// Trust & Security Report

    Temporal Technologies, Inc. logo

    Temporal Technologies, Inc.

    Durable execution / workflow orchestration platform used to build reliable applications and AI agents. Two distinct offerings: the open-source, self-hosted Temporal Server, and the managed Temporal Cloud SaaS.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Badges: SOC 2 Type II ... Certifications: SOC 2 Type 2, HIPAA (listed under Temporal Cloud offering)

    Verify on trust.temporal.io
    HIPAA
    HELD

    Badges: ... HIPAA ... Certifications: SOC 2 Type 2, HIPAA

    Verify on trust.temporal.io
    GDPR (compliance posture)
    HELD

    Badges: SOC 2 Type II, GDPR, HIPAA, CCPA; ...for individuals who are located in the European Economic Area, Switzerland, or the United Kingdom...our legal bases for processing your information under the applicable data protection laws will depend on the personal information at issue. We use European Commission-approved Standard Contractual Clauses and UK ICO-approved International Data Transfer Addendums

    Verify on trust.temporal.io
    CCPA
    HELD

    Badges: SOC 2 Type II, GDPR, HIPAA, CCPA

    Verify on trust.temporal.io
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: ISO 27001 does not appear on the Trust Center badge list (SOC 2 Type II, GDPR, HIPAA, CCPA only), on temporal.io/security, or in Temporal Cloud security docs.

    source: trust.temporal.io
    ISO 27017 / ISO 27018 / ISO 27701
    NOT CONFIRMED

    No public evidence: not referenced on the Trust Center, temporal.io/security, or docs.temporal.io/cloud/security.

    source: trust.temporal.io
    PCI DSS
    NOT CONFIRMED

    No public evidence: not referenced on the Trust Center or security documentation.

    source: trust.temporal.io
    FedRAMP
    NOT CONFIRMED

    No public evidence: not referenced on the Trust Center or security documentation.

    source: trust.temporal.io
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence: not referenced anywhere on the Trust Center or vendor security pages. Temporal is a workflow orchestration platform, not an AI model provider, so this cert would not be expected.

    source: trust.temporal.io
    CSA STAR
    NOT CONFIRMED

    No public evidence: not referenced on the Trust Center or security documentation.

    source: trust.temporal.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Namespace-level regional isolation on AWS/GCP/Azure; docs state 'Namespaces do not share data processing or data storage across regional boundaries' but do not enumerate the specific region list.

    Temporal is a durable-execution/workflow-orchestration engine, not a generative AI model provider. The Data Processing Agreement states Temporal 'does not use customer workflow data for any purpose other than delivery of service,' and no vendor page mentions using customer data to train AI/ML models. Temporal's homepage markets the platform as infrastructure for OTHER companies' AI agents (OpenAI, Cursor, Replit, Retool build agent workflows on top of Temporal) -- Temporal itself does not process or train on the content of those agents' conversations beyond running the workflow.

    // Security controls

    Encryption in transit

    TLS 1.3 for all connections to Temporal Cloud, regardless of authentication method

    docs.temporal.io

    Encryption at rest

    AES-256-GCM across Elasticsearch and the core persistence layer

    docs.temporal.io

    Client-side / end-to-end encryption

    Optional Data Converter encrypts payloads before they leave the customer's environment; optional Codec Server allows secure Web UI decryption without sharing keys with Temporal

    temporal.io

    Network isolation

    Workers poll Temporal Cloud outbound only (no inbound connections into customer VPCs); AWS PrivateLink and GCP Private Service Connect supported

    docs.temporal.io

    Tenant isolation

    Namespace is the isolation boundary; per-Namespace mTLS or API key auth, plus separate Actions-Per-Second / Operations-Per-Second rate limits to prevent noisy-neighbor issues

    docs.temporal.io

    Third-party audits

    Annual third-party audit(s) and annual third-party penetration testing, per Trust Center quick-summary

    trust.temporal.io

    Vulnerability disclosure

    Has a bug bounty / vulnerability disclosure program; Temporal Technologies is a CVE Numbering Authority (CNA) and publishes CVEs for the open-source server

    trust.temporal.io

    Access management

    Centralized IAM/SSO used to manage employee access, per Trust Center quick-summary

    trust.temporal.io

    Subprocessors

    Published subprocessor list (7 entries): Auth0, AWS, Elastic, Google Cloud, IBM, Microsoft Azure, WorkOS

    trust.temporal.io

    Status page

    Public status page at status.temporal.io

    trust.temporal.io

    // Products & data scope

    Temporal Server (open source)Self-hosted workflow/durable-execution engine

    data: All workflow state and data remain entirely within the customer's own infrastructure; Temporal Technologies has no access.

    Free and open source (MIT-licensed core); no vendor certifications apply because the customer operates and secures the deployment themselves.

    Temporal CloudManaged SaaS workflow/durable-execution platform

    data: Typical data access per Trust Center: username, email address, and business workflow state (event histories); payloads can be end-to-end encrypted client-side via the Data Converter so Temporal never sees plaintext.

    Holds SOC 2 Type II and HIPAA per the Trust Center; GDPR/CCPA compliance posture backed by a DPA and Standard Contractual Clauses. Namespace-level regional isolation across AWS/GCP/Azure.

    // What to watch

    • No ISO 27001 (or ISO 27017/27018/27701) certification found anywhere on the vendor's own domain -- graded held=false, not an oversight.
    • CCPA is listed as a Trust Center 'badge' alongside SOC 2/GDPR/HIPAA; it is a legal compliance posture rather than a third-party-audited certification, but is included here because the vendor itself presents it at the same tier.
    • Self-hosted Temporal Server and managed Temporal Cloud have materially different security postures -- certifications (SOC 2, HIPAA) apply only to Temporal Cloud, not to self-hosted deployments. Listing should make this product-level distinction explicit rather than applying certs directory-wide.
    • Data residency region list is not fully enumerated by the vendor in public docs (only isolation guarantees are documented).

    // At a glance

    Pricing model

    Temporal Cloud: usage-based (Actions Per Second and storage/retention); Temporal Server: free, open source, self-hosted (customer bears infrastructure cost).

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Temporal Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.temporal.io

    > Browse all vendor trust reports