// Trust & Security Report
ActiveCampaign, LLC
Marketing automation platform including email marketing, CRM, SMS and WhatsApp messaging, landing pages, and AI-powered automation via Active Intelligence (v2.8 at assessment date)
Certifications held
6
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.activecampaign.com“Trust center compliance section explicitly lists 'SOC 2 Type 2' and provides 'ActiveCampaign SOC 2 Type 2 Report' as a downloadable resource. The trust center FAQ also confirms the report is available upon written request no more than once a year.”
Verify on trust.activecampaign.com“Trust center compliance section lists GDPR. ActiveCampaign acts as a data processor, provides a signed DPA, supports data subject rights (access, erasure, portability), and has obtained EU adequacy under the EU-US Data Privacy Framework.”
Verify on activecampaign.com“ActiveCampaign is certified under three data privacy frameworks: EU-U.S. Data Privacy Framework (effective July 11, 2023), UK Extension to the EU-U.S. Data Privacy Framework (effective October 12, 2023), and Swiss-U.S. Data Privacy Framework (effective September 15, 2024). Trust center resources list 'ActiveCampaign Certification to the Data Privacy Framework'.”
Verify on trust.activecampaign.com“Trust center compliance section explicitly lists 'CCPA COMPLIANT' and provides 'ActiveCampaign CCPA Information' as a standalone resource.”
Verify on trust.activecampaign.com“Trust center compliance section lists HIPAA. Trust center FAQ includes 'Is ActiveCampaign willing to sign a BAA?' as a listed question. Vendor blog states 'Business Associate Agreement (BAA): Available on eligible plans to cover the use and disclosure of PHI' with the Professional tier (~$229/mo) cited as an example qualifying plan.”
Verify on trust.activecampaign.com“Trust center compliance section lists 'Google CASA Tier 2' as a compliance line item (displayed alongside SOC 2 Type 2, GDPR, CCPA, and HIPAA).”
> Show 6 unconfirmed / not-held certifications
source: trust.activecampaign.comISO 27001 is NOT listed in the trust center compliance section, which enumerates only SOC 2 Type 2, GDPR, CCPA, HIPAA, and Google CASA Tier 2. Third-party security profile aggregators (e.g. Nudge Security) claim this cert, but no vendor-domain page (trust center, security page, or legal page) accessible during this assessment confirms it. Cannot grade held=true without vendor-domain proof.
source: trust.activecampaign.comNo public evidence of ISO 27701 certification found on any accessible ActiveCampaign domain page or trust center.
source: trust.activecampaign.comNo public evidence of ISO 42001 AI governance certification found on any accessible ActiveCampaign domain page or trust center.
source: trust.activecampaign.comClaimed by at least one third-party security profile aggregator (Nudge Security). Not listed in ActiveCampaign's own trust center compliance section or any accessible vendor-domain security page. Cannot confirm; graded held=false.
source: trust.activecampaign.comThird-party profile (Nudge Security) claims 'CSA STAR Level 1 Compliant' (the self-assessment tier). ActiveCampaign does not appear in the publicly searchable portion of the CSA STAR registry, and no vendor-domain page confirms this. Cannot verify; graded held=false.
source: trust.activecampaign.comThird-party security profile aggregators claim PCI compliance. ActiveCampaign is a marketing automation platform and does not appear to directly process payment card data in scope of PCI DSS. No vendor-domain page confirms a PCI DSS certification or SAQ/AoC. Cannot verify; graded held=false.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Multi-regional data centers in the US, EU (Ireland), and APAC. Accounts are automatically assigned to the closest region by GEO IP at account creation; customers cannot manually select a region. Importantly, contact data continues to be processed in the United States and other locations outside the hosting region regardless of the assigned data center, per the Multi-Regional Data Hosting Policy.
The Terms of Service (section 4) explicitly state: 'we may view, copy, and internally use Marketing Content to help us train and improve the Services, including their functionality and effectiveness.' Contact data is also used 'to train, detect issues with our Services, and to ensure their proper functioning.' The Active Intelligence product page states the AI is 'trained on billions of real customer interactions across email, SMS, WhatsApp, and more' but adds that 'while Active Intelligence learns from aggregated patterns across our platform to improve recommendations, your specific customer information and campaigns are never shared with anyone else.' This creates a notable tension: the ToS permits training on customer Marketing Content with no explicit opt-out mechanism, while marketing materials emphasize only anonymized/aggregated patterns are used. AI-generated outputs 'may not be unique across users' (ToS section 5.3). No opt-out for AI training on aggregated data exists.
// Security controls
Encryption in transit
Implied by Web Application Firewall and Zero Trust Network Access controls listed in trust center; explicit TLS confirmation not extracted from accessible pages.
trust.activecampaign.comEncryption at rest
Not explicitly confirmed in accessible vendor pages; single-tenancy architecture and world-class data centers referenced but no specific algorithm or AES standard stated.
activecampaign.comMulti-Factor Authentication
MFA available on all customer accounts; required per NIST standards for internal personnel. Configurable idle session timeouts.
activecampaign.comZero Trust Network Access
Listed as an active infrastructure control in trust center.
trust.activecampaign.comWeb Application Firewall
Listed as an active network security control in trust center.
trust.activecampaign.comArchitecture
Single-tenancy architecture; each customer's data is isolated. Separate production environment listed as a trust center control.
activecampaign.comPenetration Testing
Continuous penetration testing by internal Red Team; pen test attestation available in trust center. Bug bounty program via Bugcrowd.
activecampaign.comVulnerability Management
Daily vulnerability scanning; static code analysis; open-source package management; in-house tooling for anomalous activity detection.
activecampaign.comEndpoint Security
Endpoint security and MDM system listed as active infrastructure controls in trust center.
trust.activecampaign.comAccess Control
Minimum necessary access principle; regular audits of user access permissions; personnel MFA required per NIST.
activecampaign.comAI Controls
Trust center lists three AI-specific controls: AI policy, AI Features, and Third-Party AI Diligence.
trust.activecampaign.comSubprocessors
Trust center lists: Amazon Web Services (cloud provider), Cloudflare (cloud monitoring), Snowflake (data storage and processing), Zendesk (customer support service); full list available in trust center. New subprocessors posted with 7-day objection window before deemed consent.
trust.activecampaign.com// Products & data scope
data: Contact data (names, email addresses, behavioral tracking, IP), email content (Marketing Content), campaign metrics, form submissions
Core product; automation workflows, segmentation, A/B testing. Contact data in scope of DPA. Marketing Content explicitly usable by ActiveCampaign to train/improve services per ToS section 4.
data: Deals pipeline data, contact records, interaction history, employment and occupation data
Built-in CRM; not available as a standalone product. Subject to same DPA and ToS terms as core platform.
data: Marketing Content, customer interaction history, brand kit assets, aggregate behavioral patterns from platform-wide data
AI features generate email and SMS content and automation suggestions. ToS section 4 permits use of Marketing Content to train and improve services. No opt-out. AI-generated content 'may not be unique across users' (ToS 5.3). Trust center lists AI policy, AI Features, and Third-Party AI Diligence as controls.
data: Phone numbers, message content, opt-in consent records
Available as additional channels within the core platform subscription.
data: Form submissions, visitor behavior, IP addresses
Built-in landing page builder integrated with automation workflows.
// What to watch
- AI TRAINING CONTRADICTION: ToS section 4 explicitly permits ActiveCampaign to 'view, copy, and internally use Marketing Content to help us train and improve the Services.' This is broader than the Active Intelligence marketing page, which states only 'aggregated patterns' are used and individual customer data is not shared. No opt-out mechanism for AI training on customer data exists. Buyers should review ToS section 4 and 5.3 carefully.
- ISO 27001 UNCONFIRMED: Not listed in the trust center compliance section (which lists SOC 2 Type 2, GDPR, CCPA, HIPAA, Google CASA Tier 2). Third-party security profile aggregators claim this cert. AIFOXX must not list ISO 27001 as held until ActiveCampaign provides direct on-domain confirmation (e.g. a certificate accessible via the trust center).
- FEDRAMP UNCONFIRMED: Claimed by a third-party aggregator (Nudge Security) but not listed on any accessible ActiveCampaign domain page. Graded held=false.
- CSA STAR UNCONFIRMED: Third-party profile claims Level 1 (self-assessment). Not confirmed via CSA STAR registry or vendor's own pages. Graded held=false.
- PCI DSS UNCONFIRMED: Third-party aggregator claims PCI compliance. ActiveCampaign does not appear to directly process card-holder data in scope of PCI DSS as a marketing automation platform. No vendor-domain evidence. Graded held=false.
- HIPAA BAA IS PLAN-GATED: BAA is available only on eligible plans (at minimum Professional tier per vendor's own blog). Starter and Plus plans do not qualify. Healthcare buyers must verify current plan eligibility before assuming HIPAA coverage.
- DATA RESIDENCY LIMITATION: Contact data continues to be processed in the United States even when accounts are hosted in the EU or APAC region, per the vendor's own Multi-Regional Data Hosting Policy. This limits GDPR data-transfer protection to the hosting layer only.
- TRUST CENTER PARTIALLY GATED: Full certification documents and detailed controls require account login or an explicit access request. This limits public verifiability of some controls and the SOC 2 Type 2 report itself.
// At a glance
Pricing model
Per-contact subscription tiers (Starter, Plus, Professional, Enterprise); pricing scales with contact count. Professional tier cited at approximately $229/month for BAA eligibility.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ActiveCampaign, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.activecampaign.com