
Twingate Compliance & Certifications 2026
Twingate keeps a lean cert list: an annual SOC 2 Type 2 on request, plus DORA, GDPR, HIPAA and PCI DSS. No ISO 27001 or FedRAMP; the model leans on your IdP.
Twingate Compliance verdict
Twingate runs a transparent, well-documented compliance program that is lean on formal certifications.
It undergoes an annual SOC 2 Type 2 audit, available on request, and publishes support for DORA, GDPR, HIPAA and PCI DSS. Behind that sits an unusually detailed security document.
Twingate is strong on documented practice and honest about scope. Request the SOC 2 Type 2 report from your contact, and review the detailed security document. It covers encryption, with AES-256 at rest in GCP and TLS in transit, NIST-aligned ciphers, daily tested backups, plus a no-passwords-stored data model. If you need DORA, GDPR, HIPAA or PCI DSS alignment, the Trust Center documents support. If you need ISO 27001 or FedRAMP, treat those as gaps and confirm directly, since they are not published. Lean on the architecture for control objectives: resource-level least-privilege access, IdP-delegated SSO and MFA, separation of authentication and data flows, relays that cannot decrypt, plus extensive audit logging. Use the open-source Gateway and Operator on GitHub, and Hacker House testing, as independent checks you can actually inspect.
- Published certifications are SOC 2 Type 2 plus support for DORA, GDPR, HIPAA and PCI DSS. ISO 27001 and FedRAMP are not listed in the Trust Center.
- The SOC 2 report is available on request from a Twingate contact, not as a self-service download.
- The independent signal here is open-source inspectability, the Gateway and Operator on GitHub, not a regulator listing or a review rating.
- SOC 2
- Type 2, annual (on request)
- Standards
- DORA, GDPR, HIPAA, PCI DSS
- Encryption
- AES-256 at rest (GCP), TLS
- Auth
- Delegated to IdP, no passwords stored
- Independent
- Open-source Gateway + Operator
This page covers Twingate's compliance posture and data handling. General capabilities and deployment mechanics live on their own pages.
Twingate certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 2 Type 2 | Audited annually | Report available on request from your Twingate contact |
| GDPR / HIPAA / PCI DSS / DORA | Supported | Compliance pages documented in the Trust Center |
| Third-party security testing | Ongoing | Hacker House: white-box analysis, fuzzing, threat modeling |
| Open-source components | Auditable | Gateway and Kubernetes Operator public on GitHub (MPL 2.0) |
| NIST SP 800-52 Rev. 2 | Followed | No proprietary cryptography; standard cipher selection |
| Encryption (AES-256 + TLS) | Enforced | At rest in Google Cloud with AES-256, in transit over TLS |
| ISO 27001 / FedRAMP | Not listed | Not among the published certifications; confirm directly |
Compliance evidence to request from Twingate
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 Type 2 report | Report | On request from your Twingate contact |
| Security document | Document | Published, people / data / infra / product |
| Open-source code (Gateway, Operator) | Source | Public on GitHub, independently auditable |
| Hacker House testing | Assessment | Third-party firm, confirmation on request |
| Customer penetration test | Test | Permitted with prior approval and notice |
What to verify before you rely on Twingate
- The published certifications are SOC 2 plus DORA, GDPR, HIPAA and PCI DSS; ISO 27001 and FedRAMP are not listed in the Trust Center, so do not assume them.
- The SOC 2 report is not self-service; you must contact Twingate to obtain a copy, so budget time in the security review.
- Because authentication is delegated to the identity provider, your effective security depends on the strength of your IdP configuration and MFA.
- Twingate stores user and infrastructure metadata in Google Cloud (no passwords), so confirm GCP regions and the metadata scope meet your residency needs.
Twingate Compliance FAQ
Is Twingate SOC 2 compliant?
Yes. Twingate undergoes annual SOC 2 audits and holds a SOC 2 Type 2 report, meaning its controls are tested over a period of time rather than at a single point. The report is not a self-service download. Existing and prospective customers obtain it by reaching out to their Twingate contact. Alongside SOC 2, the Trust Center documents support for DORA, GDPR, HIPAA and PCI DSS.
Is Twingate ISO 27001 or FedRAMP certified?
Twingate does not publicly list ISO 27001 or FedRAMP among its certifications. Its Trust Center names SOC 2, DORA, GDPR, HIPAA and PCI DSS. For ISO or federal requirements you should treat these as gaps and confirm current status directly rather than assume coverage. The product can still operate inside a customer's own authorized boundary, but it is not itself federally authorized.
How does Twingate protect and store customer data?
It minimizes and encrypts. Twingate stores user details without passwords and infrastructure metadata such as network details and ACLs. It encrypts customer data at rest in a Google Cloud managed database with AES-256 or better and in transit over TLS, and uses no proprietary cryptography, following NIST SP 800-52 Rev. 2. Backups are automated daily and tested, and data is permanently deleted on request. Because user-data flows are end-to-end encrypted, Twingate cannot decrypt traffic even when it passes through its relays.
How do I get Twingate's compliance evidence?
Request the SOC 2 Type 2 report from your Twingate contact, and review the published security document, which details people, data, infrastructure and product security. Independent assurance comes from a few places. Hacker House, a third-party security firm, performs white-box analysis, fuzzing and threat modeling. The Gateway and Kubernetes Operator are open source on GitHub. Customer penetration tests are also permitted with prior approval.
What should I verify before relying on Twingate for compliance?
Confirm that a SOC 2 Type 2, plus DORA, GDPR, HIPAA and PCI DSS, meets your bar, and that the absence of ISO 27001 and FedRAMP is acceptable. Because authentication is delegated to your identity provider, your security depends on that configuration and its MFA. Check GCP regions and metadata scope for residency. Use the open-source code and Hacker House testing as the independent checks rather than a star rating.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Twingate Official | Official product page | July 10, 2026 |
| GitHub Twingate Gateway | Independent reference | July 10, 2026 |
| Twingate Trust Center | Trust Center | July 10, 2026 |
| Twingate Twingate Security | Twingate Security | July 10, 2026 |
Every fact on this Twingate page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore Twingate
Every page on Twingate in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
