// Trust & Security Report
Checkmarx Ltd.
Checkmarx One - unified AI-powered application security platform integrating SAST, SCA, DAST, secrets detection, IaC scanning, container security, API security, and runtime security with agentic AI assistance.
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on checkmarx.com“We're certified to the latest and most recognized global standard for information security”
Verify on checkmarx.com“Checkmarx undergoes an independent SOC 2 Type II audit annually”
Verify on checkmarx.com“Checkmarx One for Government (CXG) achieved FedRAMP Certification on 6/12/2026 at Class C (Moderate) level. In September 2025, achieved FedRAMP Ready at the High Impact Level.”
Verify on checkmarx.com“Our privacy program aligns with the stringent requirements of GDPR”
Verify on checkmarx.com“We align with the NIST Secure Software Development Framework (SSDF) to integrate security at every stage”
Verify on checkmarx.com“Checkmarx One achieves ACN Level 2 certification from Italy's National Cybersecurity Agency, confirming adherence to highest standards for cybersecurity, governance, and risk management”
> Show 6 unconfirmed / not-held certifications
source: checkmarx.comNo public evidence of HIPAA certification. Checkmarx offers HIPAA compliance mapping and presets to help customers achieve HIPAA compliance, but does not hold HIPAA certification for its own product.
source: checkmarx.comNo public evidence of PCI DSS certification. Checkmarx offers PCI DSS compliance mapping and presets to help customers achieve PCI DSS compliance, but does not hold PCI DSS certification for its own product.
source: checkmarx.comNo public evidence
source: checkmarx.comNo public evidence
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region SaaS with instances in North America, EU, Australia, India, and Singapore. Daily backups retain for 7 days, stored in different AWS regions per customer request.
Checkmarx explicitly does NOT train AI models on customer code or proprietary data. Source code, secrets, and application data never leave the IDE. Only limited metadata (package name, version, manager, vulnerability IDs) is transmitted for enrichment. Customer code remains protected.
// Security controls
Data backups
Daily backups of all customer data, retained for 7 days, stored in secure locations and separate AWS regions
checkmarx.comAccess control
Dedicated and encrypted S3 storage paths, accessible only to customer and authorized authenticated users
checkmarx.comAudit logging
All actions in AWS environment logged via CloudTrail, encrypted and stored centrally for audit and compliance purposes
checkmarx.com// Products & data scope
data: Source code, dependencies, containers, runtime behavior, AI components, secrets, IaC configurations, APIs
Unified platform integrating SAST, SCA, DAST, secrets detection, IaC, container, API security, runtime security, and agentic AI assistance. Multi-tenant SaaS with dedicated customer data storage. Standard version targets commercial markets; Checkmarx One for Government (CXG) variant available with FedRAMP Moderate certification.
// What to watch
- FEDRAMP SCOPE NUANCE: Homepage claims 'FedRAMP Authorized' but FedRAMP certification (Moderate level) applies only to Checkmarx One for Government (CXG) product, not the standard Checkmarx One platform. This is technically accurate but could mislead buyers of the standard product.
- PRODUCT DIFFERENCE: Government variant (CXG) has separate FedRAMP authorization path vs. standard Checkmarx One. Ensure listing clarifies which product holds which certification.
- COMPLIANCE TOOLING VS. CERTIFICATION: Checkmarx offers HIPAA and PCI DSS compliance presets and mapping, but does NOT hold HIPAA or PCI DSS certifications itself. Marketing materials that mention 'HIPAA compliance' may conflate product features with vendor certifications.
// At a glance
Pricing model
SaaS subscription with usage-based or per-instance pricing; private hosting options available
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Checkmarx Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
checkmarx.com