CircleCI Security & Compliance Status
Before you share customer data with CircleCI, your compliance team needs documented proof they can be trusted. ThirdProof investigated CircleCI across 27 intelligence sources — here's what we found.
⚠ FedRAMP Status: Not found in the FedRAMP Marketplace. Vendors handling government data or CUI must be FedRAMP authorized.
- FedRAMP Status
- CircleCI is not listed on the FedRAMP Marketplace as of March 2026.
- SOC 2 Status
- CircleCI has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- CircleCI returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned CircleCI a Moderate Risk tier with 95% confidence across 27 intelligence sources.
27 sources checked. Every investigation delivers two audit-ready artifacts: a risk report and an auto-filled security questionnaire — built from independent evidence, not vendor self-attestation.
Get CircleCI's Full Report Free →Certification & Compliance Status
Need a complete vendor security questionnaire?
Run a full ThirdProof investigation to get 133 security questions auto-filled with source evidence — ready for your next audit or vendor onboarding review.
Get CircleCI's Full Report Free →Verified against FedRAMP Marketplace API as of March 2026
Organizations with federal compliance requirements should verify this directly at marketplace.fedramp.gov.
CircleCI is not listed on the FedRAMP Marketplace.
Assessment Preview — 23 Sources Queried
Run your own investigation to see the full evidence chain, compliance assessment, and recommended actions.
Get CircleCI's Full Report Free →Executive Summary Preview
CircleCI (circleci.com) is an established CI/CD and software delivery platform with a 14-year operating history, assessed at Tier 3 (Moderate Risk) based on independently sourced evidence. This rating reflects a well-documented historical security incident that, while resolved, warrants documented vendor assurance before onboarding.
This is an excerpt. Run your own investigation to see the full assessment. Get CircleCI's Full Report Free →
Key Findings for CircleCI
| Severity | Finding | Source |
|---|---|---|
| medium | Aging adverse media in historical archives | Historical Media Search |
| info | Clean domain reputation | Threat Intelligence |
2 total findings. Get CircleCI's Full Report Free →
Recommended Actions
- Request the current SOC 2 Type II report and bridge letter directly from CircleCI's security team. SOC 2 reports are confidential and not publicly available — contact CircleCI via their trust portal at trust.circleci.com or email security@circleci.com. The report should cover an audit period ending within the last 12 months; a bridge letter should confirm no material changes since the report period. Retain both documents in your vendor risk register.
- Request post-breach security assurance documentation covering CircleCI's January 2023 incident. Ask specifically for: a summary of control improvements implemented since the breach (endpoint detection, session management, privileged access), evidence of employee security awareness program enhancements, and confirmation of any third-party security audit conducted after the incident. Set a 30-day deadline for receipt.
- Clarify CircleCI's AI data usage policy before onboarding any pipelines that process proprietary source code, credentials, or sensitive build artifacts. Visit https://circleci.com/legal/ai-terms/ and request written clarification from their sales or legal team on: (1) whether build logs or pipeline data are used to train AI models, (2) which third-party AI providers (if any) have access to pipeline data, and (3) what the data retention period is for AI-processed data.
Intelligence Sources Queried for CircleCI
ThirdProof uses a deterministic rules engine to assign risk tiers. AI writes the narrative — rules drive the decision.
What a ThirdProof assessment covers↓
Sanctions Screening
Is CircleCI on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is CircleCI's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is CircleCI a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has CircleCI appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is CircleCI's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are CircleCI's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does CircleCI claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does CircleCI depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has CircleCI appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Seeing this in an audit? ThirdProof lets you investigate CircleCI and every other vendor in your stack — average report time: 7 minutes. Get CircleCI's Full Report Free →
Frequently asked about CircleCI
Is CircleCI FedRAMP authorized?+
Does CircleCI have SOC 2 Type II?+
Is CircleCI on the OFAC sanctions list?+
What is CircleCI's vendor risk tier?+
Can I get an auto-filled security questionnaire for CircleCI?+
Is CircleCI safe to use as a vendor?+
Does CircleCI have SOC 2 certification?+
Has CircleCI had any data breaches?+
Is CircleCI on any sanctions lists?+
How do I assess CircleCI for vendor risk?+
How long does a ThirdProof assessment take?+
Is ThirdProof free?+
Can I use a ThirdProof report as SOC 2 audit evidence?+
How is ThirdProof different from a security questionnaire?+
Also investigate these vendors
CircleCI is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates CircleCI across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
Replaces $600–$900 in manual compliance consulting time per vendor assessed.