Gitea Achieves SOC 2 Type II and SOC 3 Attestation


At Gitea, trust has always been at the core of everything we do. Today, we’re proud to announce that Gitea has officially completed both SOC 2 Type II and SOC 3 attestation, as confirmed by an independent third-party auditor. This achievement marks a significant step forward in our ongoing commitment to providing the highest standards of security, availability, confidentiality, processing integrity, and privacy for organizations running self-hosted Git services, subscribing to Gitea Cloud, or adopting Gitea Enterprise.

What SOC 2 Type II Actually Means (and Why It Matters)

SOC 2 (System and Organization Controls 2) is developed by the American Institute of CPAs (AICPA) and is widely regarded as the gold standard for security and compliance in cloud and software services. Unlike SOC 2 Type I (which only evaluates the design of controls at a single point in time), Type II examines both the design and operating effectiveness of those controls over an extended observation period — in our case, a full 12 months of continuous operation.

During this rigorous audit, the independent auditor examined every layer of the Gitea ecosystem that enterprises rely on:

  • Secure software development lifecycle and code signing practices
  • Infrastructure hardening, encryption in transit and at rest
  • Access controls, multi-factor authentication, and audit logging
  • Incident response, vulnerability management, and penetration testing programs
  • Business continuity and disaster recovery planning
  • Vendor and third-party risk management
  • Employee training and background screening processes

The auditor verified that these controls not only exist on paper but have been consistently and effectively applied throughout the entire review period without material exceptions.

SOC 3: Trust, Publicly Verified

Alongside the detailed SOC 2 Type II report (which remains confidential and available under NDA to current and prospective enterprise customers), we have also obtained a SOC 3 report. The SOC 3 report is a public-facing, general-use document that carries the same audit rigor as SOC 2 Type II but can be freely distributed.

To request the official Gitea SOC 3 Trust Services Report, please contact sales@gitea.com.

This public seal of approval gives every organization — from startups to regulated industries — immediate confidence that Gitea has been independently vetted against the industry’s most stringent criteria.

Why This Milestone Matters for Self-Hosted Environments

Many compliance frameworks (FedRAMP, HIPAA, PCI DSS, GDPR, ISO 27001 mapping, etc.) explicitly accept or require SOC 2 Type II attestation as evidence of a mature security program. Until now, organizations wanting to run an on-premises or private-cloud Git service at scale often faced difficult trade-offs between open-source flexibility and regulatory compliance.

With today’s announcement, Gitea eliminates that compromise. Enterprises in healthcare, finance, government, and other regulated sectors can deploy Gitea Enterprise in their own infrastructure with the assurance that the underlying platform has been built and operated according to the same rigorous standards expected of major cloud providers. Teams that prefer a fully managed experience can instead rely on Gitea Cloud, confident that the hosting environment adheres to the same independently audited controls.

A Thank You to Our Community and Enterprise Users

This achievement would not have been possible without the incredible contributions from the global Gitea open-source community and the early feedback from our Gitea Cloud and Gitea Enterprise customers. Your real-world usage, security reports, and feature requests have directly shaped the controls and processes that passed this audit.

We also extend our deepest gratitude to the audit team at our chosen CPA firm for their thoroughness and professionalism throughout the year-long engagement.

Looking Ahead

SOC 2 Type II and SOC 3 attestation is not a one-time event — it’s an ongoing commitment. We have already begun the next observation period and will continue expanding our compliance portfolio (ISO 27001, HIPAA enablement, TISAX, and others) in 2026 and beyond.

Whether you’re running a small team or managing Git services for tens of thousands of developers across regulated industries, Gitea now offers the rare combination of full control, open-source transparency, and independently verified enterprise-grade security.

Welcome to the next chapter of self-hosted Git — secure, compliant, and truly yours.