SOC 2 Type II

External auditors conduct a rigorous review of a service organization's controls, evaluating whether there are effectively designed and implemented controls—or safeguards—in place to protect the security, confidentiality, and availability of information stored and processed in that technical environment.

A SOC 2 Type I is a report of the organization's readiness to meet SOC 2 Type II controls and is a point in time audit and does not provide a review of the controls over time.

• SOC 2 Type II is a broadly accepted standard.
• SOC 2 Type II is conducted by an independent and qualified third party auditor.
• The annual report illustrates our commitment to consistency and demonstrates the controls Cloudflare has in place to keep its infrastructure secure and available.

Learn more about how Cloudflare can help your org address compliance requirements.

Yes, Cloudflare has undertaken the AICPA SOC 2 Type II to attest to Security, Confidentiality, and Availability controls in place in accordance with the AICPA Trust Service Criteria. Cloudflare obtained the initial SOC 2 Type II validation in 2019, and we include the report as part of our compliance package for current and potential customers under a nondisclosure agreement ("NDA").

The report provides reasonable assurance to our customers that Cloudflare's service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, and confidentiality.

Cloudflare issues a SOC 2 Type II once a year. Customers can expect an updated report approximately three months after the completion of the audit.

Part of Cloudflare's approach to SOC 2 compliance involves transparency about which user controls remain among our customers' prescribed responsibilities. Cloudflare's SOC 2 report contains a section that describes the user entity controls.

Your account executive or a member of the sales team can help you get a bridge letter. Bridge letters are created quarterly by Cloudflare. Bridge letters cannot be created for a future period.

All Cloudflare plans are now in-scope for Cloudflare's SOC 2 report. Cloudflare is audited against the SOC 2 standard of examination for Security, Confidentiality, and Availability across our entire organization.

Application Security: API Shield, Bots, DDoS Protection, Client-Side Security, Rate Limiting, SSL/TLS, SSL/TLS for SaaS, Turnstile, WAF, Data Loss Prevention, Log Explorer

Application Performance: Argo Smart Routing, Cache/CDN, DNS, Load Balancing, Speed, Waiting Room, Zaraz

Secure Access Service Edge (SASE) and SSE: Access, Email Security, Browser Isolation, CASB, Cloudflare One, Cloudflare Tunnel, Cloudflare Zero Trust, Gateway, WARP Client

Network Services: Magic WAN, Magic Transit, Magic Firewall, Network Interconnect, Spectrum, Time Services, Magic Network Monitoring

Developer Platform: Browser Rendering, Cloudflare Images, Cloudflare for SaaS, D1, Durable Objects, Hyperdrive, Pages, R2, Stream, Vectorize, Workers, Workers AI, Cloudflare Workers KV, AI Gateway, Cloudflare Queues

Analytics and Insights: Analytics, Cloudflare Web Analytics, Logs, Radar, Security Center

Privacy and Compliance: Data Localization Suite

Cloudflare continuously introduces new features/functions across our platform throughout the year. We introduce those to our SOC 2 scope depending on the annual audit cycle.

Your account executive or a member of the sales team can help you get a copy. Super Administrators can access common compliance documentation through the Cloudflare dashboard. Cloudflare requires all future and current customers to sign a nondisclosure agreement ("NDA") before our report is provided.

For detailed instructions, visit Cloudflare's guide.

At this time Cloudflare only undergoes the SOC 2 Type II audit. Many customers want assurance that the sensitive information they send to Cloudflare can be kept safe. One of the best ways to provide this assurance is a SOC 2 Type II report.

Cloudflare does not undergo SOC 3 or SOC 1 audits. The SOC 3 report is the public version of the SOC 2 Type II report. The SOC 1 report is best for organizations who may have an impact on a customer's financial reporting or handle financial data.

Visit Cloudflare's Trust Hub to learn about additional compliance resources.

Learn more about how Cloudflare's connectivity cloud capabilities help enterprises streamline and map to compliance requirements across multiple standards by visiting our data compliance and protection page.