Provider Compliance Matrix
Vendor security evaluation for regulated industries. Compare GPU cloud providers across SOC 2, HIPAA, FedRAMP, ISO 27001, GDPR, and PCI DSS — so your legal, security, and procurement teams can make decisions with verified, structured data.
Showing all 10 GPU cloud providers
| Provider | SOC 2 Audit | HIPAA Health Data | FedRAMP US Gov | ISO 27001 ISMS | GDPR EU Privacy | PCI DSS Payments | Docs |
|---|---|---|---|---|---|---|---|
AWS6/6 | ✓ Type II | ✓ BAA | High (GovCloud) | ✓ Certified | ✓ Compliant | Level 1 | Trust |
GCP6/6 | ✓ Type II | ✓ BAA | High | ✓ Certified | ✓ Compliant | Level 1 | Trust |
Azure6/6 | ✓ Type II | ✓ BAA | High (Gov) | ✓ Certified | ✓ Compliant | Level 1 | Trust |
Lambda2/6 | ✓ Type II | Partial | — | — | ✓ Compliant | — | Trust |
CoreWeave4/6 | ✓ Type II | ✓ BAA | In Progress | ✓ Certified | ✓ Compliant | — | Trust |
RunPod1/6 | In Progress | — | — | — | ✓ Compliant | — | Trust |
Nebius2/6 | In Progress | — | — | ✓ Certified | ✓ Compliant | — | Trust |
Together AI3/6 | ✓ Type II | ✓ BAA | — | — | ✓ Compliant | — | Trust |
Crusoe3/6 | ✓ Type II | ✓ BAA | In Progress | — | ✓ Compliant | — | Trust |
Hyperstack2/6 | ✓ Certified | — | — | — | ✓ Compliant | — | Trust |
Data Residency & Region Coverage
All 10 providers · July 202630+ regions
40+ regions
60+ regions
Community cloud — region not guaranteed
Inference API
Multiple DCs, Stargate partner
Key Takeaways for Security Teams
AWS, GCP, and Azure hold all six certifications — including FedRAMP High and PCI DSS Level 1. For strictly regulated industries (healthcare, fintech, federal contracting) these three are the only fully certified GPU cloud options as of July 2026.
CoreWeave leads the specialist tier with SOC 2 Type II, HIPAA BAA, ISO 27001, and FedRAMP in progress. Lambda and Together AI hold SOC 2 + HIPAA but lack FedRAMP and ISO. "In Progress" signals active pursuit — track for 2026–2027 procurement cycles.
RunPod, Nebius, and Hyperstack are GDPR-compliant with SOC 2 in progress or achieved. These are appropriate for EU-based, non-regulated ML workloads. For HIPAA, FedRAMP, or PCI DSS requirements, look to the hyperscaler or specialist tier.
Disclaimer: Last verified July 2026 — certifications change. Always verify directly with the provider before procurement decisions. GPUAdvisor is not a legal or compliance authority. Links to provider trust pages are provided for reference only and do not constitute an endorsement or legal opinion. Consult your legal and security teams before committing to any provider for regulated workloads.
Our advisory team works with regulated-industry buyers in healthcare, fintech, and government contracting.