// Trust & Security Report
Amazon.com, Inc.
Alexa consumer voice assistant ecosystem: Alexa/Alexa+ (voice assistant on Echo devices, Fire TV, and browser), the Alexa Skills Kit (third-party developer platform), and Alexa Smart Properties for Healthcare (enterprise, HIPAA-eligible hidden skills for Covered Entities/Business Associates).
Certifications held
1
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on developer.amazon.com“Amazon will act as 'processor' to Developer who will act as 'controller' with respect to Developer-Controlled Customer Data. ... Standard Contractual Clauses will apply to Developer-Controlled Customer Data that is transferred to any third country not recognized by the European Commission as providing adequate protection.”
> Show 8 unconfirmed / not-held certifications
source: aws.amazon.comNo public evidence of a SOC 2 report or attestation covering the Alexa consumer service itself. Amazon's SOC 2 reports (via AWS Artifact) attest to the underlying AWS cloud infrastructure that Alexa runs on, not to the Alexa product/service as a distinct entity. No Alexa-specific SOC 2 was found on amazon.com or developer.amazon.com.
source: aws.amazon.comNo public evidence of an Alexa-specific ISO 27001 certificate. AWS holds ISO/IEC 27001:2022 for its cloud infrastructure ('AWS has certification for compliance with ISO/IEC 27001:2022...'), which is a host-level certification, not a certification of the Alexa consumer product.
source: aws.amazon.comThese are held by AWS for its cloud infrastructure (host-level), not documented anywhere as certifications of the Alexa service itself. No public evidence at the Alexa product level.
source: developer.amazon.comThe consumer Alexa/Echo experience is not HIPAA-compliant by default. HIPAA eligibility requires enrollment in a separate enterprise program: 'The developer account must be owned by the Covered Entity or Business Associate that will publish the skill... You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon... Your skill must be published live, but hidden from the skill store.' The public third-party HIPAA-eligible Alexa Skills Store program was discontinued in December 2022; HIPAA use now requires Alexa Smart Properties for Healthcare with hidden/enterprise skills only.
source: amazon.comNo public evidence that PCI DSS applies to the Alexa product itself. Payment-card handling PCI attestations, where they exist, apply to Amazon.com retail checkout infrastructure generally, not to Alexa voice/skill data.
source: aws.amazon.comFedRAMP authorizations are held by AWS (and AWS GovCloud) as the infrastructure host; no evidence found that the Alexa consumer product itself holds a separate FedRAMP authorization.
source: aws.amazon.comAWS holds CSA STAR-related attestations (CCM v4.0) at the infrastructure level; no evidence of an Alexa product-level CSA STAR listing.
source: developer.amazon.comNo public evidence of an ISO/IEC 42001 certification for Alexa or Alexa+ found on amazon.com or developer.amazon.com.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Processing occurs across Amazon/AWS global infrastructure; the Alexa Skills DPA lists 40+ permitted processing countries and applies Standard Contractual Clauses for transfers to countries without EU-adequacy status. No dedicated single-region residency guarantee is documented for consumer Alexa voice data.
As of March 28, 2025, Amazon removed the 'Do Not Send Voice Recordings' option on many newer Echo devices; wake-word-triggered voice interactions are now sent to Amazon's cloud by default (fewer than 0.03% of users had used the old opt-out) to power generative-AI features in Alexa+. Users can still enable 'Don't Save Recordings' (auto-delete after processing) but cannot prevent cloud transmission/processing itself. Third-party legal commentary flags this as a potential GDPR Art. 6/7 consent concern for EU users. Separately, the Alexa Skills DPA governs developer-controlled data for third-party skills and does not itself authorize Amazon to use that data for model training.
// Security controls
Encryption in transit
Design guidance requires 'secure transmission of data between a device and the cloud, such as use of latest TLS, certificate validation of cloud endpoints.'
developer.amazon.comEncryption at rest / data handling
'All customer data in the cloud should be handled in a secure manner (e.g. access control, automatic logging, encryption, multi-factor authentication).' Device-level: 'Any required storage of personal data should be minimized and encrypted.'
developer.amazon.comWake-word gating
By default, Alexa-enabled devices are designed to detect only the chosen wake word, and no audio is stored or sent to the cloud unless the device detects the wake word.
amazon.comUser data controls
Users can view, hear, and delete voice recordings and manage smart home device state history and Alexa Skills permissions via Alexa Privacy Settings or the Alexa app.
amazon.comCommunications encryption
For Alexa calling/messaging features, Amazon decrypts, processes, and re-encrypts audio/video in the cloud, and states it does not retain the audio or content of calls.
amazon.comRegulatory enforcement history
Amazon paid a $30M FTC settlement over Alexa's retention of children's voice recordings (2023) - relevant compliance history not disclosed on current marketing/trust pages.
ftc.gov// Products & data scope
data: Wake-word-triggered voice recordings, transcripts, smart-home device state, account/profile data.
Default, free with an Amazon account. Subject to the standard Amazon.com Privacy Notice; no independent Alexa-specific compliance trust center or SOC 2/ISO reports found.
data: Voice interactions, conversation context across devices/browser, used to power and (per 2025 policy change) train generative features.
Free with Prime; cloud processing of voice data is mandatory since March 2025 (no full opt-out on affected devices). Amazon states it uses adversarial red-teaming for quality/safety testing.
data: Developer-controlled customer data submitted through skills; governed by a separate Alexa GDPR DPA (Amazon as processor, developer as controller).
Third-party skill privacy compliance is independently variable; published research found high rates of GDPR non-compliance in third-party skill privacy policies (not Amazon's own posture, but a marketplace-quality risk).
data: Protected Health Information (PHI) via hidden/enterprise skills for enrolled Covered Entities/Business Associates under a signed BAA.
Only path to HIPAA-eligible Alexa use. Requires a BAA, US-only distribution, and skills hidden from the public store. The earlier public HIPAA-eligible Skills Store program (2019-2022) was discontinued.
// What to watch
- Host-vs-vendor cert ambiguity: AWS holds SOC 2, ISO 27001/27017/27018/27701, FedRAMP, and CSA STAR for its cloud infrastructure, but no evidence was found that any of these certifications specifically cover the Alexa consumer product/service, so all are graded held=false at the product level per the host-vs-vendor rule.
- As of March 28, 2025, Amazon removed the 'Do Not Send Voice Recordings' opt-out on many Echo devices, making cloud processing (and use for Alexa+ AI training) effectively mandatory; third-party legal commentary raises GDPR Art. 6/7 consent concerns for EU users. This is a real tension between the vendor's DPA/SCC-based GDPR posture and its current default data-collection behavior.
- HIPAA eligibility exists only through a separate enterprise program (Alexa Smart Properties for Healthcare, BAA required, hidden/enterprise skills only, US-only). The consumer Alexa/Echo product is not HIPAA-compliant by default, and the earlier public HIPAA-eligible Skills Store program was discontinued in December 2022 - listings must not imply blanket HIPAA compliance.
- Amazon paid a $30M FTC settlement (2023) over retention of children's Alexa voice recordings; this compliance history is not referenced on current Alexa privacy pages.
// At a glance
Pricing model
Free with Amazon account (Alexa); free with Prime or via subscription (Alexa+); no consumer-facing paid security tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Amazon.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
amazon.com