// Trust & Security Report

    Checkmarx Ltd. logo

    Checkmarx Ltd.

    Checkmarx One - unified AI-powered application security platform integrating SAST, SCA, DAST, secrets detection, IaC scanning, container security, API security, and runtime security with agentic AI assistance.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    We're certified to the latest and most recognized global standard for information security

    Verify on checkmarx.com
    SOC 2 Type II
    HELD

    Checkmarx undergoes an independent SOC 2 Type II audit annually

    Verify on checkmarx.com
    FedRAMP (Moderate Level, Government variant)
    HELD

    Checkmarx One for Government (CXG) achieved FedRAMP Certification on 6/12/2026 at Class C (Moderate) level. In September 2025, achieved FedRAMP Ready at the High Impact Level.

    Verify on checkmarx.com
    GDPR Compliance
    HELD

    Our privacy program aligns with the stringent requirements of GDPR

    Verify on checkmarx.com
    NIST Secure Software Development Framework (SSDF)
    HELD

    We align with the NIST Secure Software Development Framework (SSDF) to integrate security at every stage

    Verify on checkmarx.com
    ACN Level 2 (Italy - Agenzia per la Cybersicurezza Nazionale)
    HELD

    Checkmarx One achieves ACN Level 2 certification from Italy's National Cybersecurity Agency, confirming adherence to highest standards for cybersecurity, governance, and risk management

    Verify on checkmarx.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification. Checkmarx offers HIPAA compliance mapping and presets to help customers achieve HIPAA compliance, but does not hold HIPAA certification for its own product.

    source: checkmarx.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification. Checkmarx offers PCI DSS compliance mapping and presets to help customers achieve PCI DSS compliance, but does not hold PCI DSS certification for its own product.

    source: checkmarx.com
    ISO/IEC 27017 (Cloud information security)
    NOT CONFIRMED

    No public evidence

    source: checkmarx.com
    ISO/IEC 27018 (Personal data protection in cloud)
    NOT CONFIRMED

    No public evidence

    source: checkmarx.com
    ISO/IEC 27701 (Privacy information management)
    NOT CONFIRMED

    No public evidence

    source: checkmarx.com
    ISO/IEC 42001 (AI governance and risk management)
    NOT CONFIRMED

    No public evidence

    source: checkmarx.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region SaaS with instances in North America, EU, Australia, India, and Singapore. Daily backups retain for 7 days, stored in different AWS regions per customer request.

    Checkmarx explicitly does NOT train AI models on customer code or proprietary data. Source code, secrets, and application data never leave the IDE. Only limited metadata (package name, version, manager, vulnerability IDs) is transmitted for enrichment. Customer code remains protected.

    // Security controls

    Encryption in transit

    TLS 1.2 with pre-signed, time-limited URLs for data uploads

    checkmarx.com

    Encryption at rest

    All customer data encrypted at rest in AWS S3 storage

    checkmarx.com

    Data backups

    Daily backups of all customer data, retained for 7 days, stored in secure locations and separate AWS regions

    checkmarx.com

    Access control

    Dedicated and encrypted S3 storage paths, accessible only to customer and authorized authenticated users

    checkmarx.com

    Audit logging

    All actions in AWS environment logged via CloudTrail, encrypted and stored centrally for audit and compliance purposes

    checkmarx.com

    // Products & data scope

    Checkmarx OneApplication Security Platform (ASPM)

    data: Source code, dependencies, containers, runtime behavior, AI components, secrets, IaC configurations, APIs

    Unified platform integrating SAST, SCA, DAST, secrets detection, IaC, container, API security, runtime security, and agentic AI assistance. Multi-tenant SaaS with dedicated customer data storage. Standard version targets commercial markets; Checkmarx One for Government (CXG) variant available with FedRAMP Moderate certification.

    // What to watch

    • FEDRAMP SCOPE NUANCE: Homepage claims 'FedRAMP Authorized' but FedRAMP certification (Moderate level) applies only to Checkmarx One for Government (CXG) product, not the standard Checkmarx One platform. This is technically accurate but could mislead buyers of the standard product.
    • PRODUCT DIFFERENCE: Government variant (CXG) has separate FedRAMP authorization path vs. standard Checkmarx One. Ensure listing clarifies which product holds which certification.
    • COMPLIANCE TOOLING VS. CERTIFICATION: Checkmarx offers HIPAA and PCI DSS compliance presets and mapping, but does NOT hold HIPAA or PCI DSS certifications itself. Marketing materials that mention 'HIPAA compliance' may conflate product features with vendor certifications.

    // At a glance

    Pricing model

    SaaS subscription with usage-based or per-instance pricing; private hosting options available

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Checkmarx Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    checkmarx.com

    > Browse all vendor trust reports