// Trust & Security Report
Sysdig, Inc.
Cloud-Native Application Protection Platform (CNAPP) with runtime security, vulnerability management, posture management, and cloud observability. Products: Sysdig Secure (threat detection, CNAPP), Sysdig Monitor (observability), Sysdig Platform (unified).
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sysdig.com“As part of Sysdig's SOC2 Type 2, and ISO 27001 and 27701 certifications, various policies and processes are in place to control Personal Data access, disclosure, modification and retention.”
Verify on sysdig.com“Sysdig processes and policies are reviewed on a regular basis in accordance with SOC2 Type 2, and ISO 27001 and 27701 certification requirements.”
Verify on sysdig.com“As part of Sysdig's SOC2 Type 2, and ISO 27001 and 27701 certifications, various policies and processes are in place to control Personal Data access, disclosure, modification and retention.”
Verify on sysdig.com“The parties agree to abide by the GDPR, UK DPA 2018, and Swiss DPA, and other applicable privacy laws, recognizing the Standard Contractual Clauses or similar principles.”
Verify on sysdig.com“Sysdig adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union and the United Kingdom.”
> Show 8 unconfirmed / not-held certifications
source: sysdig.comNo HIPAA certification exists (HIPAA does not issue certifications); however, Sysdig supports HIPAA compliance for customers via HITRUST CSF framework and offers Business Associate Agreements (BAA). Sysdig Secure includes HIPAA compliance controls and audit support.
source: sysdig.comSysdig Secure supports the HITRUST Common Security Framework (CSF), which leverages nationally and internationally accepted security and privacy-related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, and GDPR. (This is a feature/support, not a vendor certification of Sysdig itself.)
no public evidence
no public evidence
source: sysdig.comSysdig Secure supports PCI DSS compliance checking for customers (not a vendor certification of Sysdig itself). Sysdig includes pre-built policies mapped to PCI DSS frameworks.
no public evidence
no public evidence
no public evidence
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (Virginia, Oregon - US-East-1, US-West-1, US-West-2) and Europe (Frankfurt/Germany - EU-Central-1, EU-North-1, and EU-3 regions). Customers can select data residency during onboarding.
Sysdig Sage (an AI-powered feature) is explicitly enabled through the Data Processing Addendum. Sysdig processes personal data 'for the purpose of maintaining or improving the quality of the Services and Sysdig Sage (including through the training or fine-tuning of AI models)' when enabled and aligned with customer agreement. When Sysdig acts as a data processor for customer data, they are restricted to processing data 'solely for the Business Purposes' outlined in the agreement. Customers warrant they have obtained 'all necessary consents, licenses and approvals' before submitting personal data. No opt-out explicitly stated in public documentation.
// Security controls
Encryption in transit
TLS/SSL encryption for all data transmission. CloudFront and AWS services used for data transmission security.
sysdig.comEncryption at rest
Data stored in cloud environments encrypted at rest. Specific encryption standards not detailed in public documentation.
sysdig.comPenetration testing
Pen tests performed at least annually through authorized third parties as part of compliance audit requirements.
sysdig.comCompliance audits
Independent third-party audits performed at least annually. SOC 2 Type II audit conducted by Coalfire.
sysdig.comSubprocessor management
Vendor management process in place to review subprocessor compliance on ongoing basis. Subprocessor list published and updated.
sysdig.comPersonnel training
Authorized Personnel required to complete confidentiality agreements and receive 'data privacy security and training appropriate to the nature of their processing'.
sysdig.comData retention policy
Personal information retained 'for no longer than necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements.' Retention periods vary based on data sensitivity and legal obligations.
sysdig.com// Products & data scope
data: Runtime data from containerized workloads, Kubernetes clusters, cloud accounts. Scans container images, monitors runtime activity, evaluates posture.
Core product. Includes threat detection, vulnerability management, posture management (CSPM/KSPM), identity & entitlement management, compliance checks, forensics. Supports CIS, PCI-DSS, NIST, HIPAA, GDPR, SOC 2, ISO 27001 compliance frameworks.
data: Performance data, logs, metrics, traces from containerized and cloud-native environments.
Provides process-level visibility, full-stack monitoring, cost optimization, alerting. Service-oriented performance management for Kubernetes and cloud-native apps.
data: Combined runtime, security posture, and observability data.
Unified integration of Sysdig Secure and Sysdig Monitor. Recently announced 'Headless Cloud Security' integration with Claude Code and AI-native workflows.
data: Customer usage data and security events (when enabled).
Optional AI feature that provides analytics and insights. Uses customer data for training and fine-tuning AI models when enabled via agreement.
// What to watch
- AI training: Sysdig Sage feature explicitly trains on customer data when enabled; customers should verify opt-out capabilities via contract review.
- HIPAA misleading in marketing: Sysdig does not hold HIPAA certification (none exist), but supports HIPAA compliance for customers. Distinguish vendor certification from customer compliance support.
- ISO 27001/27701 status: DPA references these as current certifications under regular review, but no public audit report links or renewal dates disclosed. Recommend verifying directly with Sysdig.
- FedRAMP, ISO 27017, ISO 27018 absent: Sysdig does not publicly disclose these certifications. Not a weakness (many enterprise SaaS vendors do not hold these), but relevant for federal/highly-regulated customers.
// At a glance
Pricing model
SaaS subscription model. Pricing not publicly listed; requires demo/contact.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sysdig, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
sysdig.com