// Trust & Security Report

    Ahrefs Pte. Ltd. logo

    Ahrefs Pte. Ltd.

    Ahrefs AI marketing & SEO platform (Site Explorer, Keywords Explorer, Site Audit, Rank Tracker, Brand Radar, Web Analytics, Agent A) plus API/MCP, free SEO tools, browser/WordPress extensions, and sibling products Letaido, Firehose, and Yep search engine

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001 (2022)
    HELD

    Frameworks ISO 27001 (2022) SOC 2 ... ISO 27001 (2022) Initial Certificate View

    Verify on trust.ahrefs.com
    ISO 27001 (homepage enterprise claim)
    HELD

    Ready for enterprise management ... Single sign-on ... Two-factor authentication ... ISO27001 certified

    Verify on ahrefs.com
    SOC 2 Type 2
    HELD

    COMPLIANCE SOC 2 Type 2 Request access

    Verify on trust.ahrefs.com
    GDPR (posture, not a certification)
    HELD

    the Regulation (EU) 2016/679 (General Data Protection Regulation) ... we provide appropriate safeguards such as entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2021/914/EU)). DPO: privacy@ahrefs.com; EU Representative: VeraSafe Ireland Ltd.

    Verify on ahrefs.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No HIPAA reference found on the trust center, security measures page, or privacy policy. Not applicable to an SEO/marketing data platform.

    source: trust.ahrefs.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Personal Data stored in the United States ('Personal Data we collect is transferred to and stored in the United States'). Subprocessor AWS regions span USA, EU, and Singapore. Vendor HQ is Singapore.

    Privacy Policy lists model training as an explicit processing purpose: 'to improve products and services built on artificial intelligence such as through training of our machine learning models.' Collected information (which may include Personal Data) can be used for this, and Ahrefs reserves broad rights to process de-identified/aggregated data 'for any purpose.' There is no documented opt-out or an explicit 'we do not train on your data' commitment for paid/enterprise customers. Enterprise buyers handling sensitive data should request the DPA and clarify training scope before onboarding.

    // Security controls

    Encryption in transit

    TLS via Cloudflare. 'All Personal Data is encrypted using Cloudflare when transmitted from our servers to your browser.' AWS RDS uses 'industry-standard TLS protocol.'

    ahrefs.com

    Encryption at rest

    'RDS implements encryption of data both at rest and in transit.' Database backups are also encrypted.

    ahrefs.com

    Penetration testing

    Independent assessment by Cure53: 'Cure53 Security Assessment of Ahrefs (July 2025)' (Request access). Security Measures page states Ahrefs 'conducts penetration tests annually.'

    trust.ahrefs.com

    Bug bounty

    No public bug-bounty program (HackerOne/Bugcrowd) found on the trust center, security page, or via search. Treat as none/unknown.

    trust.ahrefs.com

    Access control

    'A subset of Ahrefs personnel have access to user data via controlled interfaces on a purely need-to basis.' Role-based authorization via workspace membership.

    ahrefs.com

    Enterprise auth

    Single sign-on (SSO) and two-factor authentication (2FA) offered on Enterprise.

    ahrefs.com

    Subprocessors (transparency)

    Public subprocessor list including Amazon Web Services (USA, EU, Singapore), Apollo.io (USA), Basecamp (USA), plus full list on the trust center.

    trust.ahrefs.com

    // Products & data scope

    Ahrefs SEO/marketing platform (paid subscriptions)SEO & marketing analytics SaaS

    data: Account/registration data, billing (via Stripe), connected accounts (e.g. Google Search Console), crawl and analytics data. Stored in US; ISO 27001 / SOC 2 Type 2 scope.

    Core product. Marketed as used by 44% of the Fortune 500. Includes Site Explorer, Keywords Explorer, Site Audit, Rank Tracker, Brand Radar, Web/Bot Analytics, Dashboards.

    Ahrefs EnterpriseEnterprise SaaS tier

    data: Adds SSO, 2FA, 100+ API endpoints, custom reporting. ISO 27001 certified posture surfaced specifically for enterprise buyers.

    Distinct contractual/security tier; request DPA and SOC 2 / ISO certificate via trust center.

    Ahrefs API & MCPDeveloper API / Model Context Protocol

    data: Programmatic access to Ahrefs data; can connect to ChatGPT, Claude, Copilot. Data flows to whichever AI endpoint the customer connects.

    When piped into third-party LLMs, data handling is also governed by those third parties' policies (Privacy Policy 'Third Party Services' clause).

    Agent A (AI marketing agent)AI agent

    data: Has 'full, unrestricted access to Ahrefs data'; can switch between Claude, Gemini and other models. Inputs may be processed by third-party model providers.

    Multi-model routing means customer prompts/data may transit external LLM providers; confirm scope for sensitive use.

    Free SEO tools, SEO Toolbar (browser extension), WordPress pluginFree / consumer utilities

    data: Lower-trust, separate policies: dedicated 'SEO Toolbar Policy' and 'WordPress Plugin Policy' govern collection. Often usable without an account.

    Consumer-grade; distinct privacy notices from the paid platform.

    Letaido / Firehose / Yep (sibling products)AI workspace, data firehose, search engine

    data: Separate products under Ahrefs Group; Letaido has its own Cookie and Tracking Technologies Policy (letaido.com). Yep is a public search engine.

    Different data/compliance scopes from the core SEO platform; assess separately if used.

    // What to watch

    • Stale conflicting page: https://ahrefs.com/legal/security-measures still reads 'Ahrefs systems were not subjected to certification so far, though there is a motion to get SOC2 certification' — contradicted by the current trust center (ISO 27001 certified, SOC 2 Type 2 available) and the Probo case study confirming ISO 27001 certification. Treat the trust center as authoritative; the legal page appears outdated.
    • AI/ML training: Privacy Policy permits training machine-learning models on collected information (which can include Personal Data); no explicit no-train guarantee or opt-out documented for paid/enterprise customers.
    • SOC 2 Type 2 report and ISO 27001 certificate are gated behind 'Request access' on the trust center (not openly downloadable).
    • No public bug-bounty program found.
    • Agent A and API/MCP route customer data through third-party LLM providers (Claude, Gemini, ChatGPT, Copilot) governed by those providers' policies.

    // At a glance

    Pricing model

    Paid subscription tiers (Lite/Standard/Advanced/Enterprise) with a free tier (Ahrefs Free) and free standalone tools; usage-based API add-ons

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ahrefs Pte. Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.ahrefs.com

    > Browse all vendor trust reports