We're proud to announce that Chainstack has officially achieved ISO/IEC 27001 certification. We received the final Stage 2 audit report and certificate from our long-term compliance partner A-LIGN, closing out a process we committed to publicly earlier this year.
Paired with the SOC 2 Type II certification earned in December 2025, Chainstack is now one of a small number of blockchain infrastructure providers that can hand an enterprise compliance team both audit reports on the first ask.
What ISO/IEC 27001 actually certifies
ISO/IEC 27001 is the international standard for information security management. Unlike SOC 2, which attests that a defined set of controls operated effectively over a period of time, ISO 27001 certifies that an organization has built and continues to operate a full Information Security Management System (ISMS) — a governed, risk-driven program spanning policies, people, processes, and technology, aligned to the Annex A control set of the 2022 revision of the standard.
In practice, the audit examined how Chainstack:
- Identifies and treats security risks across blockchain node infrastructure, APIs, and internal systems
- Enforces identity and access controls (MFA, hardware tokens, role-based access with least privilege, and privileged access management) for both customer-facing services and internal tooling
- Protects data at rest (AES-256) and in transit (TLS), including secure erasure procedures
- Handles change management, secure development (environment isolation, team segregation, multi-user code review), and vulnerability response — backed by automated dependency checks, IaC-based patching, and an active bug bounty program on HackenProof
- Maintains business continuity, incident response, and supplier security across our global footprint
- Runs internal audits, management reviews, and continuous improvement of the ISMS itself
The certification was issued by A-LIGN, accredited by the ANSI National Accreditation Board (ANAB) and the United Kingdom Accreditation Service (UKAS).
Why we did this
Chainstack customers include wallets, exchanges, custodians, tokenization platforms, oracle networks, and a growing set of regulated financial institutions building on public and permissioned chains. For every one of them, the vendor security review is a real gate. Dual certification (SOC 2 Type II + ISO 27001) is what gets you through it — the difference between a two-week procurement cycle and a six-month one.
What this means for you
If you're a Chainstack customer, nothing changes operationally — the controls audited under ISO 27001 are the ones we've been operating against all along. What does change is what your security, risk, and procurement teams can now do with that:
- Vendor questionnaires — most SIG, CAIQ, and custom questionnaires map directly to ISO 27001 Annex A, which shortens vendor reviews
- Regulatory filings — for MiCA, DORA, state money transmitter regimes, and equivalent frameworks, third-party infrastructure now comes pre-mapped to a control set your regulator already recognizes
- Internal audit — our ISMS documentation and audit report are available under NDA through the Chainstack Trust Center, alongside our SOC 2 Type II report, independent penetration test report, and public SecurityScorecard rating
If you're evaluating Chainstack and want the reports, reach out to your account team or contact us — we'll get them to your compliance reviewer the same day.
What's next
Together with SOC 2 Type II, the ISO/IEC 27001 certification confirms that Chainstack meets the audit standard regulated teams already require from the rest of their infrastructure stack. If you're building on Chainstack, you can deploy on infrastructure your compliance team can sign off on.
Read the full announcement on the Chainstack Blog → https://chainstack.com/chainstack-achieved-iso-27001-certification/
Top comments (1)
wow, congrats 🔥