Skip to content

SOC 2 Type II and SOC 3 — Independently Verified

Gitea Cloud and Gitea Enterprise have completed SOC 2 Type II and SOC 3 attestation, audited by an independent CPA firm against the AICPA Trust Services Criteria. The audit covered a full 12-month observation period and validated both the design and the day-to-day operating effectiveness of our security program — no material exceptions.

For procurement, security, and compliance teams, this means Gitea is no longer something you have to vouch for internally. It is an independently attested platform you can adopt with the same confidence as the major hyperscalers, while keeping the openness and control of self-hosted Git.

At a glance

  • Reports available: SOC 2 Type II (under NDA) and SOC 3 (public summary).
  • Audit scope: Gitea Cloud and Gitea Enterprise services, including the underlying infrastructure, SDLC, and operations.
  • Period: 12 months of continuous operation, evaluated by an independent AICPA-registered auditor.
  • Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
  • Status: Active, with the next observation period already in progress.

What this means for your team

  • Faster security review. Hand the SOC 2 Type II report to your InfoSec team and shortcut weeks of vendor questionnaires.
  • A clean answer for auditors. Map Gitea's controls into your own SOC 2, ISO 27001, HIPAA, FedRAMP, PCI-DSS, or GDPR programs without bespoke evidence requests.
  • Run regulated workloads with confidence. Healthcare, financial services, public sector, and automotive teams can deploy Gitea Enterprise on their own infrastructure or adopt Gitea Cloud knowing the platform is held to the same standard expected of major cloud providers.
  • No trade-off between open source and compliance. You keep full source access, transparency, and portability — and gain independently verified enterprise-grade controls.

Trust Services Criteria covered

  • Security — protection against unauthorized access, both logical and physical.
  • Availability — systems available for operation and use as committed.
  • Confidentiality — information designated as confidential is protected end to end.
  • Processing Integrity — system processing is complete, accurate, timely, and authorized.
  • Privacy — personal information is collected, used, retained, and disposed of in line with our privacy notice.

During the audit, the independent assessor examined every layer enterprises rely on, including secure SDLC and code signing, encryption in transit and at rest, access control and MFA, audit logging, incident response, vulnerability management and penetration testing, business continuity and disaster recovery, vendor risk management, and personnel security.

Get the reports

  • SOC 3 (public report) — a general-use summary that carries the same audit rigor as SOC 2 Type II and can be shared freely with stakeholders. Email sales@gitea.com and we will send it over.
  • SOC 2 Type II (under NDA) — the detailed report, including the auditor's opinion, system description, and tests of operating effectiveness. Available to current and prospective enterprise customers under a mutual NDA. Request it through our contact form or your account team.

Beyond SOC 2: our compliance roadmap

SOC 2 Type II is a baseline, not a finish line. The next observation period is already underway, and we are actively expanding the compliance portfolio:

  • ISO/IEC 27001 — information security management certification.
  • HIPAA enablement — controls and BAA support for healthcare workloads.
  • TISAX — assessment for automotive industry supply chains.
  • Continued alignment with FedRAMP, PCI-DSS, and GDPR control mappings.

Talk to our security team

Need to walk through control mappings, complete a vendor assessment, or sign an NDA to access the SOC 2 Type II report? Contact us and we will route you to the right specialist.

Read the full announcement on the blog: Gitea Achieves SOC 2 Type II and SOC 3 Attestation.