Twingate compliance
★★★★★ 4.8 CE

Twingate Compliance & Certifications 2026

Twingate keeps a lean cert list: an annual SOC 2 Type 2 on request, plus DORA, GDPR, HIPAA and PCI DSS. No ISO 27001 or FedRAMP; the model leans on your IdP.

Twingate Compliance verdict

Verified today·4 sources checked

Twingate runs a transparent, well-documented compliance program that is lean on formal certifications.

It undergoes an annual SOC 2 Type 2 audit, available on request, and publishes support for DORA, GDPR, HIPAA and PCI DSS. Behind that sits an unusually detailed security document.

What it means for your security review

Twingate is strong on documented practice and honest about scope. Request the SOC 2 Type 2 report from your contact, and review the detailed security document. It covers encryption, with AES-256 at rest in GCP and TLS in transit, NIST-aligned ciphers, daily tested backups, plus a no-passwords-stored data model. If you need DORA, GDPR, HIPAA or PCI DSS alignment, the Trust Center documents support. If you need ISO 27001 or FedRAMP, treat those as gaps and confirm directly, since they are not published. Lean on the architecture for control objectives: resource-level least-privilege access, IdP-delegated SSO and MFA, separation of authentication and data flows, relays that cannot decrypt, plus extensive audit logging. Use the open-source Gateway and Operator on GitHub, and Hacker House testing, as independent checks you can actually inspect.

Honest limits
  • Published certifications are SOC 2 Type 2 plus support for DORA, GDPR, HIPAA and PCI DSS. ISO 27001 and FedRAMP are not listed in the Trust Center.
  • The SOC 2 report is available on request from a Twingate contact, not as a self-service download.
  • The independent signal here is open-source inspectability, the Gateway and Operator on GitHub, not a regulator listing or a review rating.
SOC 2
Type 2, annual (on request)
Standards
DORA, GDPR, HIPAA, PCI DSS
Encryption
AES-256 at rest (GCP), TLS
Auth
Delegated to IdP, no passwords stored
Independent
Open-source Gateway + Operator
View sources

This page covers Twingate's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.

Twingate certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 2 Type 2Audited annuallyReport available on request from your Twingate contact
GDPR / HIPAA / PCI DSS / DORASupportedCompliance pages documented in the Trust Center
Third-party security testingOngoingHacker House: white-box analysis, fuzzing, threat modeling
Open-source componentsAuditableGateway and Kubernetes Operator public on GitHub (MPL 2.0)
NIST SP 800-52 Rev. 2FollowedNo proprietary cryptography; standard cipher selection
Encryption (AES-256 + TLS)EnforcedAt rest in Google Cloud with AES-256, in transit over TLS
ISO 27001 / FedRAMPNot listedNot among the published certifications; confirm directly

Compliance evidence to request from Twingate

EvidenceTypeHow to get it
SOC 2 Type 2 reportReportOn request from your Twingate contact
Security documentDocumentPublished, people / data / infra / product
Open-source code (Gateway, Operator)SourcePublic on GitHub, independently auditable
Hacker House testingAssessmentThird-party firm, confirmation on request
Customer penetration testTestPermitted with prior approval and notice

What to verify before you rely on Twingate

  • The published certifications are SOC 2 plus DORA, GDPR, HIPAA and PCI DSS; ISO 27001 and FedRAMP are not listed in the Trust Center, so do not assume them.
  • The SOC 2 report is not self-service; you must contact Twingate to obtain a copy, so budget time in the security review.
  • Because authentication is delegated to the identity provider, your effective security depends on the strength of your IdP configuration and MFA.
  • Twingate stores user and infrastructure metadata in Google Cloud (no passwords), so confirm GCP regions and the metadata scope meet your residency needs.

Twingate Compliance FAQ

Is Twingate SOC 2 compliant?

Yes. Twingate undergoes annual SOC 2 audits and holds a SOC 2 Type 2 report, meaning its controls are tested over a period of time rather than at a single point. The report is not a self-service download. Existing and prospective customers obtain it by reaching out to their Twingate contact. Alongside SOC 2, the Trust Center documents support for DORA, GDPR, HIPAA and PCI DSS.

Is Twingate ISO 27001 or FedRAMP certified?

Twingate does not publicly list ISO 27001 or FedRAMP among its certifications. Its Trust Center names SOC 2, DORA, GDPR, HIPAA and PCI DSS. For ISO or federal requirements you should treat these as gaps and confirm current status directly rather than assume coverage. The product can still operate inside a customer's own authorized boundary, but it is not itself federally authorized.

How does Twingate protect and store customer data?

It minimizes and encrypts. Twingate stores user details without passwords and infrastructure metadata such as network details and ACLs. It encrypts customer data at rest in a Google Cloud managed database with AES-256 or better and in transit over TLS, and uses no proprietary cryptography, following NIST SP 800-52 Rev. 2. Backups are automated daily and tested, and data is permanently deleted on request. Because user-data flows are end-to-end encrypted, Twingate cannot decrypt traffic even when it passes through its relays.

How do I get Twingate's compliance evidence?

Request the SOC 2 Type 2 report from your Twingate contact, and review the published security document, which details people, data, infrastructure and product security. Independent assurance comes from a few places. Hacker House, a third-party security firm, performs white-box analysis, fuzzing and threat modeling. The Gateway and Kubernetes Operator are open source on GitHub. Customer penetration tests are also permitted with prior approval.

What should I verify before relying on Twingate for compliance?

Confirm that a SOC 2 Type 2, plus DORA, GDPR, HIPAA and PCI DSS, meets your bar, and that the absence of ISO 27001 and FedRAMP is acceptable. Because authentication is delegated to your identity provider, your security depends on that configuration and its MFA. Check GCP regions and metadata scope for residency. Use the open-source code and Hacker House testing as the independent checks rather than a star rating.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Twingate OfficialOfficial product pageJuly 10, 2026
GitHub Twingate GatewayIndependent referenceJuly 10, 2026
Twingate Trust CenterTrust CenterJuly 10, 2026
Twingate Twingate SecurityTwingate SecurityJuly 10, 2026

Every fact on this Twingate page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.