// Trust & Security Report

    Sysdig, Inc. logo

    Sysdig, Inc.

    Cloud-Native Application Protection Platform (CNAPP) with runtime security, vulnerability management, posture management, and cloud observability. Products: Sysdig Secure (threat detection, CNAPP), Sysdig Monitor (observability), Sysdig Platform (unified).

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    As part of Sysdig's SOC2 Type 2, and ISO 27001 and 27701 certifications, various policies and processes are in place to control Personal Data access, disclosure, modification and retention.

    Verify on sysdig.com
    ISO 27001
    HELD

    Sysdig processes and policies are reviewed on a regular basis in accordance with SOC2 Type 2, and ISO 27001 and 27701 certification requirements.

    Verify on sysdig.com
    ISO 27701
    HELD

    As part of Sysdig's SOC2 Type 2, and ISO 27001 and 27701 certifications, various policies and processes are in place to control Personal Data access, disclosure, modification and retention.

    Verify on sysdig.com
    GDPR
    HELD

    The parties agree to abide by the GDPR, UK DPA 2018, and Swiss DPA, and other applicable privacy laws, recognizing the Standard Contractual Clauses or similar principles.

    Verify on sysdig.com
    EU-U.S. Data Privacy Framework
    HELD

    Sysdig adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom.

    Verify on sysdig.com
    > Show 8 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA certification exists (HIPAA does not issue certifications); however, Sysdig supports HIPAA compliance for customers via HITRUST CSF framework and offers Business Associate Agreements (BAA). Sysdig Secure includes HIPAA compliance controls and audit support.

    source: sysdig.com
    HITRUST CSF
    NOT CONFIRMED

    Sysdig Secure supports the HITRUST Common Security Framework (CSF), which leverages nationally and internationally accepted security and privacy-related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, and GDPR. (This is a feature/support, not a vendor certification of Sysdig itself.)

    source: sysdig.com
    ISO 27017
    NOT CONFIRMED

    no public evidence

    ISO 27018
    NOT CONFIRMED

    no public evidence

    PCI DSS
    NOT CONFIRMED

    Sysdig Secure supports PCI DSS compliance checking for customers (not a vendor certification of Sysdig itself). Sysdig includes pre-built policies mapped to PCI DSS frameworks.

    source: sysdig.com
    FedRAMP
    NOT CONFIRMED

    no public evidence

    CSA STAR AI
    NOT CONFIRMED

    no public evidence

    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    no public evidence

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (Virginia, Oregon - US-East-1, US-West-1, US-West-2) and Europe (Frankfurt/Germany - EU-Central-1, EU-North-1, and EU-3 regions). Customers can select data residency during onboarding.

    Sysdig Sage (an AI-powered feature) is explicitly enabled through the Data Processing Addendum. Sysdig processes personal data 'for the purpose of maintaining or improving the quality of the Services and Sysdig Sage (including through the training or fine-tuning of AI models)' when enabled and aligned with customer agreement. When Sysdig acts as a data processor for customer data, they are restricted to processing data 'solely for the Business Purposes' outlined in the agreement. Customers warrant they have obtained 'all necessary consents, licenses and approvals' before submitting personal data. No opt-out explicitly stated in public documentation.

    // Security controls

    Encryption in transit

    TLS/SSL encryption for all data transmission. CloudFront and AWS services used for data transmission security.

    sysdig.com

    Encryption at rest

    Data stored in cloud environments encrypted at rest. Specific encryption standards not detailed in public documentation.

    sysdig.com

    Penetration testing

    Pen tests performed at least annually through authorized third parties as part of compliance audit requirements.

    sysdig.com

    Compliance audits

    Independent third-party audits performed at least annually. SOC 2 Type II audit conducted by Coalfire.

    sysdig.com

    Subprocessor management

    Vendor management process in place to review subprocessor compliance on ongoing basis. Subprocessor list published and updated.

    sysdig.com

    Personnel training

    Authorized Personnel required to complete confidentiality agreements and receive 'data privacy security and training appropriate to the nature of their processing'.

    sysdig.com

    Data retention policy

    Personal information retained 'for no longer than necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements.' Retention periods vary based on data sensitivity and legal obligations.

    sysdig.com

    // Products & data scope

    Sysdig SecureCloud-Native Application Protection Platform (CNAPP)

    data: Runtime data from containerized workloads, Kubernetes clusters, cloud accounts. Scans container images, monitors runtime activity, evaluates posture.

    Core product. Includes threat detection, vulnerability management, posture management (CSPM/KSPM), identity & entitlement management, compliance checks, forensics. Supports CIS, PCI-DSS, NIST, HIPAA, GDPR, SOC 2, ISO 27001 compliance frameworks.

    Sysdig MonitorCloud Observability & Monitoring

    data: Performance data, logs, metrics, traces from containerized and cloud-native environments.

    Provides process-level visibility, full-stack monitoring, cost optimization, alerting. Service-oriented performance management for Kubernetes and cloud-native apps.

    Sysdig PlatformUnified Security & Observability

    data: Combined runtime, security posture, and observability data.

    Unified integration of Sysdig Secure and Sysdig Monitor. Recently announced 'Headless Cloud Security' integration with Claude Code and AI-native workflows.

    Sysdig SageAI-powered Security Insights

    data: Customer usage data and security events (when enabled).

    Optional AI feature that provides analytics and insights. Uses customer data for training and fine-tuning AI models when enabled via agreement.

    // What to watch

    • AI training: Sysdig Sage feature explicitly trains on customer data when enabled; customers should verify opt-out capabilities via contract review.
    • HIPAA misleading in marketing: Sysdig does not hold HIPAA certification (none exist), but supports HIPAA compliance for customers. Distinguish vendor certification from customer compliance support.
    • ISO 27001/27701 status: DPA references these as current certifications under regular review, but no public audit report links or renewal dates disclosed. Recommend verifying directly with Sysdig.
    • FedRAMP, ISO 27017, ISO 27018 absent: Sysdig does not publicly disclose these certifications. Not a weakness (many enterprise SaaS vendors do not hold these), but relevant for federal/highly-regulated customers.

    // At a glance

    Pricing model

    SaaS subscription model. Pricing not publicly listed; requires demo/contact.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sysdig, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sysdig.com

    > Browse all vendor trust reports