// Trust & Security Report

    AlpacaDB, Inc. logo

    AlpacaDB, Inc.

    Alpaca Markets

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Security & Privacy by Design: We adhere to the highest standards in security and privacy protection: ISO 27001:2022 certified, SOC 2 Type II controls, MFA, GDPR, EU US DPF, CSA Level 1, and ICO standards.

    Verify on alpaca.markets
    SOC 2 Type II
    HELD

    SOC 2 Type 2 — Assessed against all 5 trust services criteria, Security, Confidentiality, Availability, Integrity, and Privacy

    Verify on alpaca.markets
    GDPR
    HELD

    Alpaca complies with GDPR and UK's ICO Data Protection programs to ensure the privacy and security of all personal data collected and/or stored.

    Verify on alpaca.markets
    EU-US Data Privacy Framework
    HELD

    AlpacaDB Inc. commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning handling of personal data received in reliance on the EU-U.S. DPF.

    Verify on s3.amazonaws.com
    CSA STAR Level 1 (Self-Assessment)
    HELD

    CAIQ Self-assessment v4.0.3, created or renewed on December 29, 2025

    Verify on cloudsecurityalliance.org
    ICO Data Protection Registration (UK)
    HELD

    ICO Data Protection Registration Certificate listed in Trust Center resources alongside SOC 2 Type 2 and ISO 27001:2022 documents

    Verify on trust.alpaca.markets
    FINRA Member
    HELD

    Securities brokerage services are provided by Alpaca Clearing, member FINRA/SIPC, a wholly-owned subsidiary of AlpacaDB, Inc.

    Verify on alpaca.markets
    SIPC Member
    HELD

    We're a FINRA-regulated entity with SIPC protection up to $500,000 per customer (cash sub-limits apply) and optional excess coverage where applicable.

    Verify on alpaca.markets
    PCI DSS
    HELD

    Alpaca's infrastructure is built on Google Cloud Platform which has attained several security and privacy certifications including ISO 27001, SOC 1, SOC 2, PCI DSS — but this applies to GCP infrastructure, not Alpaca directly.

    Verify on alpaca.markets
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    Not explicitly disclosed; infrastructure runs on Google Cloud Platform (US-headquartered company). Specific storage regions not stated publicly.

    Privacy policy (effective March 20, 2026) states: 'Alpaca does not permit AI service providers to use customer personal data to train their models.' Where Alpaca uses AI for internal operations, those tools may process provided data but do not collect new categories of personal data beyond those already described.

    // Security controls

    Encryption at Rest

    AES-256

    alpaca.markets

    Encryption in Transit

    TLS

    alpaca.markets

    Architecture

    Zero Trust on Google Cloud Platform — verifies every access attempt regardless of user location

    alpaca.markets

    MFA

    Required; strong credentials plus authenticator app

    alpaca.markets

    Bug Bounty Program

    In-house via security@alpaca.markets; no HackerOne or Bugcrowd platform used. Researchers may be rewarded if issue is confirmed valid and aligns with program policy.

    alpaca.markets

    Penetration Testing

    Performed — listed as a confirmed control in Trust Center product security controls

    trust.alpaca.markets

    Backups

    Daily comprehensive backups stored offsite with integrity testing

    alpaca.markets

    Uptime

    99.99% system uptime (as of January 2026)

    alpaca.markets

    Cybersecurity Insurance

    Maintained — listed as a confirmed internal security procedure control in Trust Center

    trust.alpaca.markets

    Disaster Recovery

    Continuity and Disaster Recovery plans established and tested — confirmed controls in Trust Center

    trust.alpaca.markets

    Access Control

    Role-based access control; production database access restricted; encryption key access restricted

    trust.alpaca.markets

    Data Deletion

    Customer data deleted upon leaving — confirmed data and privacy control in Trust Center

    trust.alpaca.markets

    // Products & data scope

    Trading APIBrokerage API / Algorithmic Trading

    data: Account data, order history, portfolio positions, market data. FINRA/SIPC regulated. ISO 27001 and SOC 2 Type II apply. Commission-free for US stocks and ETFs.

    Targets individual retail traders and algorithmic/quant traders. Paper trading mode available. Full audit trail on orders.

    Broker APIEmbedded Brokerage / B2B White-Label Platform

    data: End-customer PII, trading data, account data, portfolio positions. Alpaca acts as data controller and clearing broker. Highest data sensitivity tier in the product family.

    Used by fintechs, digital wallets, robo-advisors, hedge funds, tokenization platforms. End-user PII flows through Alpaca's infrastructure. Same certifications apply but due diligence on data sub-processing should be confirmed via contract.

    Market Data APIFinancial Data Feed

    data: Real-time and historical US stock, ETF, and crypto market data only. Minimal personal data unless combined with a trading account.

    Lower personal data risk. Free and paid tiers. Can be used independently of brokerage accounts.

    MCP ServerAI-Powered Trading Interface (Model Context Protocol)

    data: Connects AI agents (Claude Desktop, ChatGPT, Cursor, VS Code) to the Trading API. Processes natural language trading prompts and order parameters. Accesses portfolio, market data, and order execution.

    Privacy policy explicitly states AI providers cannot use customer data for model training. Full audit trail of AI-generated prompts and order payloads. Requires API key authentication. Paper trading mode for safe testing.

    EliteAdvanced Algorithmic Trading Platform

    data: Same as Trading API; designed for high-frequency and advanced algorithmic traders. Low-cost commissions.

    Same compliance posture as Trading API. Targets sophisticated traders requiring low-latency execution (1.5ms order processing).

    // What to watch

    • No public DPA document found in disclosure library; enterprises should request directly via privacy@alpaca.markets
    • Bug bounty is in-house email-based (security@alpaca.markets) and not hosted on HackerOne or Bugcrowd
    • CSA STAR Level 1 is a self-assessment (CAIQ), not a third-party audited certification
    • Data storage region not explicitly disclosed despite Google Cloud Platform infrastructure
    • Alpaca is a FINRA-regulated financial services API, not a traditional AI tool; its directory listing is most relevant for the MCP Server product

    // At a glance

    Pricing model

    Trading API: commission-free for US stocks/ETFs (retail self-directed). Broker API: negotiated enterprise/institutional pricing. Market Data: free and paid tiers. MCP Server: free account entry, no minimum deposit. Elite: low-cost per-trade model.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on AlpacaDB, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.alpaca.markets

    > Browse all vendor trust reports