Compliance and Certifications

As a security company, Checkmarx is committed to the highest levels of certifications and audits. We’ve built security into everything that we do. Our number one focus is to help organizations gain insight into risk related to software exposure. Our commitment to security and privacy is underscored by a number of industry certifications.

Third Party Reviews

To demonstrate how Checkmarx protects customer data, we provide independent third-party reports to our customers. We regularly pass rigorous third-party compliance audits of our security, availability, processing integrity, confidentiality, and privacy controls.

ISO 27001:2013 Certified

Checkmarx has successfully obtained its certification to the International Organization for Standardization (ISO) 27001:2013 standard. This standard formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework that allows Checkmarx to identify, analyze, and address its information risks. The ISMS ensures that our security arrangements are fine-tuned to keep pace with changes to security threats, vulnerabilities, and business impacts. The certification is achieved through a systematic and rigorous external examination of an organization’s information security risk profile that takes into account any threats or vulnerabilities.

SSAE16 – SOC2 Type 2 Certified

Checkmarx is SOC2 Type 2 certified by EY. The SOC 2 report demonstrates Checkmarx’s continuous commitment to internal information security practices, policies, procedures, and operations by meeting or exceeding the AICPA standards for security, availability, and confidentiality.

FedRAMP compliant under Project Hosts

Checkmarx has a certified installation on a Project Hosts environment to enable our FedRAMP customers.

EU GDPR Compliant

Checkmarx has completed GDPR readiness. See our Privacy Policy for more details.


Checkmarx successfully completed CSA's STAR Level 1 security assessment for our cloud-based Checkmarx One™ Application Security Platform.

Security and Trust

At Checkmarx, we do everything with our customers in mind. Security, data privacy, compliance, and reliability are important to you, which makes them imperative for us.

Checkmarx One

This page provides information on our approach to security, data privacy, compliance, and reliability for the Checkmarx One™ application security platform.

Checkmarx is an extension of your software development processes and architecture. We designed Checkmarx One to meet your security standards, including data, application, network, and product security.

Audit logging

Checkmarx logs all actions taken within our AWS environment and web applications using AWS CloudTrail. Logs are encrypted, stored in a secure and centralized location, and available for audit and compliance purposes.


Checkmarx performs daily backups of all customer data and retains backups for seven days. Data is stored in secure locations, encrypted at rest, and protected from unauthorized access. In addition, we perform regular disaster recovery drills to ensure all environments are recoverable.

Data retention

Checkmarx retains customer data for only as long as necessary to provide our services. Customer data is automatically deleted when no longer needed.

For single-tenant Checkmarx One deployments, we group data in clusters based on specific criteria, such as date ranges, user groups, or data types, and delete data clusters when no longer needed.

Encryption at rest

We encrypt all customer data at rest using industry standard encryption protocols, such as AES-256, to protect against unauthorized access or theft.

Encryption in transit

Checkmarx One encrypts all communications with our service using HTTPS. In addition, data transmitted within our service to and from Amazon S3 is encrypted using TLS 1.2.


Checkmarx implements an IDS/IPS for the Checkmarx One environment using a combination of AWS Shield, WAF rules, and DevOps Guru services to identify and alert on anomalies or potential security threats.

Risk Assessment

Checkmarx proactively performs vendor risk management (VRM) assessments of our external security posture using Panorays, with an overall Cyber Posture Rating of 99%. Assessments include network and IT, application, and human maturity, and can be provided to customers.


All exposed AWS instances are protected with a web application firewall (WAF) to detect and block a wide range of web application attacks. WAF rules are customized to the Checkmarx One environment and regularly updated against the latest threats.


Data Privacy

Checkmarx understands the importance of data privacy for our customers. Our programs, products, and services are structured to provide effective data privacy protections for Checkmarx, its customers, partners, and employees.


Our customers do business everywhere in the world. Checkmarx complies with global industry standards and regulations to protect both our business data and yours.

Checkmarx One


Checkmarx ensures all its products and services are designed and delivered to meet the requirements of the Confidentiality, Integrity, and Availability (CIA) triad. This provides the assurances you need to secure your application development, without slowing you down.

Status page

Monitor the operational status and recent history for Checkmarx One services running in each of its five global regions (United States, Europe, India, Singapore, and Australia & New Zealand) on this status page.

Additional Resources

Checkmarx provides customers with additional details on security, privacy, compliance, and availability programs, including certifications, compliance reports, standard security questionnaires, and security architecture. For these and others, please contact your account team.

Security architecture

Existing customers and prospects under NDA can contact their account teams for our white paper detailing our security architecture, access control, infrastructure security and availability controls, data management controls, and more.

Talk to Checkmarx InfoSec

Our InfoSec team is responsible for ensuring the security and integrity of our Checkmarx One platform, along with our other products and services. If you want additional information about our security policies, you can contact us at [email protected].

Report a security vulnerability

If you’re a security researcher and discover a vulnerability in a Checkmarx product or service, please submit your findings to us at [email protected].
