// Trust & Security Report

    Aqua Security Software Ltd. logo

    Aqua Security Software Ltd.

    Cloud Native Application Protection Platform (CNAPP): Container Security, Software Supply Chain Security, Cloud Workload Protection (CWPP), Kubernetes Security, CSPM, Code Security, Runtime Security, Vulnerability Management; open-source tools Trivy and Tracee; Aqua U.S. Gov (FedRAMP-authorized federal edition)

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II [listed under Compliance on trust center]; 'Aqua Security undergoes SOC 2 audit on the annual basis' examining Security, Availability, Processing Integrity, Confidentiality, and Privacy

    Verify on aquasec.com
    ISO 27001:2022
    HELD

    ISO 27001:2022 [listed on trust center]; 'ISO/IEC 27001:2022 standard' certified — renewed December 2024 across all worldwide locations

    Verify on trust.aquasec.com
    ISO 27017:2015 (Cloud Security)
    HELD

    ISO 27017:2015 [listed on trust center]; 'ISO/IEC 27017:2015 (Cloud service security) certified' — achieved December 2024

    Verify on aquasec.com
    ISO 27018:2019 (Cloud Privacy)
    HELD

    ISO27018:2019 [listed on trust center]; 'ISO/IEC 27018:2019 (Privacy protection in the cloud) certified' — achieved December 2024

    Verify on aquasec.com
    ISO 27701:2019 (Privacy Information Management)
    HELD

    ISO 27701:2019 [listed on trust center]; 'ISO/IEC 27701:2019 certified' — extends ISO 27001 framework to cover PII processing controls

    Verify on aquasec.com
    ISO/IEC 42001 (AI Management Systems)
    HELD

    'ISO/IEC 42001 certified' for Artificial Intelligence Management Systems — listed on Aqua's compliance page; AI Acceptable Use Policy also published in trust center

    Verify on aquasec.com
    CSA STAR
    HELD

    CSA Star [listed on trust center]; 'CSA STAR Level 1 — Security, Trust & Assurance Registry Self-Assessment' with public CAIQ documentation — NOTE: Level 1 is a self-assessment, not a third-party audit (Level 2/3)

    Verify on trust.aquasec.com
    FedRAMP High Impact
    HELD

    'Aqua Security Achieves FedRAMP High Impact Authorization' announced April 8, 2025; product Aqua U.S. Gov CNAPP hosted on AWS GovCloud, sponsored by Department of Education; meets over 400 security controls — applies to the federal product variant, not the commercial CNAPP

    Verify on aquasec.com
    NIST 800-53 Low Baseline
    HELD

    NIST 800-53 Low Baseline [listed under Compliance on trust center]; consistent with FedRAMP High authorization which requires meeting NIST 800-53 controls

    Verify on trust.aquasec.com
    GDPR (posture)
    HELD

    GDPR listed as a compliance framework on trust center; supported through ISO 27701 and ISO 27018 certifications; product privacy policy references a Data Processing Addendum for customer data

    Verify on aquasec.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA certification or Business Associate Agreement (BAA) found in public documentation. HIPAA is referenced only as a compliance control target that Aqua helps customers achieve ('Controls for PCI, HIPAA, GDPR, and beyond') — not as Aqua's own certification

    source: aquasec.com
    PCI DSS
    NOT CONFIRMED

    No PCI DSS certification found for Aqua Security itself. PCI is referenced as a compliance framework Aqua helps customers achieve ('Controls for PCI, HIPAA, GDPR, and beyond') — not as Aqua's own cert

    source: aquasec.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US, Europe (EU), and Israel; for EEA/UK/Switzerland data, transfers only to countries approved by the European Commission, Swiss Federal Council, and UK ICO

    No explicit public policy on AI training on customer data found. An 'AI Acceptable Use Policy' is listed in the trust center but requires access to view. The product privacy policy does not address AI training. Posture is unknown and should be confirmed directly with vendor.

    // Security controls

    Encryption at rest

    Implemented (confirmed control on trust center)

    trust.aquasec.com

    Encryption in transit

    Implemented (confirmed control on trust center)

    trust.aquasec.com

    Encryption key management

    Key management process established (confirmed control on trust center)

    trust.aquasec.com

    MFA

    Multi-Factor Authentication implemented (confirmed control on trust center)

    trust.aquasec.com

    RBAC

    Role-Based Access Control established (confirmed control on trust center)

    trust.aquasec.com

    Penetration testing

    Penetration Testing conducted (confirmed control on trust center)

    trust.aquasec.com

    Endpoint security

    EDR, disk encryption, malware protection, and endpoint management policies all confirmed (trust center)

    trust.aquasec.com

    Business Continuity / DR

    BCDR plans established and tested; incident response plan tested; data backup and restoration procedures tested

    trust.aquasec.com

    Vulnerability management

    Vulnerability scanning procedures established (confirmed control); SSDLC and change management enforced

    trust.aquasec.com

    Network security

    Network and firewall access restricted (confirmed control on trust center)

    trust.aquasec.com

    Vendor risk management

    Vendor Risk Management established; subprocessors listed publicly (Atlassian, Auth0, AWS, Datadog, Fivetran, Freshdesk)

    trust.aquasec.com

    Security awareness training

    Security Awareness Training implemented (confirmed control on trust center)

    trust.aquasec.com

    // Products & data scope

    Aqua CNAPP (Commercial)Cloud Native Application Protection Platform

    data: Cloud workload metadata, container images, runtime telemetry, code repositories, CI/CD pipeline events, vulnerability data; processing in US/EU/Australia via AWS

    Flagship commercial platform. Covers container security, CWPP, CSPM, Kubernetes security, code/supply chain security, and runtime protection. SOC 2 Type II and full ISO stack applies.

    Aqua U.S. GovFederal CNAPP (Government)

    data: Federal unclassified data; hosted exclusively on AWS GovCloud (US)

    FedRAMP High Impact authorized as of April 2025. Tailored for US federal, state, and local government. Sponsored for FedRAMP authorization by Department of Education.

    TrivyOpen Source Security Scanner

    data: Scans container images, filesystems, repos, IaC locally; no data sent to Aqua unless cloud mode used

    Open source; widely used by the community. No SaaS data processing in the basic CLI version. Cloud/commercial integrations may differ.

    TraceeOpen Source Runtime Threat Detection

    data: Runtime syscall and eBPF event data from customer environments; no cloud dependency in OSS mode

    Open source eBPF-based runtime security tool. No customer data sent to Aqua in standalone mode.

    // What to watch

    • CSA STAR is Level 1 (self-assessment / CAIQ) only — not a third-party audited Level 2 or Level 3 certification; verify current level in the CSA STAR registry before listing as a full cert badge
    • ISO 42001 (AI Management Systems) is confirmed on the compliance page but no dedicated press release was found on aquasec.com; cross-check the trust center's locked 'Reports and Documents' section to confirm audit letter exists
    • FedRAMP High authorization (April 2025) applies specifically to the 'Aqua U.S. Gov' product variant hosted on AWS GovCloud — the commercial CNAPP is NOT FedRAMP authorized; list this distinction clearly to avoid misleading enterprise buyers
    • HIPAA and PCI DSS appear in marketing copy as compliance frameworks Aqua helps customers meet, but Aqua holds no HIPAA certification or BAA of its own — potential over-claim risk if summarized as 'HIPAA compliant'
    • AI training data posture is not publicly documented; the 'AI Acceptable Use Policy' listed in the trust center is gated behind access request — recommend requesting it or confirming directly with the vendor before publishing

    // At a glance

    Pricing model

    Enterprise SaaS subscription (commercial CNAPP); open-source (Trivy, Tracee free); federal edition priced separately

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Aqua Security Software Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.aquasec.com

    > Browse all vendor trust reports