F5 Products and Services are SOC 2 Compliant
A Service Organization Control or SOC 2 report is a report that focuses on the American Institute of Certified Public Accountants (AICPA) trust principles. It generally examines a service provider’s internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. These reports can play an important role in providing oversight of an organization, vendor management programs, and regulatory oversight. A Type I report evaluates the design and suitability of an organization's controls at a specific point in time whereas a Type II report assesses both the suitability of an organization's controls and its operating effectiveness over a period of time.
At F5, the SOC 2 report helps meet the needs of our customers who need detailed information and assurance about the controls at F5. It offers evidence to our customers that we are implementing the security controls that we say we do and that those controls are working as intended. Without eyes and ears across the cloud, it is difficult to assess how secure the information is in the hands of third-party vendors and a SOC 2 report offers this peace of mind.
Of the five trust principles that an organization can choose to follow, F5's products and services (including F5 Distributed Cloud, Bot Defense, and NGINX) are certified for the security, availability, and confidentiality of the information processed by our systems.
Each trust principle lists control objectives which the organization decides how it wants to meet these control objectives. SOC 2 trust principles are modeled around:
Applicable Products: F5 Distributed Cloud, Bot Defense, and Silverline are SOC2 Type II compliant. NGINXaaS for Azure (N4A) is SOC2 Type I compliant and will have a Type II in early-mid 2026.
