Compliance & Certifications

Transparency is at the core of our security commitment. This page provides an overview of Phala’s compliance certifications, security controls, and data processing practices.
For compliance reports, security documentation, or to schedule a security review, visit the Trust Center or contact [email protected].

Compliance Reports

Phala maintains industry-standard compliance certifications to demonstrate our commitment to security and privacy.

SOC 2 Type I

Service Organization Control 2 Type I report validating our security, availability, and confidentiality controls at a specific point in time.
The SOC 2 Type I report covers:
  • Security: Protection against unauthorized access
  • Availability: System availability for operation and use
  • Confidentiality: Protection of confidential information

HIPAA Compliance

Health Insurance Portability and Accountability Act (HIPAA) compliance certification, demonstrating our commitment to protecting sensitive patient health information. Status: coming soon.
Phala is working toward HIPAA compliance certification to support healthcare and life sciences customers with protected health information (PHI) requirements.

Security Controls Framework

Phala has implemented a comprehensive security control framework with 120+ controls across multiple security domains. All controls are actively implemented and monitored.

Control Categories

Data Protection
  • Customer data handling policies approved by management
  • Least-privileged access to sensitive data
  • Encryption of web-based management interfaces
  • Data classification and retention policies

Access Control
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) required
  • Periodic access reviews
  • Unique user identities
  • Access provisioning and deprovisioning procedures
  • Root access restrictions

Encryption and Key Management
  • Data encrypted at rest using strong cryptographic algorithms
  • Data encrypted in transit (TLS 1.2+)
  • Key management procedures
  • Removable media encryption
  • Cryptography policies and standards

Network Security
  • Network security controls limiting inbound/outbound traffic
  • Web Application Firewall (WAF)
  • Intrusion Detection/Prevention System (IDS/IPS)
  • Remote server administration port restrictions
  • Encrypted remote production access

Incident Response
  • Documented incident response plan
  • Incident response team with defined roles
  • Security event tracking and evaluation
  • Post-mortem reviews and lessons learned
  • Breach notification procedures
  • Annual incident response testing

Business Continuity and Disaster Recovery
  • Documented disaster recovery plan
  • Business continuity plan
  • Business impact analysis
  • High availability architecture
  • Annual BCP/DR testing

Vulnerability Management
  • Regular vulnerability scans
  • Annual third-party penetration testing
  • Vulnerability management policy
  • Patch management procedures

Logging and Monitoring
  • Centralized logging system
  • Real-time alerting
  • Database and server monitoring
  • File integrity monitoring (FIM)
  • Continuous control monitoring

Personnel Security
  • Background checks for personnel
  • Security awareness training
  • Code of conduct
  • Non-disclosure agreements
  • Termination/offboarding procedures

Vendor Management
  • Vendor risk assessments
  • Compliance monitoring for critical vendors
  • Data processing agreements
  • Subprocessor management

Subprocessors

Phala works with trusted third-party service providers to deliver our services. Below is a list of our current subprocessors and their purposes.
Subprocessor    Purpose                                      Jurisdiction
Google Cloud    Infrastructure hosting                       US, EU
Stripe          Payment processing                           US
PostHog         Product analytics                            US/EU
Customer.io     Marketing & email services                   US
Attio           CRM                                          UK
LinkedIn        Marketing analytics                          US
Fingerprint     Security analytics                           US
GitHub          Code repository and software development     US

Data Processing Agreement

Our commitment to protecting your data extends to our relationships with subprocessors:
  • All subprocessor agreements impose data protection obligations substantially similar to those in our main DPA
  • We notify customers of any intended additions or replacements to the subprocessor list
  • Phala remains liable for subprocessor performance in accordance with our DPA terms

View our full Data Processing Agreement for detailed information on data handling practices.

Privacy

Phala maintains comprehensive privacy practices:
  • Public Privacy Policy: Available at phala.com/privacy
  • Privacy by Design: TEE technology ensures data remains encrypted even during processing
  • Data Subject Rights: Users can access, correct, and delete their personal information
  • Privacy Compliance Review: Quarterly executive review of privacy compliance
  • HIPAA Privacy Rule: Policies for allowable use and disclosure of PHI (for covered entities)

Security Architecture

Phala Cloud’s security is built on Trusted Execution Environments (TEEs) that provide hardware-level isolation and cryptographic guarantees:

Regulatory Compliance

Phala Cloud helps customers meet various regulatory requirements:
Regulation    How Phala Helps
GDPR          Data encryption at rest and in transit, DPA available, subprocessor transparency
HIPAA         TEE-based data isolation, access controls, audit logging (BAA available upon request)
SOC 2         Certified Type I report, comprehensive security controls
PCI DSS       Encryption, access controls, network segmentation

Contact

For compliance inquiries, security documentation requests, or to schedule a security review:

Additional Resources