Cloudflare's SOC 2 Type II report covers security, confidentiality, and availability controls to protect customer data and is available to download from the Cloudflare dashboard.
SOC stands for the Service Organization Controls created by the American Institute of Certified Public Accounts ("AICPA"). SOC 2 Type II is a security compliance attestation; a report created by independent, third-party auditors that validate and document Cloudflare's commitment to security.
External auditors conduct a rigorous review of a service organization's controls, evaluating whether there are effectively designed and implemented controls—or safeguards—in place to protect the security, confidentiality, and availability of information stored and processed in that technical environment.
A SOC 2 Type I is a report of the organization's readiness to meet SOC 2 Type II controls and is a point in time audit and does not provide a review of the controls over time.
SOC 2 Type II is a broadly accepted standard.
SOC 2 Type II is conducted by an independent and qualified third party auditor.
The annual report illustrates our commitment to consistency and demonstrates the controls Cloudflare has in place to keep its infrastructure secure and available.
Yes, Cloudflare has undertaken the AICPA SOC 2 Type II to attest to Security, Confidentiality, and Availability controls in place in accordance with the AICPA Trust Service Criteria. Cloudflare obtained the initial SOC 2 Type II validation in 2019, and we include the report as part of our compliance package for current and potential customers under a nondisclosure agreement ("NDA").
The report provides reasonable assurance to our customers that Cloudflare’s service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, and confidentiality.
Cloudflare issues a SOC 2 Type II once a year. Customers can expect an updated report approximately three months after the completion of the audit.
Part of Cloudflare’s approach to SOC 2 compliance involves transparency about which user controls remain among our customers’ prescribed responsibilities. Cloudflare’s SOC 2 report contains a section that describes the user entity controls.
Your account executive or a member of the sales team can help you get a bridge letter. Bridge letters are created quarterly by Cloudflare. Bridge letters cannot be created for a future period.
All Cloudflare plans are now in-scope for Cloudflare’s SOC 2 report. Cloudflare is audited against the SOC 2 standard of examination for Security, Confidentiality, and Availability across our entire organization.
Application Security:
API Shield, Bot Management, DDoS Protection, Page Shield, Rate Limiting, SSL/TLS, Turnstile, WAF
Application Performance:
Argo Smart Routing, Cache/CDN, DNS, Load Balancing, Speed, Waiting Room, Zaraz
Secure Access Service Edge (SASE):
Cloudflare One
Zero Trust Services:
Access, Area 1 Email Security, Browser Isolation, Cloudflare Tunnel, Cloudflare Zero Trust, Gateway, Zero Trust WARP Client
Network Services:
Magic WAN, Magic Transit, Magic Firewall, Network Interconnect, Spectrum
Developer Platform:
Cloudflare Image Optimization, Cloudflare for SaaS, Durable Objects, Pages, R2, Stream, Workers, Workers KV
Analytics and Insights:
Analytics, Cloudflare Web Analytics, Logs, Radar, Security Center
Privacy and Compliance:
Data Localization
Cloudflare continuously introduces new features/functions across our platform throughout the year. We introduce those to our SOC 2 scope depending on the annual audit cycle.
Your account executive or a member of the sales team can help you get a copy. Super Administrators can access common compliance documentation through the Cloudflare dashboard. Cloudflare requires all future and current customers to sign a nondisclosure agreement ("NDA") before our report is provided.
At this time Cloudflare only undergoes the SOC 2 Type II audit. Many customers want assurance that the sensitive information they send to Cloudflare can be kept safe. One of the best ways to provide this assurance is a SOC 2 Type II report.
Cloudflare does not undergo SOC 3 or SOC 1 audits. The SOC 3 report is the public version of the SOC 2 Type II report. The SOC 1 report is best for organizations who may have an impact on a customer’s financial reporting or handle financial data.
Visit Cloudflare’s Trust Hub to learn about additional compliance resources.
Learn more about how Cloudflare’s connectivity cloud capabilities help enterprises streamline and map to compliance requirements across multiple standards by visiting our data compliance and protection page.
Aligning to NIS2 cyber security risk management obligations in the EU with Cloudflare
How Cloudflare helps address locality obligations, data protection in Europe
