Storage Buckets: Security & Compliance

Storage Buckets are built on the same infrastructure that powers the Hugging Face Hub, with enterprise-grade security and compliance built in.

Encryption

All data stored in buckets is encrypted at rest using AES-256 encryption. Data in transit is protected via TLS.

Access Control

Buckets use the Hub’s standard access control mechanisms:

  • SSO: Authenticate through your organization’s identity provider via Single Sign-On
  • RBAC: Fine-grained permissions through Resource Groups let you control who can read, write, or admin each bucket
  • Tokens: Programmatic access is managed through User Access Tokens with scoped permissions

Audit Logs

All bucket operations — uploads, downloads, deletions, and permission changes — are recorded in your organization’s Audit Logs, giving you a full trail of who accessed what and when.

Data Residency

Bucket data is stored in US and EU regions. You can choose where your data lives when creating a bucket, and pre-warming lets you cache data closer to your compute in specific cloud regions.

Compliance

Hugging Face maintains the following certifications and compliance standards:

  • SOC 2 Type 2 certified — active monitoring and patching of security vulnerabilities
  • GDPR compliant — data processing agreements available through Enterprise Plans

For more details on Hugging Face’s overall security posture, see the Security page. For questions, contact security@huggingface.co.
