permissions and access tracking decide who can see and share each credential. MFA and passkeys protect sign-in, and the SCIM bridge lets admins provision users and groups from the IdP, then grant, revoke or suspend access. The Events API streams sign-in attempts, item usage, admin actions to your SIEM. Watchtower flags breached items, and Extended Access Management adds device trust beyond traditional IAM.

What should I verify before relying on 1Password for compliance?

Start by confirming that TX-RAMP, not FedRAMP, satisfies any government requirement you carry. Pull the SOC 2, ISO, plus pentest evidence from the trust center under an access request, and read the scope and validity dates. Plan for the Secret Key recovery model, since a lost password and key are hard to undo by design, and keep any self-hosted SCIM bridge reachable. Confirm PCI DSS scope for cardholder environments, and account for the absence of a permanent free tier.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
1Password TeamsOfficial product pageJuly 10, 2026
1Password SecuritySecurity and complianceJuly 10, 2026
1Password Trust centerProduct documentationJuly 10, 2026
Cloud Security Alliance STARCSA STAR security postureJuly 10, 2026

Every fact on this 1Password Business page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.