// Trust & Security Report
Temporal Technologies, Inc.
Durable execution / workflow orchestration platform used to build reliable applications and AI agents. Two distinct offerings: the open-source, self-hosted Temporal Server, and the managed Temporal Cloud SaaS.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.temporal.io“Badges: SOC 2 Type II ... Certifications: SOC 2 Type 2, HIPAA (listed under Temporal Cloud offering)”
Verify on trust.temporal.io“Badges: SOC 2 Type II, GDPR, HIPAA, CCPA; ...for individuals who are located in the European Economic Area, Switzerland, or the United Kingdom...our legal bases for processing your information under the applicable data protection laws will depend on the personal information at issue. We use European Commission-approved Standard Contractual Clauses and UK ICO-approved International Data Transfer Addendums”
> Show 6 unconfirmed / not-held certifications
source: trust.temporal.ioNo public evidence: ISO 27001 does not appear on the Trust Center badge list (SOC 2 Type II, GDPR, HIPAA, CCPA only), on temporal.io/security, or in Temporal Cloud security docs.
source: trust.temporal.ioNo public evidence: not referenced on the Trust Center, temporal.io/security, or docs.temporal.io/cloud/security.
source: trust.temporal.ioNo public evidence: not referenced on the Trust Center or security documentation.
source: trust.temporal.ioNo public evidence: not referenced on the Trust Center or security documentation.
source: trust.temporal.ioNo public evidence: not referenced anywhere on the Trust Center or vendor security pages. Temporal is a workflow orchestration platform, not an AI model provider, so this cert would not be expected.
source: trust.temporal.ioNo public evidence: not referenced on the Trust Center or security documentation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Namespace-level regional isolation on AWS/GCP/Azure; docs state 'Namespaces do not share data processing or data storage across regional boundaries' but do not enumerate the specific region list.
Temporal is a durable-execution/workflow-orchestration engine, not a generative AI model provider. The Data Processing Agreement states Temporal 'does not use customer workflow data for any purpose other than delivery of service,' and no vendor page mentions using customer data to train AI/ML models. Temporal's homepage markets the platform as infrastructure for OTHER companies' AI agents (OpenAI, Cursor, Replit, Retool build agent workflows on top of Temporal) -- Temporal itself does not process or train on the content of those agents' conversations beyond running the workflow.
// Security controls
Encryption in transit
TLS 1.3 for all connections to Temporal Cloud, regardless of authentication method
docs.temporal.ioClient-side / end-to-end encryption
Optional Data Converter encrypts payloads before they leave the customer's environment; optional Codec Server allows secure Web UI decryption without sharing keys with Temporal
temporal.ioNetwork isolation
Workers poll Temporal Cloud outbound only (no inbound connections into customer VPCs); AWS PrivateLink and GCP Private Service Connect supported
docs.temporal.ioTenant isolation
Namespace is the isolation boundary; per-Namespace mTLS or API key auth, plus separate Actions-Per-Second / Operations-Per-Second rate limits to prevent noisy-neighbor issues
docs.temporal.ioThird-party audits
Annual third-party audit(s) and annual third-party penetration testing, per Trust Center quick-summary
trust.temporal.ioVulnerability disclosure
Has a bug bounty / vulnerability disclosure program; Temporal Technologies is a CVE Numbering Authority (CNA) and publishes CVEs for the open-source server
trust.temporal.ioAccess management
Centralized IAM/SSO used to manage employee access, per Trust Center quick-summary
trust.temporal.ioSubprocessors
Published subprocessor list (7 entries): Auth0, AWS, Elastic, Google Cloud, IBM, Microsoft Azure, WorkOS
trust.temporal.io// Products & data scope
data: All workflow state and data remain entirely within the customer's own infrastructure; Temporal Technologies has no access.
Free and open source (MIT-licensed core); no vendor certifications apply because the customer operates and secures the deployment themselves.
data: Typical data access per Trust Center: username, email address, and business workflow state (event histories); payloads can be end-to-end encrypted client-side via the Data Converter so Temporal never sees plaintext.
Holds SOC 2 Type II and HIPAA per the Trust Center; GDPR/CCPA compliance posture backed by a DPA and Standard Contractual Clauses. Namespace-level regional isolation across AWS/GCP/Azure.
// What to watch
- No ISO 27001 (or ISO 27017/27018/27701) certification found anywhere on the vendor's own domain -- graded held=false, not an oversight.
- CCPA is listed as a Trust Center 'badge' alongside SOC 2/GDPR/HIPAA; it is a legal compliance posture rather than a third-party-audited certification, but is included here because the vendor itself presents it at the same tier.
- Self-hosted Temporal Server and managed Temporal Cloud have materially different security postures -- certifications (SOC 2, HIPAA) apply only to Temporal Cloud, not to self-hosted deployments. Listing should make this product-level distinction explicit rather than applying certs directory-wide.
- Data residency region list is not fully enumerated by the vendor in public docs (only isolation guarantees are documented).
// At a glance
Pricing model
Temporal Cloud: usage-based (Actions Per Second and storage/retention); Temporal Server: free, open source, self-hosted (customer bears infrastructure cost).
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Temporal Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.temporal.io