// Trust & Security Report
Aqua Security Software Ltd.
Cloud Native Application Protection Platform (CNAPP): Container Security, Software Supply Chain Security, Cloud Workload Protection (CWPP), Kubernetes Security, CSPM, Code Security, Runtime Security, Vulnerability Management; open-source tools Trivy and Tracee; Aqua U.S. Gov (FedRAMP-authorized federal edition)
Certifications held
10
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on aquasec.com“SOC 2 Type II [listed under Compliance on trust center]; 'Aqua Security undergoes SOC 2 audit on the annual basis' examining Security, Availability, Processing Integrity, Confidentiality, and Privacy”
Verify on trust.aquasec.com“ISO 27001:2022 [listed on trust center]; 'ISO/IEC 27001:2022 standard' certified — renewed December 2024 across all worldwide locations”
Verify on aquasec.com“ISO 27017:2015 [listed on trust center]; 'ISO/IEC 27017:2015 (Cloud service security) certified' — achieved December 2024”
Verify on aquasec.com“ISO27018:2019 [listed on trust center]; 'ISO/IEC 27018:2019 (Privacy protection in the cloud) certified' — achieved December 2024”
Verify on aquasec.com“ISO 27701:2019 [listed on trust center]; 'ISO/IEC 27701:2019 certified' — extends ISO 27001 framework to cover PII processing controls”
Verify on aquasec.com“'ISO/IEC 42001 certified' for Artificial Intelligence Management Systems — listed on Aqua's compliance page; AI Acceptable Use Policy also published in trust center”
Verify on trust.aquasec.com“CSA Star [listed on trust center]; 'CSA STAR Level 1 — Security, Trust & Assurance Registry Self-Assessment' with public CAIQ documentation — NOTE: Level 1 is a self-assessment, not a third-party audit (Level 2/3)”
Verify on aquasec.com“'Aqua Security Achieves FedRAMP High Impact Authorization' announced April 8, 2025; product Aqua U.S. Gov CNAPP hosted on AWS GovCloud, sponsored by Department of Education; meets over 400 security controls — applies to the federal product variant, not the commercial CNAPP”
Verify on trust.aquasec.com“NIST 800-53 Low Baseline [listed under Compliance on trust center]; consistent with FedRAMP High authorization which requires meeting NIST 800-53 controls”
Verify on aquasec.com“GDPR listed as a compliance framework on trust center; supported through ISO 27701 and ISO 27018 certifications; product privacy policy references a Data Processing Addendum for customer data”
> Show 2 unconfirmed / not-held certifications
source: aquasec.comNo HIPAA certification or Business Associate Agreement (BAA) found in public documentation. HIPAA is referenced only as a compliance control target that Aqua helps customers achieve ('Controls for PCI, HIPAA, GDPR, and beyond') — not as Aqua's own certification
source: aquasec.comNo PCI DSS certification found for Aqua Security itself. PCI is referenced as a compliance framework Aqua helps customers achieve ('Controls for PCI, HIPAA, GDPR, and beyond') — not as Aqua's own cert
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US, Europe (EU), and Israel; for EEA/UK/Switzerland data, transfers only to countries approved by the European Commission, Swiss Federal Council, and UK ICO
No explicit public policy on AI training on customer data found. An 'AI Acceptable Use Policy' is listed in the trust center but requires access to view. The product privacy policy does not address AI training. Posture is unknown and should be confirmed directly with vendor.
// Security controls
Encryption key management
Key management process established (confirmed control on trust center)
trust.aquasec.comPenetration testing
Penetration Testing conducted (confirmed control on trust center)
trust.aquasec.comEndpoint security
EDR, disk encryption, malware protection, and endpoint management policies all confirmed (trust center)
trust.aquasec.comBusiness Continuity / DR
BCDR plans established and tested; incident response plan tested; data backup and restoration procedures tested
trust.aquasec.comVulnerability management
Vulnerability scanning procedures established (confirmed control); SSDLC and change management enforced
trust.aquasec.comNetwork security
Network and firewall access restricted (confirmed control on trust center)
trust.aquasec.comVendor risk management
Vendor Risk Management established; subprocessors listed publicly (Atlassian, Auth0, AWS, Datadog, Fivetran, Freshdesk)
trust.aquasec.comSecurity awareness training
Security Awareness Training implemented (confirmed control on trust center)
trust.aquasec.com// Products & data scope
data: Cloud workload metadata, container images, runtime telemetry, code repositories, CI/CD pipeline events, vulnerability data; processing in US/EU/Australia via AWS
Flagship commercial platform. Covers container security, CWPP, CSPM, Kubernetes security, code/supply chain security, and runtime protection. SOC 2 Type II and full ISO stack applies.
data: Federal unclassified data; hosted exclusively on AWS GovCloud (US)
FedRAMP High Impact authorized as of April 2025. Tailored for US federal, state, and local government. Sponsored for FedRAMP authorization by Department of Education.
data: Scans container images, filesystems, repos, IaC locally; no data sent to Aqua unless cloud mode used
Open source; widely used by the community. No SaaS data processing in the basic CLI version. Cloud/commercial integrations may differ.
data: Runtime syscall and eBPF event data from customer environments; no cloud dependency in OSS mode
Open source eBPF-based runtime security tool. No customer data sent to Aqua in standalone mode.
// What to watch
- CSA STAR is Level 1 (self-assessment / CAIQ) only — not a third-party audited Level 2 or Level 3 certification; verify current level in the CSA STAR registry before listing as a full cert badge
- ISO 42001 (AI Management Systems) is confirmed on the compliance page but no dedicated press release was found on aquasec.com; cross-check the trust center's locked 'Reports and Documents' section to confirm audit letter exists
- FedRAMP High authorization (April 2025) applies specifically to the 'Aqua U.S. Gov' product variant hosted on AWS GovCloud — the commercial CNAPP is NOT FedRAMP authorized; list this distinction clearly to avoid misleading enterprise buyers
- HIPAA and PCI DSS appear in marketing copy as compliance frameworks Aqua helps customers meet, but Aqua holds no HIPAA certification or BAA of its own — potential over-claim risk if summarized as 'HIPAA compliant'
- AI training data posture is not publicly documented; the 'AI Acceptable Use Policy' listed in the trust center is gated behind access request — recommend requesting it or confirming directly with the vendor before publishing
// At a glance
Pricing model
Enterprise SaaS subscription (commercial CNAPP); open-source (Trivy, Tracee free); federal edition priced separately
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Aqua Security Software Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.aquasec.com