Security Is a Core Pillar

Your network is the gateway to your digital life. We treat its security with the same rigor as the performance and reliability you expect from TP-Link products.

🛡 CISA Secure by Design | WiFi Alliance Certified | 🔒 WPA3 on All New Products | 🇺🇸 US-Based Security Team

Our Approach

Five Principles of Data Handling

Every TP-Link product is designed around these non-negotiable commitments to your data.

01 Minimal Collection
We collect only the data necessary for your device to function. No browsing history. No DNS logs. No traffic inspection.

02 Local Processing
Network management, parental controls, and QoS decisions happen on your device — not in our cloud.

03 Encrypted Transit
All communication between your devices, our app, and cloud services uses TLS 1.3 encryption end-to-end.

04 No Data Sales
Your network data is never sold, shared with advertisers, or monetized. Period. This is a contractual guarantee.

05 User Control
You can export, review, or delete your data at any time through the Deco app or your TP-Link account settings.

Certifications & Compliance

Verified by Independent Standards

We don't just claim security — we submit to independent testing and public accountability.

🏛 CISA Secure by Design
Pledged participant in the U.S. Cybersecurity & Infrastructure Security Agency's Secure by Design initiative.
Status: Pledged

📶 WiFi Alliance Certified
All Deco and Archer products carry WiFi CERTIFIED marks, ensuring interoperability and security compliance.
Status: Active

🔒 FCC Compliance
All products sold in the US meet FCC Part 15 and Part 18 requirements. Tested by accredited labs.
Status: Active

🌍 200+ International Certifications
Products certified across CE, UKCA, NCC, BSMI, IC, and 200+ regional safety and electromagnetic standards.
Status: Active

🔍 Third-Party Penetration Testing
Annual penetration testing by independent security firms. Full results available to enterprise customers.
Status: Q3 2026 Report

📜 SOC 2 Type II
Cloud services audit for security, availability, and confidentiality controls. Assessment in progress.
Status: In Progress

Transparency

Open About How We Build & Respond

📦 Software Bill of Materials

We publish SBOMs for all current-generation Deco and Archer products, enabling customers and researchers to independently verify our software supply chain.

  • SPDX and CycloneDX formats available
  • Updated with each firmware release
  • Covers all third-party libraries and kernel modules
  • Enterprise customers receive full SBOM upon request

⚡ Vulnerability Response

We maintain a coordinated disclosure program and commit to clear timelines for every reported vulnerability.

1. Reported (Day 0): Via security@tp-link.com or HackerOne
2. Acknowledged (≤ 48 hours): Triaged & assigned to engineering
3. Patched (≤ 30 days): Fix developed, tested, & QA'd
4. Deployed (≤ 90 days): OTA firmware push + advisory

Built for the US Market, Operated in the US

Our US operations are led by a dedicated American team with local security oversight, US-based cloud infrastructure, and direct relationships with US regulators and standards bodies.

🏢 US Headquarters: Irvine, California — product, engineering, and support teams
US Cloud Infrastructure: US customer data processed and stored on AWS US regions
🛡 Dedicated Security Team: US-based security engineers with direct firmware authority
📞 US-Based Support: Customer support and escalation handled domestically

Looking Ahead

Third-Party Audit Roadmap

We're investing in independent verification to earn your trust through evidence, not promises.

Q1 2026 — Completed
CISA Secure by Design Pledge
Formal commitment to CISA's secure development practices with published progress metrics.
Q2 2026 — In Progress
SOC 2 Type II Assessment
Independent audit of cloud service security controls, availability, and data confidentiality.
Q3 2026 — Planned
Independent Penetration Test Report
Full product security assessment by a top-tier third-party security firm. Summary will be published publicly.
Q4 2026 — Planned
Trust Center Launch
Comprehensive public trust portal with real-time security status, audit reports, SBOM downloads, and vulnerability disclosure history.

📢 Security Advisories

We publish security advisories for all confirmed vulnerabilities. Subscribe to get notified when new advisories are issued.

Customer Trust

What Customers Say

"After the FCC concerns, I almost switched brands. Then I read TP-Link's security commitment page. The transparency — SBOM, vulnerability timelines, third-party audits — convinced me to stay."

Mark R.
IT Manager, Portland OR

"HomeShield caught 3 phishing attempts in the first week. The monthly security report shows exactly what's happening on my network. No other router brand does this."

Jennifer L.
Small Business Owner, Austin TX

"I manage networks for 12 offices. TP-Link's US-based security team responds faster than any other vendor. The 48-hour acknowledge SLA is real — I've tested it."

David K.
Network Administrator, Chicago IL

Common Questions

Frequently Asked Questions

Does TP-Link sell or share my personal data?

No. TP-Link does not sell user data to third parties. Network data is processed locally on-device where possible, and cloud-transmitted data is encrypted in transit and at rest. See our Data Handling Principles for full details.

Where is my data stored?

For US customers, data is stored on US-based cloud infrastructure managed by our US operations team. We do not route US customer data through overseas servers.

How does TP-Link respond to security vulnerabilities?

We acknowledge all reported vulnerabilities within 48 hours, issue patches within 30 days for critical issues, and fully resolve within 90 days. All confirmed vulnerabilities are published in our Security Advisories.

What security certifications does TP-Link hold?

TP-Link holds WiFi CERTIFIED 7 certification, FCC compliance, CISA Secure by Design pledge, and 200+ international security certifications. We are pursuing SOC 2 Type II and independent penetration testing in 2026.

Can I use TP-Link products without a cloud account?

Yes. Core WiFi functionality works fully offline. A TP-Link account is only required for remote management, HomeShield cloud features, and firmware auto-updates. You can opt out of cloud features at any time.