Full SOC 1 Type 2 and SOC 2 Type 2 reports, as well as bridge letters covering December 2025, are not publicly downloadable and require submission of an access request through the Trust Center portal.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision requires organizations to complete a formal access request process before reviewing the underlying audit evidence that typically forms the basis of vendor due diligence assessments, which may introduce timeline dependencies in procurement workflows.
Under this portal structure, organizations and users cannot directly download SOC audit reports or bridge letters; the agreement requires submission of a formal access request to obtain these compliance documents.
Monitoring
GitHub has changed this document before.
"GitHub.Enterprise.Cloud.SOC.1.Type.2.-.Bridge.Letter.01.Dec.2025.-.31.Dec.2025.pdf [lock icon] ... GitHub.Enterprise.Cloud.SOC.2.Type.2.-.Bridge.Letter.01.Dec.2025.-.31.Dec.2025.pdf [lock icon]" (Excerpt from GitHub's GitHub Copilot Business Privacy Statement)
(1) REGULATORY LANDSCAPE: Under GDPR, organizations acting as data controllers must assess the security measures of processors before engagement; access to SOC 2 Type 2 reports is a standard mechanism for this assessment. Gated report access does not prevent compliance but may affect the timeline of vendor approval processes. The relevant enforcement authorities are EU member state data protection authorities.
(2) GOVERNANCE EXPOSURE: Low. Gated audit report access is a standard practice among enterprise SaaS vendors and does not itself create compliance exposure. The mechanism is procedural rather than substantive.
(3) JURISDICTION FLAGS: EU/EEA organizations subject to GDPR processor assessment obligations and organizations in regulated sectors such as financial services or healthcare that require audit evidence before vendor onboarding may experience procurement friction due to the access request requirement.
(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should initiate the access request process early in vendor evaluation cycles. B2B contracts with GitHub may include provisions for ongoing access to audit reports; legal teams should verify whether the access request mechanism satisfies contractual audit rights obligations.
(5) COMPLIANCE CONSIDERATIONS: Compliance teams should document the access request submission and report receipt as part of the vendor due diligence file. Organizations with annual vendor reassessment obligations should calendar report refresh cycles, noting that bridge letters are available for the period ending December 2025.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.