// Trust & Security Report

    Amazon.com, Inc. logo

    Amazon.com, Inc.

    Alexa consumer voice assistant ecosystem: Alexa/Alexa+ (voice assistant on Echo devices, Fire TV, and browser), the Alexa Skills Kit (third-party developer platform), and Alexa Smart Properties for Healthcare (enterprise, HIPAA-eligible hidden skills for Covered Entities/Business Associates).

    Certifications held

    1

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture / DPA)
    HELD

    Amazon will act as 'processor' to Developer who will act as 'controller' with respect to Developer-Controlled Customer Data. ... Standard Contractual Clauses will apply to Developer-Controlled Customer Data that is transferred to any third country not recognized by the European Commission as providing adequate protection.

    Verify on developer.amazon.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    No public evidence of a SOC 2 report or attestation covering the Alexa consumer service itself. Amazon's SOC 2 reports (via AWS Artifact) attest to the underlying AWS cloud infrastructure that Alexa runs on, not to the Alexa product/service as a distinct entity. No Alexa-specific SOC 2 was found on amazon.com or developer.amazon.com.

    source: aws.amazon.com
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence of an Alexa-specific ISO 27001 certificate. AWS holds ISO/IEC 27001:2022 for its cloud infrastructure ('AWS has certification for compliance with ISO/IEC 27001:2022...'), which is a host-level certification, not a certification of the Alexa consumer product.

    source: aws.amazon.com
    ISO/IEC 27017 / 27018 / 27701
    NOT CONFIRMED

    These are held by AWS for its cloud infrastructure (host-level), not documented anywhere as certifications of the Alexa service itself. No public evidence at the Alexa product level.

    source: aws.amazon.com
    HIPAA
    NOT CONFIRMED

    The consumer Alexa/Echo experience is not HIPAA-compliant by default. HIPAA eligibility requires enrollment in a separate enterprise program: 'The developer account must be owned by the Covered Entity or Business Associate that will publish the skill... You must agree to the Alexa Skills Business Associate Agreement (BAA) with Amazon... Your skill must be published live, but hidden from the skill store.' The public third-party HIPAA-eligible Alexa Skills Store program was discontinued in December 2022; HIPAA use now requires Alexa Smart Properties for Healthcare with hidden/enterprise skills only.

    source: developer.amazon.com
    PCI DSS
    NOT CONFIRMED

    No public evidence that PCI DSS applies to the Alexa product itself. Payment-card handling PCI attestations, where they exist, apply to Amazon.com retail checkout infrastructure generally, not to Alexa voice/skill data.

    source: amazon.com
    FedRAMP
    NOT CONFIRMED

    FedRAMP authorizations are held by AWS (and AWS GovCloud) as the infrastructure host; no evidence found that the Alexa consumer product itself holds a separate FedRAMP authorization.

    source: aws.amazon.com
    CSA STAR
    NOT CONFIRMED

    AWS holds CSA STAR-related attestations (CCM v4.0) at the infrastructure level; no evidence of an Alexa product-level CSA STAR listing.

    source: aws.amazon.com
    ISO/IEC 42001 (AI Management System / AI governance)
    NOT CONFIRMED

    No public evidence of an ISO/IEC 42001 certification for Alexa or Alexa+ found on amazon.com or developer.amazon.com.

    source: developer.amazon.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Processing occurs across Amazon/AWS global infrastructure; the Alexa Skills DPA lists 40+ permitted processing countries and applies Standard Contractual Clauses for transfers to countries without EU-adequacy status. No dedicated single-region residency guarantee is documented for consumer Alexa voice data.

    As of March 28, 2025, Amazon removed the 'Do Not Send Voice Recordings' option on many newer Echo devices; wake-word-triggered voice interactions are now sent to Amazon's cloud by default (fewer than 0.03% of users had used the old opt-out) to power generative-AI features in Alexa+. Users can still enable 'Don't Save Recordings' (auto-delete after processing) but cannot prevent cloud transmission/processing itself. Third-party legal commentary flags this as a potential GDPR Art. 6/7 consent concern for EU users. Separately, the Alexa Skills DPA governs developer-controlled data for third-party skills and does not itself authorize Amazon to use that data for model training.

    // Security controls

    Encryption in transit

    Design guidance requires 'secure transmission of data between a device and the cloud, such as use of latest TLS, certificate validation of cloud endpoints.'

    developer.amazon.com

    Encryption at rest / data handling

    'All customer data in the cloud should be handled in a secure manner (e.g. access control, automatic logging, encryption, multi-factor authentication).' Device-level: 'Any required storage of personal data should be minimized and encrypted.'

    developer.amazon.com

    Wake-word gating

    By default, Alexa-enabled devices are designed to detect only the chosen wake word, and no audio is stored or sent to the cloud unless the device detects the wake word.

    amazon.com

    User data controls

    Users can view, hear, and delete voice recordings and manage smart home device state history and Alexa Skills permissions via Alexa Privacy Settings or the Alexa app.

    amazon.com

    Communications encryption

    For Alexa calling/messaging features, Amazon decrypts, processes, and re-encrypts audio/video in the cloud, and states it does not retain the audio or content of calls.

    amazon.com

    Regulatory enforcement history

    Amazon paid a $30M FTC settlement over Alexa's retention of children's voice recordings (2023) - relevant compliance history not disclosed on current marketing/trust pages.

    ftc.gov

    // Products & data scope

    Alexa (consumer, Echo devices)Consumer voice assistant / smart home

    data: Wake-word-triggered voice recordings, transcripts, smart-home device state, account/profile data.

    Default, free with an Amazon account. Subject to the standard Amazon.com Privacy Notice; no independent Alexa-specific compliance trust center or SOC 2/ISO reports found.

    Alexa+ (generative AI upgrade)Consumer voice assistant with generative AI

    data: Voice interactions, conversation context across devices/browser, used to power and (per 2025 policy change) train generative features.

    Free with Prime; cloud processing of voice data is mandatory since March 2025 (no full opt-out on affected devices). Amazon states it uses adversarial red-teaming for quality/safety testing.

    Alexa Skills Kit (third-party developer platform)Developer platform / voice app marketplace

    data: Developer-controlled customer data submitted through skills; governed by a separate Alexa GDPR DPA (Amazon as processor, developer as controller).

    Third-party skill privacy compliance is independently variable; published research found high rates of GDPR non-compliance in third-party skill privacy policies (not Amazon's own posture, but a marketplace-quality risk).

    Alexa Smart Properties for HealthcareEnterprise healthcare voice deployment

    data: Protected Health Information (PHI) via hidden/enterprise skills for enrolled Covered Entities/Business Associates under a signed BAA.

    Only path to HIPAA-eligible Alexa use. Requires a BAA, US-only distribution, and skills hidden from the public store. The earlier public HIPAA-eligible Skills Store program (2019-2022) was discontinued.

    // What to watch

    • Host-vs-vendor cert ambiguity: AWS holds SOC 2, ISO 27001/27017/27018/27701, FedRAMP, and CSA STAR for its cloud infrastructure, but no evidence was found that any of these certifications specifically cover the Alexa consumer product/service, so all are graded held=false at the product level per the host-vs-vendor rule.
    • As of March 28, 2025, Amazon removed the 'Do Not Send Voice Recordings' opt-out on many Echo devices, making cloud processing (and use for Alexa+ AI training) effectively mandatory; third-party legal commentary raises GDPR Art. 6/7 consent concerns for EU users. This is a real tension between the vendor's DPA/SCC-based GDPR posture and its current default data-collection behavior.
    • HIPAA eligibility exists only through a separate enterprise program (Alexa Smart Properties for Healthcare, BAA required, hidden/enterprise skills only, US-only). The consumer Alexa/Echo product is not HIPAA-compliant by default, and the earlier public HIPAA-eligible Skills Store program was discontinued in December 2022 - listings must not imply blanket HIPAA compliance.
    • Amazon paid a $30M FTC settlement (2023) over retention of children's Alexa voice recordings; this compliance history is not referenced on current Alexa privacy pages.

    // At a glance

    Pricing model

    Free with Amazon account (Alexa); free with Prime or via subscription (Alexa+); no consumer-facing paid security tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Amazon.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    amazon.com

    > Browse all vendor trust reports