GitHub has SOC for Service Organizations reports
GitHub has achieved SOC 2 Type 1 and SOC 1 Type 1 compliance for GitHub Business Cloud.
At GitHub, we invest in security best practices to make sure your data stays safe, your developers are productive, and your team can focus on solving problems. Today we’re excited to share even more progress: GitHub has achieved the AICPA Service Organization Controls (SOC) 2 Type 1 and SOC 1 Type 1 compliance for GitHub Business Cloud. And for our international customers, we’ve also achieved compliance with two IAASB International Standards on Assurance Engagements: the ISAE 3000 and ISAE 3402.
If you’re currently using GitHub Business Cloud, you can request a copy of these audit reports through your Support team.
Our focus on your security
We’re proud of this milestone, but security is an ongoing effort. Our information security program is continually focused on providing the best software development platform for engineers around the world. The SOC/ISAE reports, our recently obtained FedRAMP Tailored LI-SaaS (Low Impact Software as a Service) Authority to Operate (ATO), and our Cloud Security Alliance CAIQ responses are all ways we’ve committed to providing GitHub Business Cloud customers and their auditors with appropriate levels of assurance that their data is safe and secure on GitHub.com. As we work to improve our security posture, we’re also committed to issuing both SOC 1 and SOC 2 Type 2 assurance reports in six months and will continue on that cadence.
What is SOC?
SOC for Service Organizations reports are assurance reports, issued by an independent auditor, on the internal controls of a service organization. These reports help people looking to use an outsourced service like GitHub assess and address the associated risks.
SOC 2 is widely considered the gold standard for security compliance for software-as-a-service (SaaS) companies in the US. SOC 2 requires companies to establish and follow strict information security policies and procedures, including those that protect customer data.
SOC 1 attests to a service organization’s controls over the systems and processes that are relevant to its customers’ internal control over financial reporting, that is, controls that could materially affect the customers’ financial statements.
ISAE 3402 and ISAE 3000 assurance opinions are included in the SOC 1 and SOC 2 Type 1 reports, respectively. These enable us to represent our commitment to security under an internationally recognized audit standard.
Our 2018 SOC reports provide assurance that GitHub is complying with the AICPA’s standards. To achieve compliance with the SOC and ISAE requirements, GitHub has implemented and adheres to common controls over security, the ones that matter most to our customers. As Type 1 reports, the audits attest that these controls are suitably designed and implemented as of the report date (operating effectiveness over a period of time is what the Type 2 reports will cover), and that they span operational practices like logical and physical access management, data storage and recovery, encryption, change management, vendor management, incident management, detection and response, security and privacy awareness training, organizational management, and personnel security.
To learn more about security and compliance at GitHub, visit https://github.com/security.