Compliance for feature flags

Overview

Unleash holds SOC 2 Type II certification and provides the application-level controls that organizations need to operate within environments governed by frameworks like FedRAMP and ISO 27001. Features such as audit logs, role-based access control (RBAC), and change request workflows enable secure feature management at scale. Self-hosted customers deploy Unleash within their own authorization boundary, maintaining full control over infrastructure, encryption, and network security.

For a detailed overview of how Unleash Enterprise can help you with your compliance requirements, refer to our guides:

Frequently asked questions

Unleash Enterprise is designed to operate within FedRAMP-authorized environments. Many Unleash customers successfully operate in FedRAMP Moderate and FedRAMP High environments today by self-hosting Unleash within their own authorization boundary, where they control infrastructure, encryption, and network security. Unleash provides the application-level controls that map directly to FedRAMP control requirements: RBAC, audit logs, change requests, SSO (with MFA enforced through your identity provider), local flag evaluation, and more. For organizations that require a FedRAMP-authorized SaaS offering listed on the FedRAMP Marketplace, Unleash does not currently hold that authorization. However, many organizations in highly regulated environments prefer self-hosting precisely because it keeps all data entirely within their own infrastructure, including feature flag evaluation context, with no dependency on a third-party SaaS provider’s compliance posture.

For self-hosted deployments, cryptographic protection is managed at the infrastructure layer. Unleash delegates all cryptographic operations to the runtime and infrastructure: TLS termination happens at load balancers and reverse proxies, and all application-level cryptographic calls (such as hashing) are executed by the runtime’s OpenSSL modules. Customers achieve FIPS compliance by:

  • Terminating TLS at infrastructure components that use FIPS-validated modules (load balancers, reverse proxies)
  • Deploying on FIPS-enabled OS distributions (for example, RHEL in FIPS mode)
  • Building container images using FIPS-enabled base images
  • Using FIPS-validated encryption for the PostgreSQL database and disk-level storage

Unleash uses FIPS-approved algorithms (for example, SHA-256 for hashing) that are executed by the runtime’s validated cryptographic modules. Unleash integrates cleanly into FIPS-compliant infrastructure stacks.

Yes. Unleash Enterprise supports fully air-gapped deployments. Unleash Edge provides continued flag evaluation even when disconnected from the core Unleash instance, using local caching. No external network connectivity is required for flag evaluation at runtime.

Unleash’s architecture is designed so that you can evaluate feature flags locally within your applications using SDKs or Unleash Edge. No end-user data needs to be sent to the Unleash server. This privacy-by-design architecture simplifies compliance with data protection requirements across FedRAMP, SOC 2, ISO 27001, GDPR, and other frameworks. For more details, refer to Data collection and privacy.

Unleash maintains SOC 2 Type II certification, with annual penetration testing performed by external auditors. Results and the SOC 2 report are available through the Trust Center upon request. For FedRAMP and ISO 27001, Unleash provides detailed control mappings showing how Enterprise features align with framework requirements. See the individual guides: FedRAMP, SOC 2 Type II, ISO 27001.

When a vendor holds a certification (for example, a FedRAMP ATO), their hosted service has been independently assessed and authorized. This matters when the vendor’s infrastructure is within your authorization boundary. When you self-host Unleash, your infrastructure is the authorization boundary. Unleash provides the application-level security controls you need to satisfy framework requirements: access management, audit trails, change approval workflows, and local evaluation. You manage infrastructure-level controls such as encryption, network security, and key management within your own certified environment. This is why many organizations in FedRAMP High and other highly regulated environments choose self-hosted Unleash; it gives them full control over the compliance boundary while providing enterprise-grade feature management controls.

For information regarding any other frameworks, reach out to us.