// Trust & Security Report
Ahrefs Pte. Ltd.
Ahrefs AI marketing & SEO platform (Site Explorer, Keywords Explorer, Site Audit, Rank Tracker, Brand Radar, Web Analytics, Agent A) plus API/MCP, free SEO tools, browser/WordPress extensions, and sibling products Letaido, Firehose, and Yep search engine
Certifications held
4
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.ahrefs.com“Frameworks ISO 27001 (2022) SOC 2 ... ISO 27001 (2022) Initial Certificate View”
Verify on ahrefs.com“Ready for enterprise management ... Single sign-on ... Two-factor authentication ... ISO27001 certified”
Verify on ahrefs.com“the Regulation (EU) 2016/679 (General Data Protection Regulation) ... we provide appropriate safeguards such as entering into data transfer agreements adopted by the European Commission (e.g. Standard Contractual Clauses (2021/914/EU)). DPO: privacy@ahrefs.com; EU Representative: VeraSafe Ireland Ltd.”
> Show 1 unconfirmed / not-held certifications
source: trust.ahrefs.comNo HIPAA reference found on the trust center, security measures page, or privacy policy. Not applicable to an SEO/marketing data platform.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Personal Data stored in the United States ('Personal Data we collect is transferred to and stored in the United States'). Subprocessor AWS regions span USA, EU, and Singapore. Vendor HQ is Singapore.
Privacy Policy lists model training as an explicit processing purpose: 'to improve products and services built on artificial intelligence such as through training of our machine learning models.' Collected information (which may include Personal Data) can be used for this, and Ahrefs reserves broad rights to process de-identified/aggregated data 'for any purpose.' There is no documented opt-out or an explicit 'we do not train on your data' commitment for paid/enterprise customers. Enterprise buyers handling sensitive data should request the DPA and clarify training scope before onboarding.
// Security controls
Encryption in transit
TLS via Cloudflare. 'All Personal Data is encrypted using Cloudflare when transmitted from our servers to your browser.' AWS RDS uses 'industry-standard TLS protocol.'
ahrefs.comEncryption at rest
'RDS implements encryption of data both at rest and in transit.' Database backups are also encrypted.
ahrefs.comPenetration testing
Independent assessment by Cure53: 'Cure53 Security Assessment of Ahrefs (July 2025)' (Request access). Security Measures page states Ahrefs 'conducts penetration tests annually.'
trust.ahrefs.comBug bounty
No public bug-bounty program (HackerOne/Bugcrowd) found on the trust center, security page, or via search. Treat as none/unknown.
trust.ahrefs.comAccess control
'A subset of Ahrefs personnel have access to user data via controlled interfaces on a purely need-to basis.' Role-based authorization via workspace membership.
ahrefs.comEnterprise auth
Single sign-on (SSO) and two-factor authentication (2FA) offered on Enterprise.
ahrefs.comSubprocessors (transparency)
Public subprocessor list including Amazon Web Services (USA, EU, Singapore), Apollo.io (USA), Basecamp (USA), plus full list on the trust center.
trust.ahrefs.com// Products & data scope
data: Account/registration data, billing (via Stripe), connected accounts (e.g. Google Search Console), crawl and analytics data. Stored in US; ISO 27001 / SOC 2 Type 2 scope.
Core product. Marketed as used by 44% of the Fortune 500. Includes Site Explorer, Keywords Explorer, Site Audit, Rank Tracker, Brand Radar, Web/Bot Analytics, Dashboards.
data: Adds SSO, 2FA, 100+ API endpoints, custom reporting. ISO 27001 certified posture surfaced specifically for enterprise buyers.
Distinct contractual/security tier; request DPA and SOC 2 / ISO certificate via trust center.
data: Programmatic access to Ahrefs data; can connect to ChatGPT, Claude, Copilot. Data flows to whichever AI endpoint the customer connects.
When piped into third-party LLMs, data handling is also governed by those third parties' policies (Privacy Policy 'Third Party Services' clause).
data: Has 'full, unrestricted access to Ahrefs data'; can switch between Claude, Gemini and other models. Inputs may be processed by third-party model providers.
Multi-model routing means customer prompts/data may transit external LLM providers; confirm scope for sensitive use.
data: Lower-trust, separate policies: dedicated 'SEO Toolbar Policy' and 'WordPress Plugin Policy' govern collection. Often usable without an account.
Consumer-grade; distinct privacy notices from the paid platform.
data: Separate products under Ahrefs Group; Letaido has its own Cookie and Tracking Technologies Policy (letaido.com). Yep is a public search engine.
Different data/compliance scopes from the core SEO platform; assess separately if used.
// What to watch
- Stale conflicting page: https://ahrefs.com/legal/security-measures still reads 'Ahrefs systems were not subjected to certification so far, though there is a motion to get SOC2 certification' — contradicted by the current trust center (ISO 27001 certified, SOC 2 Type 2 available) and the Probo case study confirming ISO 27001 certification. Treat the trust center as authoritative; the legal page appears outdated.
- AI/ML training: Privacy Policy permits training machine-learning models on collected information (which can include Personal Data); no explicit no-train guarantee or opt-out documented for paid/enterprise customers.
- SOC 2 Type 2 report and ISO 27001 certificate are gated behind 'Request access' on the trust center (not openly downloadable).
- No public bug-bounty program found.
- Agent A and API/MCP route customer data through third-party LLM providers (Claude, Gemini, ChatGPT, Copilot) governed by those providers' policies.
// At a glance
Pricing model
Paid subscription tiers (Lite/Standard/Advanced/Enterprise) with a free tier (Ahrefs Free) and free standalone tools; usage-based API add-ons
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ahrefs Pte. Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.ahrefs.com