F5 Products and Services are SOC 2 Compliant
A Service Organization Control or SOC 2 report is a report that focuses on the American Institute of Certified Public Accountants (AICPA) trust principles. It generally examines a service provider’s internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. These reports can play an important role in providing oversight of an organization, vendor management programs, and regulatory oversight. A Type I report evaluates the design and suitability of an organization's controls at a specific point in time whereas a Type II report assesses both the suitability of an organization's controls and its operating effectiveness over a period of time.
At F5, the SOC 2 report helps meet the needs of our customers who need detailed information and assurance about the controls at F5. It offers evidence to our customers that we are implementing the security controls that we say we do and that those controls are working as intended. Without eyes and ears across the cloud, it is difficult to assess how secure the information is in the hands of third-party vendors and a SOC 2 report offers this peace of mind.
Of the five trust principles that an organization can choose to follow, F5's products and services (including F5 Distributed Cloud, Bot Defense, and NGINX) are certified for the security, availability, and confidentiality of the information processed by our systems.
Each trust principle lists control objectives which the organization decides how it wants to meet these control objectives. SOC 2 trust principles are modeled around:
Applicable Products: F5 Distributed Cloud, Bot Defense, Silverline, AI Guardrails and AI Red Team are SOC2 Type II compliant. NGINXaaS for Azure (N4A) is SOC2 Type I compliant and will have a Type II in early-mid 2026.
F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy. The technical and organizational controls that protect personal data collected by F5 are listed in the specific service contracts (for example, the Service-Specific Terms applicable to services provided under our End User Services Agreement) and in F5's SOC2 Type II report. F5 Global Support is ISO 27001 certified and F5 Distributed Cloud Services are ISO 27001 certified with an extension of ISO 27017 and ISO 27018. F5 is also PCI-DSS Compliant as a Level 1 Service Provider for the F5 Distributed Cloud Services. Additional security certifications apply to specific F5 services and F5 hardware. Find more detailed information about data security practices at https://www.f5.com/company/policies/privacy-notice.
