Compliance

Meet regulatory requirements with built-in compliance controls and automated reporting

Compliance Overview

TigerIdentity helps you achieve and maintain compliance with major regulatory frameworks through automated controls, comprehensive audit logging, and streamlined reporting.

SOC 2: Type II Certified
ISO 27001: Certified ISMS
GDPR: Ready & Compliant

SOC 2 Type II

Certified Since 2024

TigerIdentity maintains SOC 2 Type II certification audited by independent third-party assessors. Our report covers Security, Availability, and Confidentiality trust service criteria.

Request SOC 2 Report →

What SOC 2 Covers

Security

Logical and physical access controls, encryption, network security, incident response

Availability

System uptime, disaster recovery, business continuity, monitoring and alerting

Confidentiality

Data classification, encryption at rest and in transit, access logging, data retention

How TigerIdentity Helps Your SOC 2

  • CC6.1: Immutable audit logs satisfy logical access control requirements
  • CC6.2: Automated access reviews and attestations before audits
  • CC6.3: Just-in-time access eliminates standing privileges
  • CC7.2: Comprehensive audit trail for all system activity

ISO 27001

TigerIdentity's Information Security Management System (ISMS) is certified to ISO/IEC 27001:2022, demonstrating systematic management of information security risks.

Scope of Certification

  • Design, development, and operation of the TigerIdentity platform
  • Cloud infrastructure and hosting
  • Customer data processing and storage
  • Support and professional services

Key Controls

  • A.5.1: Information security policies
  • A.8.2: Access control
  • A.8.9: Configuration management
  • A.8.16: Monitoring activities

How TigerIdentity Helps Your ISO 27001

  • A.9.1.1: Access control policy enforcement via centralized policies
  • A.9.2.1: User registration and de-registration tracking
  • A.9.4.1: Information access restriction based on policies
  • A.12.4.1: Event logging and monitoring of all access

GDPR Compliance

TigerIdentity provides controls and features to help you comply with the EU General Data Protection Regulation (GDPR).

Article 5: Data Processing Principles

Lawfulness & Transparency: Clear data processing agreements and privacy notices
Purpose Limitation: Data used only for identity and access management
Data Minimization: Collect only necessary identity attributes
Accuracy: Automated identity synchronization keeps data current

Article 17: Right to Erasure

Delete personal data via API or dashboard. Deletion propagates across all systems within 30 days.

DELETE /v1/principals/{principal_id}?gdpr_erasure=true # Deletes identity and pseudonymizes audit logs

Article 15: Right of Access

Export all data associated with a data subject in machine-readable format.

POST /v1/data-exports/gdpr
{ "principal_id": "user_jane_doe" }  # Generates JSON export of all personal data
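The two endpoints above describe an export (Article 15) and an erasure that deletes the identity but pseudonymizes, rather than deletes, the audit entries that reference it (Article 17). The following is an added example of what those two operations look like on a small in-memory store; it is not TigerIdentity's code. The store layout, the field names, the constructed sample data and the HMAC-SHA256 pseudonym scheme are all assumptions made for the illustration.

```python
import copy
import hashlib
import hmac
import json


class IdentityStore:
    """Minimal in-memory stand-in for the identity records and audit log that
    the export and erasure endpoints operate on (constructed for this example)."""

    def __init__(self, principals, audit_log):
        self.principals = copy.deepcopy(principals)
        self.audit_log = copy.deepcopy(audit_log)


# Audit-log fields that identify a natural person. Timestamp, action and
# resource are kept verbatim so the trail stays complete for auditors.
PERSONAL_FIELDS = ("principal_id", "actor_email")


def sample_store():
    """Constructed sample data: two principals and three audit events."""
    principals = {
        "user_jane_doe": {"name": "Jane Doe", "email": "jane.doe@example.com",
                          "department": "finance", "role": "analyst"},
        "user_bob_roe": {"name": "Bob Roe", "email": "bob.roe@example.com",
                         "department": "security", "role": "engineer"},
    }
    audit_log = [
        {"ts": "2026-01-05T09:12:00Z", "principal_id": "user_jane_doe",
         "actor_email": "jane.doe@example.com", "action": "access.granted",
         "resource": "prod-ledger"},
        {"ts": "2026-01-06T10:00:00Z", "principal_id": "user_bob_roe",
         "actor_email": "bob.roe@example.com", "action": "policy.changed",
         "resource": "prod-*"},
        {"ts": "2026-01-07T11:30:00Z", "principal_id": "user_jane_doe",
         "actor_email": "jane.doe@example.com", "action": "access.denied",
         "resource": "prod-payroll"},
    ]
    return IdentityStore(principals, audit_log)


def export_subject_data(store, principal_id):
    """Article 15 export: everything held about one data subject, returned as a
    JSON-serialisable structure (profile plus the audit events naming them)."""
    if principal_id not in store.principals:
        raise KeyError(f"unknown principal: {principal_id}")
    return {
        "principal_id": principal_id,
        "profile": copy.deepcopy(store.principals[principal_id]),
        "audit_events": [copy.deepcopy(e) for e in store.audit_log
                         if e["principal_id"] == principal_id],
    }


def pseudonym(value, key):
    """Keyed pseudonym (truncated HMAC-SHA256). The same input maps to the same
    token under one key, so the erased subject's events can still be correlated
    with each other, but without the key the token cannot be linked back to the
    person. Destroying the key later makes the mapping irreversible."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseudo_" + digest[:16]


def erase_principal(store, principal_id, key):
    """Article 17 erasure: delete the identity record and rewrite, rather than
    delete, the audit entries that reference it. Returns how many were rewritten."""
    if principal_id not in store.principals:
        raise KeyError(f"unknown principal: {principal_id}")
    del store.principals[principal_id]
    rewritten = 0
    for entry in store.audit_log:
        if entry["principal_id"] != principal_id:
            continue
        for field in PERSONAL_FIELDS:
            if field in entry:
                entry[field] = pseudonym(entry[field], key)
        rewritten += 1
    return rewritten


def audit_log_mentions(store, needle):
    """Check helper: does the serialised audit log still contain a string?"""
    return needle in json.dumps(store.audit_log)


if __name__ == "__main__":
    store = sample_store()
    print(json.dumps(export_subject_data(store, "user_jane_doe"), indent=2))
    n = erase_principal(store, "user_jane_doe", b"constructed-demo-key")
    print(f"{n} audit entries pseudonymised; log still has {len(store.audit_log)} entries")
```

The point to check after an erasure is twofold: no personal field of the subject survives anywhere in the log, and the log still has the same number of entries, since an audit trail with holes in it is itself a compliance finding.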

Article 30: Records of Processing

Generate processing records for your GDPR documentation.

  • Categories of data subjects (employees, contractors, customers)
  • Categories of personal data (name, email, department, role)
  • Purpose of processing (access control, audit, security)
  • Data retention periods (configurable, default 1 year)

Article 32: Security of Processing

TigerIdentity implements technical and organizational measures:

• AES-256 encryption at rest
• TLS 1.3 in transit
• Regular penetration testing
• Access logging and monitoring
• Incident response procedures
• Staff security training

HIPAA Compliance

For healthcare organizations handling Protected Health Information (PHI), TigerIdentity provides HIPAA-compliant controls.

Business Associate Agreement (BAA)

Available for Enterprise customers. Contact sales to execute a BAA.

Request BAA →

164.308: Administrative Safeguards

  • (a)(1): Security management process with risk assessments
  • (a)(3): Workforce clearance via background checks
  • (a)(5)(ii)(C): Log-in monitoring and audit logs

164.312: Technical Safeguards

  • (a)(1): Unique user identification for all principals
  • (a)(2): Emergency access procedures via break-glass policies
  • (b): Audit controls with immutable logging
  • (e)(1): Transmission security via TLS 1.3

PCI-DSS

For organizations processing credit card data, TigerIdentity helps satisfy PCI-DSS access control requirements.

Requirement 7: Restrict Access

  • 7.1: Limit access to need-to-know
  • 7.2: Access control system with default deny

Requirement 8: Identify Users

  • 8.1: Unique ID for each user
  • 8.2: Strong authentication

Requirement 10: Track Access

  • 10.1: Audit trails for all access
  • 10.2: Automated audit trail

Requirement 12: Security Policy

  • 12.3: Usage policies for technologies
  • 12.10: Incident response plan

FedRAMP (Planned)

TigerIdentity is pursuing FedRAMP Moderate authorization for U.S. federal government customers. Expected availability: Q3 2026.

Express interest in FedRAMP →

Generating Compliance Reports

Generate compliance reports for auditors on-demand or on a schedule.

POST /v1/compliance/reports
Content-Type: application/json

{
  "report_type": "access_review",
  "period": {
    "start": "2026-01-01",
    "end": "2026-03-31"
  },
  "scope": {
    "resources": ["prod-*"],  # All production resources
    "principals": ["department:finance"]
  },
  "format": "pdf",  # pdf, csv, json
  "include_sections": [
    "access_grants",
    "policy_changes",
    "denied_requests",
    "orphaned_accounts",
    "privilege_escalations"
  ]
}

# Response
{
  "report_id": "rpt_abc123",
  "download_url": "https://reports.tigeridentity.com/...",
  "expires_at": "2026-02-12T15:30:00Z"
}
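To make the request above concrete, here is an added example (not TigerIdentity's implementation) of how a report generator resolves the scope of that request and fills two of the requested sections: access_grants and orphaned_accounts. The grant records, the principal directory, the "department:finance" selector syntax being an attribute:value match, the glob matching of "prod-*", and the rule that an orphaned account is a grant whose principal no longer exists in the directory are all assumptions made for the illustration; the remaining sections from the request are not implemented here.

```python
from datetime import date
from fnmatch import fnmatchcase

# Constructed directory of current principals and the grants on record.
# One grant names a principal that is no longer in the directory; that is
# what the orphaned_accounts section is meant to surface.
PRINCIPALS = {
    "user_jane_doe": {"department": "finance"},
    "user_raj_singh": {"department": "finance"},
    "user_bob_roe": {"department": "security"},
}

GRANTS = [
    {"principal_id": "user_jane_doe", "resource": "prod-ledger",
     "granted_on": date(2026, 1, 15), "role": "reader"},
    {"principal_id": "user_raj_singh", "resource": "prod-payroll",
     "granted_on": date(2026, 2, 3), "role": "writer"},
    {"principal_id": "user_raj_singh", "resource": "staging-payroll",
     "granted_on": date(2026, 2, 3), "role": "writer"},
    {"principal_id": "user_bob_roe", "resource": "prod-ledger",
     "granted_on": date(2026, 1, 20), "role": "admin"},
    {"principal_id": "user_left_company", "resource": "prod-ledger",
     "granted_on": date(2025, 11, 2), "role": "writer"},
    {"principal_id": "user_jane_doe", "resource": "prod-ledger",
     "granted_on": date(2025, 12, 1), "role": "reader"},  # predates the period
]

# Only these two sections are rendered by this example.
SUPPORTED_SECTIONS = {"access_grants", "orphaned_accounts"}


def principal_in_scope(principal_id, selector, principals):
    """Resolve an "attribute:value" selector such as "department:finance".
    An id missing from the directory has no attributes and never matches."""
    attr, _, wanted = selector.partition(":")
    profile = principals.get(principal_id)
    return profile is not None and profile.get(attr) == wanted


def resource_in_scope(resource, patterns):
    """Glob patterns such as "prod-*" select resources."""
    return any(fnmatchcase(resource, p) for p in patterns)


def build_report(request, grants=GRANTS, principals=PRINCIPALS):
    """Produce the JSON-format report body for a request shaped like the one
    in the documentation. Validates the period, format and section names."""
    start = date.fromisoformat(request["period"]["start"])
    end = date.fromisoformat(request["period"]["end"])
    if start > end:
        raise ValueError("period start is after period end")
    if request.get("format", "json") != "json":
        raise ValueError("this example renders the json format only")
    wanted = list(request["include_sections"])
    unsupported = set(wanted) - SUPPORTED_SECTIONS
    if unsupported:
        raise ValueError(f"sections not implemented here: {sorted(unsupported)}")

    patterns = request["scope"]["resources"]
    selectors = request["scope"].get("principals", [])
    # Grants on in-scope resources that existed by the end of the period.
    in_resource_scope = [g for g in grants
                         if resource_in_scope(g["resource"], patterns)
                         and g["granted_on"] <= end]

    sections = {}
    if "access_grants" in wanted:
        sections["access_grants"] = [
            {"principal_id": g["principal_id"], "resource": g["resource"],
             "role": g["role"], "granted_on": g["granted_on"].isoformat(),
             "new_in_period": start <= g["granted_on"] <= end}
            for g in in_resource_scope
            if not selectors or any(principal_in_scope(g["principal_id"], s, principals)
                                    for s in selectors)]
    if "orphaned_accounts" in wanted:
        # Computed over the resource scope only: a deleted principal has no
        # attributes left to match a principal selector against.
        sections["orphaned_accounts"] = sorted(
            {g["principal_id"] for g in in_resource_scope
             if g["principal_id"] not in principals})
    return {"report_type": request["report_type"],
            "period": {"start": start.isoformat(), "end": end.isoformat()},
            "sections": sections}


SAMPLE_REQUEST = {
    "report_type": "access_review",
    "period": {"start": "2026-01-01", "end": "2026-03-31"},
    "scope": {"resources": ["prod-*"], "principals": ["department:finance"]},
    "format": "json",
    "include_sections": ["access_grants", "orphaned_accounts"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_REQUEST), indent=2))
```

Note the design choice on orphaned accounts: if they were filtered through the principal selector they would never appear, because a deleted principal has no department to match, so the check must run on the resource scope alone.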

Available Report Types

Access Review Report

Who has access to what, changes over time, certification status

Policy Change Report

All policy modifications with before/after diffs and approvers

Audit Log Summary

Aggregated access decisions, anomalies, security events

Compliance Posture

Control effectiveness, gaps, remediation recommendations

Access Review Automation

Automate periodic access reviews required by SOC 2, ISO 27001, and other frameworks.

# config/access-reviews.yaml
reviews:
  - name: quarterly-production-access
    schedule: "0 0 1 */3 *"  # First day of quarter
    scope:
      resources:
        environment: production
    reviewers:
      - role: resource_owner
      - department: security

    auto_revoke:
      enabled: true
      if_not_certified_within_days: 14

    notifications:
      - on_start: [email, slack]
      - reminder_after_days: 7
      - on_complete: [email]

  - name: monthly-privileged-access
    schedule: "0 0 1 * *"  # Monthly
    scope:
      principals:
        has_privileged_access: true
    reviewers:
      - role: manager
      - department: security

    require_justification: true

Review Workflow

  1. TigerIdentity generates an access snapshot and assigns reviewers
  2. Reviewers receive a notification with a dashboard link
  3. Reviewers certify (approve) or revoke each access grant
  4. Uncertified access is auto-revoked after the deadline (configurable)
  5. A final report is generated with all decisions and attestations
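The following added example walks the five workflow steps above against the quarterly-production-access policy's auto_revoke setting (if_not_certified_within_days: 14) and the monthly policy's require_justification flag. It is an illustration, not TigerIdentity's implementation: the snapshot and decision records, the rule that only an assigned reviewer's decision counts, and the constructed sample grants are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# From the quarterly-production-access policy: auto_revoke.if_not_certified_within_days
AUTO_REVOKE_DAYS = 14


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    owner: str          # resource owner, the first reviewer role in the policy


@dataclass(frozen=True)
class Decision:
    reviewer: str
    verdict: str        # "certify" or "revoke"
    justification: str = ""


def sample_snapshot():
    """Step 1: a constructed access snapshot of production grants."""
    return [
        Grant("user_jane_doe", "prod-ledger", "owner_ledger"),
        Grant("user_raj_singh", "prod-payroll", "owner_payroll"),
        Grant("user_left_company", "prod-ledger", "owner_ledger"),
        Grant("user_bob_roe", "prod-ledger", "owner_ledger"),
    ]


def sample_decisions():
    """Step 3: constructed reviewer decisions. One grant has no decision at all,
    and one is 'certified' by the grant holder, who is not an assigned reviewer."""
    return {
        ("user_jane_doe", "prod-ledger"):
            Decision("owner_ledger", "certify", "needs the ledger for month-end close"),
        ("user_raj_singh", "prod-payroll"):
            Decision("sec_lead", "revoke"),
        ("user_bob_roe", "prod-ledger"):
            Decision("user_bob_roe", "certify", "I still need it"),
    }


def assign_reviewers(snapshot, security_team=("sec_lead",)):
    """Step 1, reviewer assignment: the resource owner plus the security
    department, keyed by (principal, resource)."""
    return {(g.principal, g.resource): (g.owner,) + tuple(security_team)
            for g in snapshot}


def run_review(snapshot, decisions, started, today, require_justification=False):
    """Steps 3 to 5: apply decisions and the auto-revoke deadline, returning one
    outcome record per grant (the content of the final report). Dates are ISO
    strings so the function is easy to drive from a scheduler or a test."""
    reviewers = assign_reviewers(snapshot)
    deadline = date.fromisoformat(started) + timedelta(days=AUTO_REVOKE_DAYS)
    now = date.fromisoformat(today)
    report = []
    for g in snapshot:
        key = (g.principal, g.resource)
        d = decisions.get(key)
        outcome, reason = "pending", f"awaiting review until {deadline.isoformat()}"
        if d is not None and d.reviewer not in reviewers[key]:
            # A grant holder cannot certify their own access; the decision is dropped.
            reason = f"decision by {d.reviewer} ignored: not an assigned reviewer"
            d = None
        if d is not None:
            if d.verdict == "revoke":
                outcome, reason = "revoked", f"revoked by {d.reviewer}"
            elif d.verdict != "certify":
                raise ValueError(f"unknown verdict {d.verdict!r}")
            elif require_justification and not d.justification.strip():
                reason = f"certification by {d.reviewer} rejected: justification required"
            else:
                outcome, reason = "certified", f"certified by {d.reviewer}"
        if outcome == "pending" and now > deadline:
            # Step 4: anything still uncertified at the deadline loses access.
            outcome = "revoked"
            reason = f"auto-revoked: not certified within {AUTO_REVOKE_DAYS} days"
        report.append({"principal": g.principal, "resource": g.resource,
                       "outcome": outcome, "reason": reason})
    return report


def summarize(report):
    """Step 5: counts per outcome for the report header."""
    counts = {"certified": 0, "revoked": 0, "pending": 0}
    for r in report:
        counts[r["outcome"]] += 1
    return counts


if __name__ == "__main__":
    for day in ("2026-01-08", "2026-01-16"):
        rep = run_review(sample_snapshot(), sample_decisions(), "2026-01-01", day)
        print(day, summarize(rep))
        for r in rep:
            print(f"  {r['principal']:20} {r['resource']:14} {r['outcome']:10} {r['reason']}")
```

Run it once inside the 14-day window and once just past it to see the difference step 4 makes: the grant nobody reviewed and the self-certified grant both sit at "pending" on day 7 and are "revoked" on day 15, while a proper certification and an explicit revocation are unaffected by the deadline.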

Need Compliance Documentation?

Request SOC 2 reports, BAA, or discuss your compliance requirements