GitHub
Certifications & attestations
| Certification | Status | Source | Last verified |
|---|---|---|---|
| SOC 1 Type II Report available to enterprise owners via GitHub enterprise settings (Compliance tab). | Verified | vendor source ↗ | June 10, 2026 |
| SOC 2 Type II Report available to enterprise owners via GitHub enterprise settings (Compliance tab). | Verified | vendor source ↗ | June 10, 2026 |
| ISO 27001 ISO/IEC 27001:2022 certification. | Verified | vendor source ↗ | June 10, 2026 |
| CSA STAR Level 2 CSA STAR certification (Level 2) plus CAIQ self-assessment (Level 1). | Verified | vendor source ↗ | June 10, 2026 |
| PCI DSS PCI DSS Attestation of Compliance available as a compliance report. | Verified | vendor source ↗ | June 10, 2026 |
→ Direct answer: Does GitHub have SOC 2?
Subprocessors
Subprocessor extraction for GitHub is pending.
Hosting & data residency
- Infrastructurenot yet recorded
- Data residencyGitHub Enterprise Cloud with data residency (GHE.com) offers regional data storage.
Trust documents & links
- Trust centerhttps://github.com/trust-center
- Security pagehttps://github.com/security
- DPAhttps://docs.github.com/en/site-policy/privacy-policies/github-data-protection-agreement-non-enterprise-customers
- Status pagehttps://www.githubstatus.com
Security incidents & disclosures
No incidents on record in the public sources we track, as of June 10, 2026. Absence of a record is not a guarantee — see methodology.
Change history
2026-06-10
Vendor added with a verified initial snapshot: SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2022, CSA STAR Level 2, and a PCI DSS Attestation of Compliance confirmed against GitHub's published compliance-reports documentation (docs.github.com, fetched 2026-06-10). The main GitHub Trust Center delegates product detail to two Vanta-hosted trust portals (copilot.github.trust.page, ghec.github.trust.page) which are JS-rendered — deeper extraction pending.