// Trust & Security Report
AlpacaDB, Inc.
Alpaca Markets
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on alpaca.markets“Security & Privacy by Design: We adhere to the highest standards in security and privacy protection: ISO 27001:2022 certified, SOC 2 Type II controls, MFA, GDPR, EU US DPF, CSA Level 1, and ICO standards.”
Verify on alpaca.markets“SOC 2 Type 2 — Assessed against all 5 trust services criteria, Security, Confidentiality, Availability, Integrity, and Privacy”
Verify on alpaca.markets“Alpaca complies with GDPR and UK's ICO Data Protection programs to ensure the privacy and security of all personal data collected and/or stored.”
Verify on s3.amazonaws.com“AlpacaDB Inc. commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning handling of personal data received in reliance on the EU-U.S. DPF.”
Verify on cloudsecurityalliance.org“CAIQ Self-assessment v4.0.3, created or renewed on December 29, 2025”
Verify on trust.alpaca.markets“ICO Data Protection Registration Certificate listed in Trust Center resources alongside SOC 2 Type 2 and ISO 27001:2022 documents”
Verify on alpaca.markets“Securities brokerage services are provided by Alpaca Clearing, member FINRA/SIPC, a wholly-owned subsidiary of AlpacaDB, Inc.”
Verify on alpaca.markets“We're a FINRA-regulated entity with SIPC protection up to $500,000 per customer (cash sub-limits apply) and optional excess coverage where applicable.”
Verify on alpaca.markets“Alpaca's infrastructure is built on Google Cloud Platform which has attained several security and privacy certifications including ISO 27001, SOC 1, SOC 2, PCI DSS — but this applies to GCP infrastructure, not Alpaca directly.”
> Show 1 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
Not explicitly disclosed; infrastructure runs on Google Cloud Platform (US-headquartered company). Specific storage regions not stated publicly.
Privacy policy (effective March 20, 2026) states: 'Alpaca does not permit AI service providers to use customer personal data to train their models.' Where Alpaca uses AI for internal operations, those tools may process provided data but do not collect new categories of personal data beyond those already described.
// Security controls
Architecture
Zero Trust on Google Cloud Platform — verifies every access attempt regardless of user location
alpaca.marketsBug Bounty Program
In-house via security@alpaca.markets; no HackerOne or Bugcrowd platform used. Researchers may be rewarded if issue is confirmed valid and aligns with program policy.
alpaca.marketsPenetration Testing
Performed — listed as a confirmed control in Trust Center product security controls
trust.alpaca.marketsCybersecurity Insurance
Maintained — listed as a confirmed internal security procedure control in Trust Center
trust.alpaca.marketsDisaster Recovery
Continuity and Disaster Recovery plans established and tested — confirmed controls in Trust Center
trust.alpaca.marketsAccess Control
Role-based access control; production database access restricted; encryption key access restricted
trust.alpaca.marketsData Deletion
Customer data deleted upon leaving — confirmed data and privacy control in Trust Center
trust.alpaca.markets// Products & data scope
data: Account data, order history, portfolio positions, market data. FINRA/SIPC regulated. ISO 27001 and SOC 2 Type II apply. Commission-free for US stocks and ETFs.
Targets individual retail traders and algorithmic/quant traders. Paper trading mode available. Full audit trail on orders.
data: End-customer PII, trading data, account data, portfolio positions. Alpaca acts as data controller and clearing broker. Highest data sensitivity tier in the product family.
Used by fintechs, digital wallets, robo-advisors, hedge funds, tokenization platforms. End-user PII flows through Alpaca's infrastructure. Same certifications apply but due diligence on data sub-processing should be confirmed via contract.
data: Real-time and historical US stock, ETF, and crypto market data only. Minimal personal data unless combined with a trading account.
Lower personal data risk. Free and paid tiers. Can be used independently of brokerage accounts.
data: Connects AI agents (Claude Desktop, ChatGPT, Cursor, VS Code) to the Trading API. Processes natural language trading prompts and order parameters. Accesses portfolio, market data, and order execution.
Privacy policy explicitly states AI providers cannot use customer data for model training. Full audit trail of AI-generated prompts and order payloads. Requires API key authentication. Paper trading mode for safe testing.
data: Same as Trading API; designed for high-frequency and advanced algorithmic traders. Low-cost commissions.
Same compliance posture as Trading API. Targets sophisticated traders requiring low-latency execution (1.5ms order processing).
// What to watch
- No public DPA document found in disclosure library; enterprises should request directly via privacy@alpaca.markets
- Bug bounty is in-house email-based (security@alpaca.markets) and not hosted on HackerOne or Bugcrowd
- CSA STAR Level 1 is a self-assessment (CAIQ), not a third-party audited certification
- Data storage region not explicitly disclosed despite Google Cloud Platform infrastructure
- Alpaca is a FINRA-regulated financial services API, not a traditional AI tool; its directory listing is most relevant for the MCP Server product
// At a glance
Pricing model
Trading API: commission-free for US stocks/ETFs (retail self-directed). Broker API: negotiated enterprise/institutional pricing. Market Data: free and paid tiers. MCP Server: free account entry, no minimum deposit. Elite: low-cost per-trade model.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on AlpacaDB, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.alpaca.markets